Cryptowall Ransomware May Have Banked $325 Million for Its Developers

A new study from the Cyber Threat Alliance, an industry group that investigates emerging threats and whose members include Palo Alto, Intel Security, Fortinet, and Symantec, has found that the latest version of the Cryptowall ransomware, version 3.0, may have siphoned up to $325 million for its developers.

Ransomware is a malicious program that in effect holds a targeted user’s computer for ransom, denying the victim any access to his or her files unless a ransom is paid.

Cryptowall 3.0 works by infecting targeted computers and quickly encrypting the data files on the hard drive, then demanding a ransom, the study reveals.

Ransomware families are typically profitable for their developers because they scare end users into paying the ransom for fear of losing their files. Although there is little recourse once a machine is infected, PC users are always advised to back up their files regularly.

Here is a demonstration of how ransomware from the same family works:

One notable aspect of Cryptowall 3.0 is that the latest version instructs victims to pay in bitcoin to an address belonging to a bitcoin wallet ostensibly controlled by the attackers.

The entire bitcoin infrastructure is built on a distributed, decentralized and public ledger, the blockchain, which makes it possible for anyone to study transactions. To get around this obstacle and evade discovery, the developers use a different bitcoin address for each victim in every campaign. To further confuse onlookers, the collected bitcoin is then forwarded and split across multiple wallets.

Commenting on how difficult the multitude of wallets makes it to keep track of transactions, the CTA wrote in its report:

It was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity.

Typically, the ransomware operators attack a group, a community or even an entire country at the same time, with an ID assigned to each respective campaign.
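As an added illustration of the wallet tracing the CTA describes (per-victim payment addresses forwarded into a handful of primary wallets, with shared primary wallets linking campaign IDs to one operator), the Python below is not code from the report or this article. It builds a small payment graph from constructed transfers, follows each campaign's payment addresses forward to the wallets that never spend, and groups campaigns that drain into a shared wallet. All campaign IDs, addresses and amounts are made up.

```python
"""Cluster ransomware campaign IDs by the primary wallets their payments reach.

Added example, not taken from the CTA report or the article. The data below
is constructed: "vic-*" are per-victim payment addresses named in ransom
notes, "hop-*" are intermediate forwarding addresses, and "primary-*" are the
consolidation wallets that do not spend onward within the observed window.
"""
from collections import defaultdict, deque

# Constructed: which payment addresses each campaign's ransom notes used.
CAMPAIGN_ADDRESSES = {
    "crypt-a": ["vic-001", "vic-002"],
    "crypt-b": ["vic-003"],
    "crypt-c": ["vic-004", "vic-005"],
    "crypt-d": ["vic-006"],
}

# Constructed on-chain transfers as (sender, receiver, amount_btc).
TRANSFERS = [
    # victim payments into the per-victim addresses
    ("payer-1", "vic-001", 1.0),
    ("payer-2", "vic-002", 0.8),
    ("payer-3", "vic-003", 1.1),
    ("payer-4", "vic-004", 2.0),
    ("payer-5", "vic-005", 1.5),
    ("payer-6", "vic-006", 0.7),
    # forwarding through hops into primary wallets
    ("vic-001", "hop-1", 1.0),
    ("vic-002", "hop-1", 0.8),
    ("hop-1", "primary-X", 1.8),
    ("vic-003", "hop-2", 1.1),
    ("hop-2", "primary-X", 0.5),
    ("hop-2", "primary-Y", 0.6),
    ("vic-004", "primary-Z", 2.0),
    ("vic-005", "hop-3", 1.5),
    ("hop-3", "primary-Z", 1.5),
    ("vic-006", "primary-W", 0.7),
]


def build_graph(transfers):
    """Adjacency list of outgoing transfers: address -> [(receiver, amount)]."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def terminal_wallets(graph, start):
    """Follow outgoing transfers from `start` to addresses that never spend."""
    seen, sinks, queue = {start}, set(), deque([start])
    while queue:
        node = queue.popleft()
        nexts = graph.get(node, [])
        if not nexts:
            sinks.add(node)  # no outgoing transfer: a consolidation wallet
            continue
        for dst, _ in nexts:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sinks


def campaign_revenue(campaign_addresses, transfers):
    """Sum of bitcoin received by each campaign's payment addresses."""
    addr_to_campaign = {a: c for c, addrs in campaign_addresses.items() for a in addrs}
    revenue = defaultdict(float)
    for _, dst, amt in transfers:
        if dst in addr_to_campaign:
            revenue[addr_to_campaign[dst]] += amt
    return dict(revenue)


def cluster_campaigns(campaign_addresses, transfers):
    """Group campaigns whose payments end up in a shared terminal wallet."""
    graph = build_graph(transfers)
    wallet_to_campaigns = defaultdict(set)
    for campaign, addrs in campaign_addresses.items():
        for addr in addrs:
            for sink in terminal_wallets(graph, addr):
                wallet_to_campaigns[sink].add(campaign)

    # Union-find: campaigns sharing any sink wallet join the same cluster.
    parent = {c: c for c in campaign_addresses}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for camps in wallet_to_campaigns.values():
        camps = sorted(camps)
        for other in camps[1:]:
            parent[find(other)] = find(camps[0])

    groups = defaultdict(set)
    for c in campaign_addresses:
        groups[find(c)].add(c)
    return sorted(tuple(sorted(g)) for g in groups.values())


if __name__ == "__main__":
    for cluster in cluster_campaigns(CAMPAIGN_ADDRESSES, TRANSFERS):
        print("same operator (shared primary wallet):", cluster)
    print("revenue per campaign (BTC):", campaign_revenue(CAMPAIGN_ADDRESSES, TRANSFERS))
```

With the constructed data, crypt-a and crypt-b both drain into primary-X and are grouped together, while crypt-c and crypt-d stay separate. On real data the same forward walk is applied to addresses scraped from ransom notes, and the terminal set is only as reliable as the observation window: a "primary" wallet that later spends becomes a hop, so the clustering should be recomputed as new blocks arrive.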


The CTA also cites an example in which a single campaign identified as “crypt100” infected nearly 15,000 computers worldwide and netted nearly $5 million. Altogether, the latest version of the ransomware may have brought in $325 million in revenue.

Furthermore, code embedded in the ransomware may shed some light on where its developers come from. If Cryptowall detects that it is running in any of the following countries, it uninstalls itself.

The countries are:

  • Armenia
  • Belarus
  • Kazakhstan
  • Russia
  • Serbia
  • Ukraine