A new report from the Cyber Threat Alliance (CTA) on the latest version of the CryptoWall malware family helps illustrate why ransomware has emerged as one of the biggest threats to web users in recent times.
Since researchers first spotted CryptoWall Version 3 (CW3) in January this year, the ransomware has been used to extort a staggering $325 million from tens of thousands of victims worldwide. The victims include both businesses and individuals, many of whom are based in North America.
The CTA, an eight-vendor coalition that includes Fortinet, Intel Security, Palo Alto Networks, and Symantec, said its review of CW3 revealed some 407,000 attempted infections worldwide since the beginning of this year. Security researchers from the CTA’s member organizations also discovered a total of 4,046 malware samples, 839 command-and-control URLs, five second-tier IP addresses and 49 campaign code identifiers associated with the malware.
The CTA report is an attempt by the alliance to show how threat intelligence sharing and collaboration among vendors can help bolster industry-wide cybersecurity.
According to the CTA, CryptoWall 3 is being primarily distributed through phishing emails and exploit kits. In about two-thirds of the attempted infections, victims received a phishing email with an attachment titled "internal," "fax," "invoice" or some other similarly innocuous name. More recently, cyber attackers have begun using well-known exploit kits like Angler to distribute CryptoWall 3 to victim systems, the CTA researchers said. Angler is designed to inject payloads like CW3 directly into the victim systems’ memory in completely encrypted fashion to avoid detection and removal by anti-malware tools.
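The phishing lures above suggest a cheap first-pass detection at the mail gateway: flag inbound attachments whose base name is one of the innocuous titles the report names. The script below is an added example written for this page, not code from the CTA report or any of its member vendors; the key="value" log format, the field names (ts, from, to, attach) and the sample lines are all constructed for illustration, and the lure list is simply the three names quoted in the article.

```python
"""Flag inbound e-mail attachments whose names match the innocuous lure
titles the CTA report associates with CryptoWall 3 phishing e-mails.

Added example: the mail-gateway log format, field names and sample lines
are constructed assumptions, not taken from the report or the article.
"""
import re
from collections import Counter

# Lure titles quoted in the article. Matching is on the attachment's base
# name, case-insensitive, so "INVOICE.zip" and "Invoice_2931.pdf.exe" both hit.
LURE_NAMES = ("internal", "fax", "invoice")

# Constructed log format (assumption): space-separated key="value" pairs.
LOG_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines for a single morning of inbound mail.
SAMPLE_LOG = """\
ts="2015-10-29T08:12:03Z" from="billing@example.test" to="ap@corp.test" attach="Invoice_2931.zip"
ts="2015-10-29T08:12:41Z" from="hr@corp.test" to="staff@corp.test" attach="Q4_plan.pptx"
ts="2015-10-29T08:13:10Z" from="scan@example.test" to="ceo@corp.test" attach="FAX.pdf.scr"
ts="2015-10-29T08:13:55Z" from="noreply@example.test" to="it@corp.test" attach="internal.doc"
ts="2015-10-29T08:14:20Z" from="billing@example.test" to="fin@corp.test" attach="invoice-2932.zip"
ts="2015-10-29T08:15:02Z" from="alice@corp.test" to="bob@corp.test" attach="notes_internal_review.txt"
"""


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(LOG_RE.findall(line))


def base_name(filename):
    """Lower-cased name with every extension removed ("Invoice.pdf.exe" -> "invoice")."""
    return filename.split(".")[0].lower()


def lure_match(filename):
    """Return the lure word the attachment is titled with, or None.

    The base name must start with the lure word and be followed by a
    non-letter or the end of the name, so "invoice-2932" and "FAX" match
    while "notes_internal_review" (a legitimate internal memo) does not.
    """
    base = base_name(filename)
    for lure in LURE_NAMES:
        if re.match(rf"{lure}(?:[^a-z]|$)", base):
            return lure
    return None


def flag_attachments(log_text):
    """Scan a block of log lines.

    Returns (flagged_records, per_sender_counts): each flagged record is the
    parsed line plus a "lure" field; the Counter shows which senders keep
    delivering lure-titled attachments, a useful pivot for a phishing wave.
    """
    flagged = []
    per_sender = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        lure = lure_match(rec.get("attach", ""))
        if lure:
            rec["lure"] = lure
            flagged.append(rec)
            per_sender[rec.get("from", "?")] += 1
    return flagged, per_sender


if __name__ == "__main__":
    hits, senders = flag_attachments(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["from"]} -> {h["to"]}: {h["attach"]} (lure: {h["lure"]})')
    print("repeat senders:", {s: n for s, n in senders.items() if n > 1})
```

On the constructed sample this flags four of the six messages and shows one sender responsible for two of them. A name match alone is a weak signal and belongs in a triage queue rather than a block rule; it is the kind of low-cost indicator that becomes worthwhile once threat-sharing efforts like the CTA's supply the lure names observed in a live campaign.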
The details around CW3 point to the size and scope of the ransomware problem.
Ransomware is malware that attackers have been using with increasing frequency to extort money from victims: it first encrypts the data on their systems and then demands a ransom in return for the key needed to decrypt it.
Attackers typically require victims to pay up in Bitcoins through pay sites set up primarily to collect the ransoms. As the CTA report notes, ransom amounts typically range from a few hundred dollars to over one thousand dollars. Ransom amounts can change and often even double based on how long it takes for the victim to pay up. Typically, victims get the decryption key once the ransom has been paid.
The CryptoWall ransomware family is just one in a growing collection of tools being used to extort money from victims. Older examples include CryptoLocker and TorrentLocker.
Security researchers consider ransomware to be a particularly pernicious problem because of how difficult it is for victims to recover their encrypted data without first paying up. The sophisticated encryption employed by CryptoWall and other ransomware is hard to break, so unless victims have a backup of their data, the only option often is to pay up or lose the data.
The technology employed in CW3 demonstrates the high level of skill employed in building such tools, says Rick Howard, chief security officer at Palo Alto Networks. “The evolution from Version 1 to Version 3 is worthy of any legitimate development in the corporate world,” he says. “The complexity within obfuscation levels in both the Command and Control infrastructure and the Bitcoin payment infrastructure will make your head spin. Script kiddies do not do this,” Howard says.
In order for the business model to work, ransomware purveyors need a mature back office infrastructure, he said. “Essentially you need a world class customer support service to handle customer questions about the technical process for payment and decryption,” Howard said, pointing to the sophisticated nature of the ransomware ecosystem.
According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. “Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it.”
The FBI, which has been tracking the problem and warning businesses regularly about the seriousness of the threat, found itself in hot water recently after one of its own agents was reported as saying that the best option for victims without a data backup might be to just pay up.
The recent emergence of malware services that allow almost anyone to buy and deploy ready-to-use ransomware kits against targets of their choice has sparked concerns of a potential commoditization of the threat in future.
The threat is often thought of as a consumer issue, but businesses are equally vulnerable to ransomware. Richard Stiennon, chief research analyst at IT-Harvest, says ransomware has emerged as a top-of-mind issue for chief information security officers. “It is their number one fear,” he said. “There’s nothing that invokes a crisis like an executive with an infected system and all their data encrypted,” he says.
Despite vendor claims about the enormous ransom amounts being collected through such malware, it's hard to know for sure how many of the victims are actually paying up and how much, Stiennon says. But given the growth in ransomware, there's little doubt that cyber criminals are profiting enormously from it, he says.
In most cases, ransomware targets are just victims of opportunity, he adds. To mitigate the threat, the best strategy is to maintain proper data backups and to ensure that systems are properly updated and patched.