Dark Reading is part of the Informa Tech Division of Informa PLC

With $325 Million In Extorted Payments CryptoWall 3 Highlights Ransomware Threat

Study by Cyber Threat Alliance reveals sophisticated nature of the latest version of CryptoWall

A new report from the Cyber Threat Alliance (CTA) on the latest version of the CryptoWall malware family helps illustrate why ransomware has emerged as one of the biggest threats to web users in recent times.

Since researchers first spotted CryptoWall Version 3 (CW3) in January this year, the ransomware has been used to extort a staggering $325 million from tens of thousands of victims worldwide. The victims include both businesses and individuals, many of them based in North America.

The CTA, an eight-vendor coalition that includes Fortinet, Intel Security, Palo Alto Networks, and Symantec, said its review of CW3 revealed some 407,000 attempted infections worldwide since the beginning of this year. Security researchers from the CTA’s member organizations also discovered a total of 4,046 malware samples, 839 command-and-control URLs, five second-tier IP addresses and 49 campaign code identifiers associated with the malware.

The CTA report is an attempt by the alliance to show how threat intelligence sharing and collaboration among vendors can help bolster industry-wide cybersecurity.

According to the CTA, CryptoWall 3 is being primarily distributed through phishing emails and exploit kits. In about two-thirds of the attempted infections, victims received a phishing email with an attachment titled "internal," "fax," "invoice" or some other similarly innocuous name. More recently, cyber attackers have begun using well-known exploit kits like Angler to distribute CryptoWall 3 to victim systems, the CTA researchers said. Angler is designed to inject payloads like CW3 directly into the victim systems’ memory in completely encrypted fashion to avoid detection and removal by anti-malware tools.
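The lure names above are simple enough to screen for at the mail gateway. What follows is an added example, not code from the article or the CTA report: it parses messages with Python's standard `email` library and flags attachments whose name carries one of the lure words and whose extension is executable, scripted or an archive. The lure words ("internal", "fax", "invoice") come from the article; the extension lists, the verdict rules and the sample messages are constructed assumptions.

```python
"""Flag e-mail attachments that look like CryptoWall 3 phishing lures.

Added example, not code from the article or the CTA report. The lure
words come from the article; the extension lists, the verdict rules and
the sample messages built below are constructed assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

LURE_WORDS = {"internal", "fax", "invoice"}          # named in the article
RISKY_EXTENSIONS = {"exe", "scr", "com", "pif", "cpl", "js", "jse",
                    "vbs", "wsf", "lnk", "zip", "cab", "rar"}   # assumed
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}  # assumed


def assess_attachment(filename):
    """Return the list of reasons an attachment name looks like a CW3 lure."""
    parts = filename.lower().split(".")
    stem, exts = parts[0], parts[1:]
    reasons = []
    # "invoice", "fax_0291" and "internal-memo" all carry a lure word in the stem.
    if set(re.findall(r"[a-z]+", stem)) & LURE_WORDS:
        reasons.append("lure-name")
    if exts and exts[-1] in RISKY_EXTENSIONS:
        reasons.append("executable-or-archive")
    # "invoice.pdf.exe": a document extension placed in front of the real one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in RISKY_EXTENSIONS:
        reasons.append("double-extension")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message and assess every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = assess_attachment(name)
        if reasons:
            findings.append((name, reasons))
    return findings


def verdict(raw):
    """quarantine: lure name plus executable/archive; review: any single signal."""
    findings = scan_message(raw)
    if any("lure-name" in r and "executable-or-archive" in r for _, r in findings):
        return "quarantine"
    return "review" if findings else "allow"


def build_message(subject, filename, payload=b"MZ\x90\x00"):
    """Construct a sample message with one attachment (test data, not a real lure)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Invoice", "invoice.pdf.exe"), ("Fax", "fax_0291.zip"),
                       ("Internal", "internal.docx"), ("Q3", "q3_report.docx")]:
        raw = build_message(subj, name)
        print(f"{name:20} -> {verdict(raw)} {scan_message(raw)}")
```

A lure name on a plain document is only a "review" here rather than a block, because the same names are used by legitimate senders; the combination of a lure name with an executable or archive extension is the signal worth quarantining on.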

The details around CW3 point to the size and scope of the ransomware problem.

Ransomware is malware that encrypts the data on a victim's system and then demands payment in return for the key needed to decrypt it; attackers have been using it with increasing frequency to extort money from victims.

Attackers typically require victims to pay in Bitcoin through payment sites set up primarily to collect the ransoms. As the CTA report notes, ransom amounts typically range from a few hundred dollars to over one thousand dollars, and the demanded amount can change, often doubling, the longer the victim takes to pay. Typically, victims get the decryption key once the ransom has been paid.

The CryptoWall ransomware family is just one in a growing collection of tools being used to extort money from victims. Older examples include CryptoLocker and TorrentLocker.

Security researchers consider ransomware a particularly pernicious problem because of how difficult it is for victims to recover their encrypted data without paying. The encryption employed by CryptoWall and other ransomware is not practical to break, so unless victims have a backup of their data, the only options are often to pay up or lose the data.

The technology employed in CW3 demonstrates the high level of skill that went into building such tools, says Rick Howard, chief security officer at Palo Alto Networks. “The evolution from Version 1 to version 3 is worthy of any legitimate development in the corporate world,” he says. “The complexity within obfuscation levels in both the Command and Control infrastructure and the Bitcoin payment infrastructure will make your head spin. Script kiddies do not do this,” Howard says.

In order for the business model to work, ransomware purveyors need a mature back office infrastructure, he said. “Essentially you need a world class customer support service to handle customer questions about the technical process for payment and decryption,” Howard said, pointing to the sophisticated nature of the ransomware ecosystem.

According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. “Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it.”

The FBI, which has been tracking the problem and warning businesses regularly about the seriousness of the threat, found itself in hot water recently after one of its own agents was reported as saying that the best option for victims without a data backup might be to just pay up.

The recent emergence of malware services that allow almost anyone to buy and deploy ready-to-use ransomware kits against targets of their choice has sparked concerns of a potential commoditization of the threat in future.

The threat is often thought of as a consumer issue, but businesses are equally vulnerable to ransomware. Richard Stiennon, chief research analyst at IT-Harvest, says ransomware has emerged as a top-of-mind issue for chief information security officers. “It is their number one fear,” he says. “There’s nothing that invokes a crisis like an executive with an infected system and all their data encrypted.”

Despite vendor claims about the enormous ransom amounts being collected through such malware, it's hard to know for sure how many victims are actually paying and how much, Stiennon says. But given the growth in ransomware, there's little doubt that cyber criminals are profiting enormously from it, he says.

In most cases, ransomware targets are simply victims of opportunity, he adds. To mitigate the threat, the best strategy is to maintain proper data backups and to keep systems updated and patched.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

11/4/2015 | 3:03:56 PM
Re: Back up your data!
There is a simpler solution to protecting your data other than just backups.

Encrypt your data. CryptoWall can't encrypt files that are already encrypted by the end user.

The data can be decrypted on access, which would lock the files currently opened. When the file is closed it is automatically re-encrypted in real time. As an extra layer of security it is also possible to encrypt volume shadow copies of the files, as the behavior of CryptoWall will automatically sdelete (Secure Delete) all shadow copy data on the infected machine. I am in no way suggesting not to back up your data. However, a proper retention policy should also be correctly set to seven or more days. If a backup, whether it be to a local drive, network drive, or cloud based, is not encrypted, there remains the risk of the files being encrypted by the ransomware and changes to files modified by CryptoWall propagating and overwriting the original backup of end user data. Also, CryptoWall only affects files by extension (i.e. .docx, .qbw, .xlsx). If a file extension is modified to something completely obscure with no relation to any application, the files will remain unaffected by this ransomware.
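The comment above notes that CryptoWall wipes volume shadow copies, which is why "Previous Versions" alone is not a recovery plan. That behaviour is also one of the few things a defender can alert on before the encryption finishes. The following detection is an added example, not code from the article or the commenter: it runs a handful of rules over constructed process-creation log lines and raises the severity when the launching parent lives in a user-writable path or is a document, mail or browser process (the CW3 delivery vectors the article describes). The page does not say which commands CryptoWall uses; the command patterns, the log format, the parent-process heuristic and the sample lines are assumptions.

```python
"""Detect shadow-copy destruction in process-creation telemetry.

Added example, not code from the article or the comment it follows. The
page only says CryptoWall wipes volume shadow copies (the comment
mentions sdelete); the command patterns, the parent-process heuristic,
the log format and the sample lines are constructed assumptions.
"""
import re

# Assumed: the built-in tools a process would normally use to destroy
# shadow copies, matched against the lower-cased command line.
RULES = [
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin-resize-storage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin-delete-catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("sdelete-shadow-storage", re.compile(r"\bsdelete(64)?(\.exe)?\b.*system volume information")),
]

# Assumed: a parent running from a user-writable path, or a document, mail
# or browser process, makes the launch far more suspicious than an admin
# console or a backup service doing the same thing.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
                 "iexplore.exe", "firefox.exe", "chrome.exe"}


def parse_event(line):
    """Constructed log format: ts|host|user|parent_image|image|command_line."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "command_line": cmd}


def evaluate(event):
    """Return (matched rule names, severity) for one process-creation event."""
    hits = [name for name, rx in RULES if rx.search(event["command_line"].lower())]
    if not hits:
        return [], None
    parent = event["parent"].lower()
    suspicious_parent = (any(p in parent for p in USER_WRITABLE)
                         or parent.rsplit("\\", 1)[-1] in DOCUMENT_APPS)
    return hits, "critical" if suspicious_parent else "high"


def scan_log(text):
    """Evaluate every non-empty line and return the alerts in log order."""
    alerts = []
    for line in text.strip().splitlines():
        event = parse_event(line)
        hits, severity = evaluate(event)
        if hits:
            alerts.append({"ts": event["ts"], "host": event["host"],
                           "parent": event["parent"], "rules": hits,
                           "severity": severity})
    return alerts


# Constructed sample telemetry: a masquerading svchost.exe in the user's
# profile wiping shadow copies, a harmless list, and a legitimate resize.
SAMPLE_LOG = r"""
2015-10-29T14:02:11Z|WS-0142|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2015-10-29T14:02:13Z|WS-0142|CORP\jdoe|C:\Users\jdoe\AppData\Roaming\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2015-10-29T14:02:14Z|WS-0142|CORP\jdoe|C:\Users\jdoe\AppData\Roaming\svchost.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2015-10-29T16:40:00Z|SRV-BK01|CORP\backupsvc|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2015-10-29T23:00:05Z|SRV-BK01|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20GB
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The severity split matters in practice: backup software and administrators legitimately resize or delete shadow storage, so the command alone is noisy, while the same command launched from a binary in AppData or from a document reader is almost never benign and deserves an immediate response.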
11/2/2015 | 10:51:53 AM
accuracy of amount in question?
According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. "Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it."


So really you could say that it was only half as much with just as much confidence?

I often wonder where the numbers for this come from; a guess may not be very newsworthy.

What evidence is there to prove it one way or another?
10/31/2015 | 5:00:34 PM
Enterprise Level
How prevalent is Ransomware at the enterprise level with network drives? Are they affected in the same way a regular endpoint will be?
10/31/2015 | 4:59:14 PM
Back up your data!
Please people, perform due diligence and don't let ransomware cripple us. Back up your data to another source regularly. Make sure your OS has default backup settings enabled such as Windows "Previous Versions". This could save tons of money and headaches.