Dark Reading is part of the Informa Tech Division of Informa PLC
Endpoint

10/29/2015
04:05 PM
With $325 Million In Extorted Payments CryptoWall 3 Highlights Ransomware Threat

Study by Cyber Threat Alliance reveals sophisticated nature of the latest version of CryptoWall

A new report from the Cyber Threat Alliance (CTA) on the latest version of the CryptoWall malware family helps illustrate why ransomware has emerged as one of the biggest threats to web users in recent times.

Since researchers first spotted CryptoWall Version 3 (CW3) in January this year, the ransomware has been used to extort a staggering $325 million from tens of thousands of victims worldwide. The victims include both businesses and individuals, many of whom are based in North America.

The CTA, an eight-vendor coalition that includes Fortinet, Intel Security, Palo Alto Networks, and Symantec, said its review of CW3 revealed some 407,000 attempted infections worldwide since the beginning of this year. Security researchers from the CTA’s member organizations also discovered a total of 4,046 malware samples, 839 command-and-control URLs, five second-tier IP addresses and 49 campaign code identifiers associated with the malware.

The CTA report is an attempt by the alliance to show how threat intelligence sharing and collaboration among vendors can help bolster industry-wide cybersecurity.

According to the CTA, CryptoWall 3 is being primarily distributed through phishing emails and exploit kits. In about two-thirds of the attempted infections, victims received a phishing email with an attachment titled "internal," "fax," "invoice" or some other similarly innocuous name. More recently, cyber attackers have begun using well-known exploit kits like Angler to distribute CryptoWall 3 to victim systems, the CTA researchers said. Angler is designed to inject payloads like CW3 directly into the victim systems’ memory in completely encrypted fashion to avoid detection and removal by anti-malware tools.

The details around CW3 point to the size and scope of the ransomware problem.

Ransomware is basically malware that attackers have been using with increasing frequency to extort money from victims by first encrypting all data on their systems and then demanding a ransom in return for the encryption key.

Attackers typically require victims to pay up in Bitcoins through pay sites set up primarily to collect the ransoms. As the CTA report notes, ransom amounts typically range from a few hundred dollars to over one thousand dollars. Ransom amounts can change and often even double based on how long it takes for the victim to pay up. Typically, victims get the decryption key once the ransom has been paid.

The CryptoWall ransomware family is just one in a growing collection of tools being used to extort money from victims. Older examples include CryptoLocker and TorrentLocker.

Security researchers consider ransomware to be a particularly pernicious problem because of how difficult it is for victims to recover their encrypted data without first paying up. The sophisticated encryption employed by CryptoWall and other ransomware is hard to break, so unless victims have a backup of their data the only option often is to pay up or lose the data.

The technology employed in CW3 demonstrates the high level of skill employed in building such tools, says Rick Howard, chief security officer at Palo Alto Networks. “The evolution from Version 1 to version 3 is worthy of any legitimate development in the corporate world,” he says. “The complexity within obfuscation levels in both the Command and Control infrastructure and the Bitcoin payment infrastructure will make your head spin. Script kiddies do not do this,” Howard says.

In order for the business model to work, ransomware purveyors need a mature back office infrastructure, he said. “Essentially you need a world class customer support service to handle customer questions about the technical process for payment and decryption,” Howard said, pointing to the sophisticated nature of the ransomware ecosystem.

According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. “Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it.”

The FBI, which has been tracking the problem and warning businesses regularly about the seriousness of the threat, found itself in hot water recently after even one of its own agents was reported as saying that the best option for victims without a data backup might be to just pay up.

The recent emergence of malware services that allow almost anyone to buy and deploy ready-to-use ransomware kits against targets of their choice has sparked concerns of a potential commoditization of the threat in future.

The threat is often thought of as a consumer issue, but businesses are equally vulnerable to ransomware. Richard Stiennon, chief research analyst at IT-Harvest, says ransomware has emerged as a top-of-mind issue for chief information security officers. “It is their number one fear,” he said. “There’s nothing that invokes a crisis like an executive with an infected system and all their data encrypted,” he says.

Despite vendor claims about the enormous ransom amounts being collected through such malware, it's hard to know for sure how many of the victims are actually paying up and how much, Stiennon says. But given the growth in ransomware, there’s little doubt that cyber criminals are profiting enormously from it, he says.

In most cases, ransomware targets are just victims of opportunity, he adds. To mitigate the threat, the best strategy is to maintain proper data backups and to ensure that systems are properly updated and patched.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe,
User Rank: Ninja
10/31/2015 | 4:59:14 PM
Back up your data!
Please people, perform due diligence and don't let ransomware cripple us. Back up your data to another source regularly. Make sure your OS has default backup settings enabled such as Windows "Previous Versions". This could save tons of money and headaches.
RyanSepe,
User Rank: Ninja
10/31/2015 | 5:00:34 PM
Enterprise Level
How prevalent is Ransomware at the enterprise level with network drives? Are they affected in the same way a regular endpoint will be?
SgS125,
User Rank: Ninja
11/2/2015 | 10:51:53 AM
accuracy of amount in question?
According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. "Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it."
So really you could say that is was only half as much with just as much confidence?

I often wonder where the numbers for this come from,  a guess may not be very newsworthy.

What evidence is there to prove it one way or another?
theb0x,
User Rank: Ninja
11/4/2015 | 3:03:56 PM
Re: Back up your data!
There is a simpler solution to protecting your data other than just backups.

Encrypt your data. CryptoWall can't encrypt files that are already encrypted by the end user.

The data can be decrypted on access which would lock the files currently opened. When the file is closed it is automatically re-encrypted in realtime. As an extra layer of security it is also possible to encrypt volume shadow copies of the files as the behavior of CryptoWall will automatically sdelete (Secure Delete) all shadow copy data on the infected machine. I am in no way suggesting not to backup your data. However, a proper retention policy should also be correctly set to seven or more days. If a backup, whether it be to a local, network drive, or cloud based, is not encrypted there remains the risk of the files being encrypted by the ransomware and changes of modified files by CryptoWall propagating and overwriting the original backup of end user data. Also, CryptoWall only affects files by extension (i.e. .docx, .qbw, .xlsx). If a file extension is modified to something completely obscure in no relation with any application they will remain unaffected by this ransomware.
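As an added illustration of the retention point raised in the comment above and of the article's own advice that backups are the main defense against ransomware (a constructed model, not code from Dark Reading, the CTA report or any commenter): daily snapshots are kept for a retention window, any snapshot taken on or after the assumed compromise date is treated as tainted because ransomware-modified files have propagated into it, and a restore is possible only if the window reaches back before the compromise.

```python
from datetime import date, timedelta


def snapshot_dates(last_backup, retention_days):
    """Dates of the daily snapshots still on hand, newest first.

    Models a simple rolling policy: one snapshot per day, and the
    oldest is dropped once more than retention_days exist.
    """
    return [last_backup - timedelta(days=i) for i in range(retention_days)]


def latest_clean_snapshot(snapshots, compromise_date):
    """Newest snapshot taken strictly before the compromise, or None.

    A snapshot made on the compromise day is treated as tainted too,
    since files encrypted that day may already have overwritten the
    originals in the backup set.
    """
    clean = [s for s in snapshots if s < compromise_date]
    return max(clean) if clean else None


def can_recover(last_backup, retention_days, compromise_date):
    """True when the rolling window still holds a clean restore point."""
    snaps = snapshot_dates(last_backup, retention_days)
    return latest_clean_snapshot(snaps, compromise_date) is not None


def min_retention_days(last_backup, compromise_date):
    """Smallest window that still covers one pre-compromise snapshot.

    The window must span every day from the compromise through the
    last backup (dwell time + 1) plus one clean day before it.
    """
    return (last_backup - compromise_date).days + 2


if __name__ == "__main__":
    # Constructed scenario: infection on 26 Oct 2015, noticed only when
    # the 29 Oct backup ran, i.e. three days of encrypted files flowed
    # into the backups before anyone looked.
    last, hit = date(2015, 10, 29), date(2015, 10, 26)
    for days in (1, 3, 5, 7):
        print(f"retention {days}d: recoverable={can_recover(last, days, hit)}")
    print("minimum retention:", min_retention_days(last, hit), "days")
```

With a three-day gap between infection and detection, one- and three-day windows hold nothing but tainted copies, which is the propagation risk the comment describes; the seven-day window the commenter recommends still contains the 25 Oct snapshot.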