Ransomware Infects 625,000 Systems
Researchers at Dell SecureWorks Counter Threat Unit (CTU) released a report on their analysis of the CryptoWall ransomware system. CTU says it considers CryptoWall “the largest and most destructive ransomware threat on the Internet,” and they believe the threat will “continue growing.” Since its appearance in November 2013, CryptoWall has infected 625,000 systems. Like other ransomware tools, CryptoWall takes over the victim’s system, encrypts the files on its hard drive, and then demands a fee from the victim to release them. Dell estimates CryptoWall has earned more than US$1,100,000 for attackers through ransom payments.
According to the report, “The ransom has frequently fluctuated at the whim of the botnet operators, and no exact pattern has been established that determines which victims receive a particular ransom value. Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall’s operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case, a victim paid $10,000 for the release of their files.”
The Dell SecureWorks team apparently registered a domain used by CryptoWall as a backup command-and-control server, allowing them to monitor the malware’s behavior and estimate the extent of its reach. Although the CryptoWall code is not as sophisticated as some ransomware alternatives, and the money-laundering operation isn’t as advanced, the creators have been very successful at distributing CryptoWall around the world, mostly through spam messages with embedded phishing links.
The report provides a detailed description of the malware’s behavior and some of the scam messages used to propagate it. As you might have already guessed, the best defenses are: back up your data and don’t click on unfamiliar links from untrusted sources.