CryptoWall Infections Fell Dramatically Over Past Year

While the groups using CryptoWall version 4 attempted to spread the ransomware to millions of users, they likely took in less than $18 million, according to an industry report.

The well-known CryptoWall ransomware has run into a wall of its own.

Over the past year, the criminals behind CryptoWall have seen their profit drop dramatically, according to a report released on Sept. 26 by the Cyber Threat Alliance (CTA), a group of eight security companies that exchange information on current cyber-threats. During the first 10 months of 2015, CryptoWall version 3 infected "hundreds of thousands of victims," resulting in an estimated $325 million in revenue. From November 2015 to June 2016, however, the latest CryptoWall, version 4, took in only about $18 million, the report stated.

"The CryptoWall authors … showed persistence with the creation of the fourth variant of CryptoWall and characteristically held true to the tenacity of advanced cybercriminals," the CTA stated in the report. "Fortunately, CW4 was materially less damaging."

The decline in damages came as the groups using CryptoWall ramped up their attempts at infecting users. The Cyber Threat Alliance detected 7.2 million attempted attacks, according to the report. With only 36,114 confirmed victims, that's a 0.5 percent success rate—much lower than last year's double-digit rate. The exact success rate for version 3 is not clear, however.

India became a significant target of the latest version of CryptoWall, just behind the United States in terms of the impact felt from the malware, the report stated.

Otherwise, version 3 and version 4 of the CryptoWall ransomware were not very different, according to the CTA report. Both CW3 and CW4 use email phishing campaigns and exploit kits to spread the malware. The average ransom for both was 1 Bitcoin.

"After the release of our report, the actor changed a few things like the ransom notification," Christiaan Beek, director of strategic intelligence and operations for Intel Security, told eWEEK in an email interview. "Both important files and their names were encrypted and unique identifiers were removed—hence the adoption of V4."

The decline of CryptoWall has not ended the threat of ransomware, however. Two other major ransomware families—Locky and Cerber—have begun to fill the void. Locky accounted for 42 percent of the ransomware detected during the three-month period ending on May 19, compared with 46 percent for CryptoWall and 12 percent for Cerber, according to the report.

"We no longer see the waves of CryptoWall samples as we used to," said Intel's Beek. "That position has been taken over by Locky."

Moreover, because ransomware is an easy way to turn a compromised computer into cash, criminals will continue to use the technique. Because gray-market software developers continue to develop easy-to-use ransomware with support, less technical criminals can quickly learn to use the software.

"We see a shift where many are attracted to the financial gain and don't need to have the necessary technical skills," Beek said. "You can buy yourself into an affiliate program where 20 percent goes to the seller and you get 80 percent. In other cases, for $39 you can buy a piece of ransomware in the underground with lifelong support."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...