The technically sophisticated CryptoLocker ransomware compromised at least 200,000 computers and netted the criminals behind the scheme a minimum of $380,000—but more likely millions—in its first 100 days, according to an analysis conducted by managed-security firm Dell Secureworks.
CryptoLocker encrypts more than 70 different types of files on systems—including Microsoft Word and Excel, Adobe Illustrator and PDF files—and requires that the victim pay $300 for the key to unlock their files. In a report published in late December, Secureworks researchers conservatively estimated that at least 200,000 people were infected in the first 100 days and that 0.4 percent of victims paid the CryptoLocker gang for the decryption keys.
CryptoLocker has threatened thousands of firms with the specter of data loss, because a single infection also encrypts data on any connected network drives. In the past, most ransomware and rogue security-software attacks have essentially amounted to bluffs, locking the Windows desktop until the user pays, but not actually encrypting data. CryptoLocker, however, uses a combination of encryption techniques to scramble important files, making them unreadable unless the victim buys the decryption key, Keith Jarvis, senior security researcher with Dell Secureworks, told eWEEK.
"What sets it apart is not just the size and the professional ability of the people behind it, but that—unlike most ransomware, which is a bluff—this one actually destroys your files, and if you don't pay them, you lose the data," Jarvis said.
CryptoLocker started spreading in early September, initially disguised as spam email messages that appeared to be consumer complaints. When the attached zipped executable is run, the program connects to a server on the Internet to retrieve an encryption key. With that key in hand, the malware calls Microsoft's CryptoAPI to encrypt more than 70 different file types on the victim's system.
"By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent," the report stated.
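Because a sound implementation leaves nothing for the defender to decrypt, the practical control is spotting the damage early, before it spreads across a mapped share. The following is an added example, not code from the Secureworks report or from eWEEK: a small Python scanner that flags document files whose leading bytes no longer match the signature expected for their extension and whose contents have near-maximal byte entropy, the combination a file shows once it has been overwritten with ciphertext. The extension list, signatures, entropy threshold and the synthetic sample files are assumptions made for the demonstration, not details taken from the report.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading-byte signatures for a few of the document types the article names.
# Assumption: these are the well-known public file signatures, not a list
# taken from the Secureworks report.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".ai": (b"%PDF-", b"%!PS-Adobe"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}

# Ciphertext from a sound cipher is indistinguishable from random bytes and
# sits close to 8.0 bits/byte. The threshold is an assumption for this example.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, head: bytes) -> bool:
    """True when the file starts with a signature expected for its extension."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return True  # a type we know nothing about: no opinion
    return any(head.startswith(s) for s in sigs)


def classify_bytes(ext: str, data: bytes) -> str:
    """Return 'ok', 'header-mismatch', 'suspect-encrypted' or 'empty'.

    Entropy alone is a poor signal because .docx/.xlsx (ZIP) and many PDFs
    are already compressed; the signature check carries the weight, and high
    entropy on top of a wrong header is what overwritten ciphertext looks like.
    """
    if not data:
        return "empty"
    if header_matches(ext, data):
        return "ok"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "suspect-encrypted"
    return "header-mismatch"


def classify_file(path: Path) -> str:
    with open(path, "rb") as fh:
        return classify_bytes(path.suffix, fh.read(SAMPLE_BYTES))


def scan_tree(root) -> dict[str, list[Path]]:
    """Walk a directory (a mapped network share, say) and bucket every file
    of a known document type by classification."""
    buckets: dict[str, list[Path]] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in MAGIC:
            buckets.setdefault(classify_file(p), []).append(p)
    return buckets


def demo() -> dict[str, int]:
    """Build a constructed sample tree and return counts per classification.
    The files are synthetic, not real CryptoLocker output."""
    rng = random.Random(2013)  # fixed seed so the demo is repeatable
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Intact PDF: correct header, low-entropy text body.
        (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj <<>> endobj\n" * 100)
        # Intact DOCX: correct ZIP header over an already high-entropy body.
        (root / "memo.docx").write_bytes(b"PK\x03\x04" + rng.randbytes(3000))
        # Spreadsheet overwritten with ciphertext-like bytes, name unchanged.
        (root / "budget.xls").write_bytes(rng.randbytes(SAMPLE_BYTES))
        # Wrong header but plainly not ciphertext (a mislabelled text file).
        (root / "notes.doc").write_bytes(b"Just some plain text\n" * 50)
        return {k: len(v) for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    for label, count in sorted(demo().items()):
        print(f"{label}: {count}")
```

Pointing `scan_tree` at a file server and alerting on the first `suspect-encrypted` hit is the cheap version of the control; the `header-mismatch` bucket exists so that ordinary mislabelled files are not mistaken for ransomware damage.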
By monitoring domains used by the ransomware, Secureworks researchers found that computers at nearly 32,000 IP addresses showed signs of infection over a 10-day period in late October and early November. During the second week of December, computers at another nearly 6,500 addresses showed signs of infection. While systems in the United States accounted for more than two-thirds of infections during the earlier period, the nation's share had dropped to less than a quarter by December.
Secureworks drew on research by graduate student Michele Spagnuolo to count the number of victims who paid the criminals in Bitcoin. Spagnuolo had developed a method for forensically analyzing Bitcoin payments to learn about the parties behind the addresses involved. Reproducing that analysis, Secureworks researchers found that one address tied to CryptoLocker collected 1,216 Bitcoins in the first 100 days, worth a minimum of $380,000.
Yet the ransoms collected by the criminals likely totaled in the millions. Because the estimate is based on payments made in Bitcoin, a virtual currency whose value fluctuates, the criminals could have made much more than the $380,000 that the tokens were worth at their minimum during that period. In addition, more than 0.4 percent of victims have likely paid the ransom, but those payments are not visible to researchers because most victims in the United States would have used the primary payment method, MoneyPak, rather than Bitcoin, said Secureworks' Jarvis.
"I think the total is much higher," he said. "At least several multiples of it, at a minimum."