The latest version of the CryptoWall ransomware program has raked in more than $325 million for the group behind the criminal operation, researchers from Cyber Threat Alliance stated in a report released on Oct. 29.
The Cyber Threat Alliance (CTA), a group of security companies that have pledged to share threat data with each other, combined a variety of information from its members to identify more than 4,000 malware samples, 800 command-and-control sites and 400,000 attempted infections. The 90-day research effort identified 49 different CryptoWall campaigns that likely caused at least $325 million in damages, according to the companies.
The operation used advanced malware, a complex command-and-control infrastructure and multiple layers of Bitcoin wallets to hide from researchers and law enforcement, Derek Manky, global security strategist for network security firm Fortinet, told eWEEK. Fortinet is a founding member of the CTA.
“Clearly they are going through a lot of obfuscation layers,” he said. “There are at least four or five layers of Bitcoin wallets; it has to go through all of them before it spits out to the final wallet.”
While CryptoWall is not a new attack, the research builds the most complete picture of the criminal campaign to date. Researchers first discovered the CrytoWall ransomware program in June 2014. The group behind the malware has regularly updated the codebase and released version 3 in January 2015. The CTA report analyzes the infrastructure behind that version of the criminal operation.
Sifting through more than 400,000 attempted infections, the researchers found that more than two-thirds of CryptoWall attacks begin with a phishing email carrying a malicious executable, while about a third of attacks use a link leading to an exploit kit that attempts to remotely compromise the victim’s system. Angler is a popular exploit kit for distributing CryptoWall, according to the report.
The group behind CryptoWall takes great pains to make it difficult to analyze the malware and its infrastructure. Not only does CryptoWall anonymize the command-and-control servers, but payments to the criminals are routed through multiple layers of redirection before ending up in the final destination wallet. Other components—such as the Angler exploit kit used to infect victims’ machines—also take steps to prevent analysis and avoid detection.
While it is not known from where the criminals are operating, the CryptoWall software will uninstall itself if the code detects it is running on a machine in Armenia, Belarus, Iran, Kazakhstan, Russia, Serbia or Ukraine, suggesting that the operators may be Eastern European residents.
For the Cyber Threat Alliance, the research effort, which it had code-named Project Redstone, proved that its members could work together, Rick Howard, chief security officer for Palo Alto Networks, told eWEEK. Palo Alto Networks is also a founding member of the CTA.
“This is a proof of concept for us. … Our aspirations is to be much bigger than this,” he said. “We don’t want to just track this one campaign, but track as many as we possibly can. This was our first shot at trying to do it together.”
The CTA estimates that there are about 5,000 adversary campaigns, which it refers to as playbooks. So far, the research into CryptoWall version 3 has revealed details of just one.