CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files
A file-encrypting ransomware program called CryptoWall infected over 600,000 computer systems in the past six months and held 5 billion files hostage, earning its creators more than $1 million, researchers found.
The Counter Threat Unit (CTU) at Dell SecureWorks performed an extensive analysis of CryptoWall that involved gathering data from its command-and-control (C&C) servers, tracking its variants and distribution methods and counting payments made by victims so far.
CryptoWall is the largest and most destructive ransomware threat on the Internet at the moment and will likely continue to grow.
CryptoLocker asked victims for ransoms between $100 and $500 to recover their encrypted files and is estimated to have earned its creators around $3 million over 9 months of operation. The threat was shut down at the end of May following a multi-national law enforcement operation that had support from security vendors.
CryptoWall filled the void left by CryptoLocker on the ransomware landscape through aggressive distribution using a variety of tactics, including spam emails with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits, and installation by other malware programs already running on compromised computers.

Early versions of CryptoWall (left) copied CryptoLocker (right) in both execution and design, Dell SecureWorks reports.
The CryptoWall command-and-control servers assign a unique identifier to every infection and generate RSA public-private key pairs for each one.
The public keys are sent to infected computers and are used by the malware to encrypt files with popular extensions—movies, images, documents, etc.—that are stored on local hard drives, as well as on mapped network shares, including those from cloud storage services like Dropbox and Google Drive.
“Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall,” the CTU researchers said. “In that same timeframe, CryptoWall encrypted more than 5.25 billion files.”
The largest number of infected systems were located in the United States—253,521 or 40.6 percent of the total. The next most affected countries were Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.
CryptoWall typically asks victims to pay the ransom in Bitcoin cryptocurrency, but earlier variants offered more payment options, including pre-paid cards like MoneyPak, Paysafecard, cashU, and Ukash.
The ransom amount grows if a victim doesn’t pay within the initial allotted time, which is usually between four and seven days. The CTU researchers observed payments that ranged between $200 and $10,000 in value, with the majority of them (64 percent) being $500 payments.
“Of nearly 625,000 infections, 1,683 victims (0.27%) paid the ransom, for a total take of $1,101,900 over the course of six months,” the CTU researchers said.
This suggests that while CryptoWall managed to infect 100,000 more computers than CryptoLocker, it was less effective at generating income for its creators. Researchers determined in the past that 1.3 percent of CryptoLocker victims paid the ransom for a total of over 3 million dollars.
Here are some steps that you can take to minimize the risk of being infected.
1. Back up, back up, back up
It’s hard to state strongly enough the importance of backing up data. There are many systems available to back up corporate data, and note that a true backup means having the exact same data in at least two places at once. Preferably, your business has many copies, with a few older revisions, in locations not easily compromised.
But here’s the catch: Backups can get ransomware, too. A trojan like CryptoLocker can infect and encrypt any drives that are connected to the hostage computer, shared network volumes and even cloud data if local files are set to automatically sync whenever they’re modified. Having offline, offsite and write-protected backups is the only surefire way to avoid being at the mercy of ransomware.
2. Consider your operating system
Most ransomware is designed to infect Windows. Linux variants and Apple's OS X benefit from the sandboxing and security features of their underlying Unix foundation.
But, beware: Mac users are not off the hook.
Businesses that run Windows on their Macs may be putting their data in danger. Many Windows virtual machines share their Mac-side home folders and drives with Windows. If ransomware infects the Windows virtual machine and Mac-side data is shared, the ransomware will encrypt the Mac data, too.
3. Have Smart IT Policies
A healthy dose of skepticism is one of the best defenses against ransomware, and an informed user base is one that is less likely to fall prey to ransomware schemes, especially the social engineering variety. Good communication between your Managed Service Provider and end-users is vital in this regard.
On the flip side, encourage end-users to ask questions, and don’t create a blame environment. If an end-user comes across a site that looks potentially unsafe (e.g., if a third-party service like MoneyPak is involved, or the “FBI” requests payment in Bitcoin), teach them to be suspicious, speak out, and contact your Managed Service Provider instead of taking rash action based on fear.
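As an added illustration of step 1 (not part of the original article): because a backup that syncs automatically will copy encrypted files over good ones, a backup job can compare the live tree against the last good manifest and hold the run when many files have turned into near-random data or vanished. The thresholds, function names and sample files below are assumptions constructed for this example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits/byte, assumed threshold; encrypted data sits near 8.0
HOLD_RATIO = 0.30    # assumed: hold if >30% of known files look encrypted or vanished


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def snapshot(root: Path) -> dict:
    """Map relative path -> (sha256 hex, entropy) for every file under root."""
    out = {}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        data = p.read_bytes()
        out[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), entropy(data))
    return out


def gate(previous: dict, current: dict) -> dict:
    """Compare the last good manifest with the live tree; flag low-to-high entropy rewrites."""
    suspicious, missing = [], []
    for path, (old_hash, old_ent) in previous.items():
        if path not in current:
            missing.append(path)  # deleted or renamed since the last good run
            continue
        new_hash, new_ent = current[path]
        if new_hash != old_hash and old_ent < ENTROPY_LIMIT <= new_ent:
            suspicious.append(path)
    ratio = (len(suspicious) + len(missing)) / len(previous) if previous else 0.0
    return {"suspicious": suspicious, "missing": missing, "ratio": ratio, "hold": ratio > HOLD_RATIO}


def demo() -> dict:
    """Constructed sample: four text files, three then overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(4):
            (root / f"doc{i}.txt").write_text("quarterly report line\n" * 200)
        before = snapshot(root)
        for i in range(3):
            (root / f"doc{i}.txt").write_bytes(os.urandom(64 * 1024))
        return gate(before, snapshot(root))
```

Entropy alone does not flag already-compressed formats (images, archives) that are encrypted in place, so a production check would also watch for changed hashes on files that are normally static.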
Keeping Company Data Safe
Malware will continue to get more pernicious, clever and widespread. Ransomware is just the latest tool of dedicated criminals who are bent on coming up with new and inventive ways to exploit ordinary users and businesses alike. Defending against new waves of malware requires vigilance and, above all, better communication between IT departments and workers.
If your business is in need of a disaster recovery plan to avoid such a headache, call CTI Technology today and we can help develop the right plan to protect your data and your business.