"CryptoWall ransomware, a file-encrypting program has infected over 625,000 computer systems in the past six months and has held over 5 Billion files hostage. Within the past few days there has been a new CryptoWall released called CryptoWall 3.0, this new program uses localization and passes traffic to a site where users can pay for their decryption keys through two anonymity networks '” Tor and I2P (the Invisible Internet Project). The Counter threat unit (CTU) at Dell executed a widespread analysis of CryptoWall that involved gathering data from its command and control servers, which tracked its variants and distribution methods and counting payments made by victims so far.
MOST DESTRUCTIVE RANSOMWARE THREAT ON INTERNET
The Counter Threat Unit at dell on Wednesday said ""CryptoWall is the largest and most destructive ransomware threat on the Internet at the moment and will likely continue to grow."" The ransomware program has been spreading since November 2013, the primary source of distribution has been using a variety of tactics including spam emails with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits and through installations by other malware programs already downloaded on compromised computers. The CryptoWall command and control servers assign a different identifier to each infection and generate an RSA public-private key pairs for each. The public keys are sent to infected computers and each are used by the malware to encrypt files with extensions such as movies, images, documents, etc. that are stored on the local hard drive of the computer or on mapped network shares, which include cloud storage from services such as Dropbox and Google Drive. The encrypted files are completely locked and the only way to gain access is with the specific RSA private key which is in the possession of the attackers and is only released when ransom is paid in full.
625,000 SYSTEMS INFECTED AND 5.2 BILLION FILES
CTU researchers were able to figure out an estimate on the amount of computer that CryptoWall has spread to based off unique computer identifiers from the CryptoWall servers as well as information obtained about their IP address, approximate time of infection, and payment status. Nearly 625,000 systems were infected with CryptoWall between a 6 month period, affecting more than 5.25 billion files. The largest numbers of infected systems were located in the United States with 253,521 or 40.6% of all systems infected. The next most affected countries were Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582. Once the system is infected it CryptoWall will typically ask the user to pay the ransom in Bitcoin cryptocurrency, if not paid in the initial allotted time, on average is four to seven days the ransom amount increases. The CTU researchers observed payments that ranged between $200 and $10,000 in value, the majority of them (64 percent) being of $500. ""Of nearly 625,000 infections, 1,683 victims (0.27%) paid the ransom, for a total take of $1,101,900 over the course of six months,"" the CTU researchers said.
WHO IS VULNERABLE TO CRYPTOWALL?
As CryptoWall becomes more well-known, it will also become harder for the people behind it to successfully infect new victims. Mail filters that block phishing e-mails and application firewalls that use rules to block traffic to suspicious or known malicious websites with rules updated to catch CryptoWall before it can fully install will protect many enterprises. But individuals running older versions of Windows without good spam filtering and malware protection will continue to be at risk for some time. And given how much effort the people behind CryptoWall have put into this new release, there's sure to be another one dropping sometime soon to leapfrog malware detection systems again."
