A brand new report from Cyber Threat Alliance showed the staggering damage caused by a single criminal Eastern European cyber mafia. The CTA is an industry group with big-name members like Intel, Palo Alto Networks, Fortinet and Symantec and was created last year to warn about emerging cyber threats.
We have warned here many times about the pervasiveness of Cryptowall, a new strain of ransomware whose predecessor is Cryptolocker. Cryptowall poses a danger to both consumers and businesses: once a machine is infected and there is no recent backup, the files are lost forever. This is highly sophisticated, bulletproof code with unbreakable encryption.
The CTA chose Cryptowall as its first major project, and discovered over 4,000 malware samples relating to CryptoWall 3.0 and well over 800 URLs of Command & Control servers. The area most targeted was the USA, likely because it is a target-rich environment. Around half of all Cryptowall victims were American.
Over 406,000 attempted infections were discovered by the CTA researchers, primarily via phishing emails (67.3%) and exploit kits (EK, 30.7%). The majority of the phishing emails were sent in the January-April 2015 time frame, with the attackers changing their tactics in May when they concentrated more on exploit kits like the Angler EK.
The CTA did a thorough analysis of all the Bitcoin paid, and came to the conclusion that despite a sophisticated obfuscation scheme, all monies paid ultimately flowed to the same criminal gang. Bitcoin transactions are recorded in a public ledger known as the blockchain, so it is possible to analyze ransomware transactions. Cryptowall made it especially hard for researchers by giving a different bitcoin wallet address to each victim, with the funds then dispersed among many other bitcoin wallets to cover their tracks. "It was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity," CTA wrote.
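The linking technique the CTA describes, in which per-victim wallets are traced forward through the public ledger until the money comes to rest in "primary" wallets and campaigns that land on the same primary wallet are attributed to one operator, can be shown in a few dozen lines. The following is an added example and not code from the CTA report or any member company; the campaign IDs, wallet labels and transfer list are constructed placeholders, and the analysis generalizes the report's observation to any number of campaigns and any depth of intermediate hops.

```python
"""Attribute ransomware campaigns to a common operator via shared primary wallets.

Added illustrative example. All campaign IDs, wallet labels and transfers below
are constructed placeholders, not real CryptoWall addresses or transactions.
"""
from collections import defaultdict

# Constructed sample: each campaign hands out its own per-victim wallets.
CAMPAIGN_WALLETS = {
    "crypt001": ["V1", "V2"],
    "crypt002": ["V3"],
    "crypt003": ["V4"],
    "crypt004": ["V5"],
}

# Constructed sample: observed on-chain transfers (from_wallet, to_wallet).
# Victim wallets (V*) are emptied into mixing wallets (M*), which forward the
# funds to primary wallets (P*) that never spend them on again.
TRANSFERS = [
    ("V1", "M1"), ("V2", "M1"), ("M1", "P1"),
    ("V3", "M2"), ("M2", "P1"),                 # crypt002 also ends in P1
    ("V4", "M3"), ("M3", "P2"), ("M3", "P3"),
    ("V5", "M4"), ("M4", "P3"),                 # crypt004 also ends in P3
]


def build_graph(transfers):
    """Adjacency list: wallet -> list of wallets it has sent funds to."""
    graph = defaultdict(list)
    for src, dst in transfers:
        graph[src].append(dst)
    return graph


def terminal_wallets(graph, start):
    """Follow the money from `start`; return wallets with no outgoing transfer.

    Iterative DFS with a visited set, so cycles between mixing wallets cannot
    cause an infinite loop. A wallet that never spends is itself a sink.
    """
    seen, stack, sinks = {start}, [start], set()
    while stack:
        wallet = stack.pop()
        outgoing = graph.get(wallet, [])
        if not outgoing:
            sinks.add(wallet)
        for nxt in outgoing:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return sinks


def primary_wallets_by_campaign(campaign_wallets, transfers):
    """Map each campaign to the set of primary (terminal) wallets it feeds."""
    graph = build_graph(transfers)
    return {
        campaign: set().union(*(terminal_wallets(graph, w) for w in wallets))
        for campaign, wallets in campaign_wallets.items()
    }


def shared_primaries(primaries):
    """Primary wallets reached by more than one campaign: the linking evidence."""
    owners = defaultdict(list)
    for campaign, wallets in primaries.items():
        for wallet in wallets:
            owners[wallet].append(campaign)
    return {w: sorted(cs) for w, cs in owners.items() if len(cs) > 1}


def cluster_campaigns(primaries):
    """Union-find over campaigns: two campaigns sharing a primary wallet merge.

    Returns a sorted list of sorted campaign-ID lists, one per inferred operator.
    """
    parent = {c: c for c in primaries}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    owners = defaultdict(list)
    for campaign, wallets in primaries.items():
        for wallet in wallets:
            owners[wallet].append(campaign)
    for campaigns in owners.values():
        for other in campaigns[1:]:
            parent[find(other)] = find(campaigns[0])

    groups = defaultdict(list)
    for campaign in primaries:
        groups[find(campaign)].append(campaign)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    prim = primary_wallets_by_campaign(CAMPAIGN_WALLETS, TRANSFERS)
    print("shared primary wallets:", shared_primaries(prim))
    print("campaign clusters:", cluster_campaigns(prim))
```

In the constructed data, four campaign IDs collapse into two clusters because crypt001/crypt002 both drain into P1 and crypt003/crypt004 both drain into P3; on real ledger data the same approach works once per-victim addresses have been tied to a campaign ID from the ransom note, with the terminal-wallet heuristic replaced by whatever cash-out point the analyst chooses to stop at.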
The report paints a picture of a professionally-run operation with unbreakable encryption, which means most businesses infected make a pragmatic decision to pay the ransom, normally around 500 dollars. Even an FBI agent last week was quoted as saying that if you had no backup, it was best to pay the ransom to get your files back.
The CTA concluded: "When looking at the number of victims providing payment for the Cryptowall 3.0 ransomware, it becomes clear that this business model is extremely successful and continues to provide significant income for this group." All in all, the estimate is about 325 million dollars, and there is no end in sight. It is likely that Cryptowall will be the first ransomware strain that breaks the half billion dollar mark in damage.
The report doesn't go into specifics about where members of this cyber mafia are located. However, if you look into the Cryptowall 3.0 code itself, it leaves a very clear clue. If it detects that it is running on any PC in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia, it will uninstall itself.
SophosLabs threat researcher Anand Ajjan says CryptoWall has the same code as CryptoLocker, and only differs in the name. The evil genius behind both ransomware strains is on the FBI's most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev. Bogachev, the authorities believe, was responsible for operating both GameOver Zeus, which captures banking credentials and then authorizes transfers from the victims' accounts, and CryptoLocker, which together have infected hundreds of thousands of machines.
Since one of the major Cryptowall infection vectors is email, it makes a lot of sense to step end-users through effective security awareness training which can prevent extremely expensive ransomware infections caused by phishing emails. Find out how affordable this is for your organization and be pleasantly surprised.