CryptoWall surpasses CryptoLocker in infection rates

Possibly 350k ransomware infections, $70k earned, in Dropbox phishing scheme
CryptoWall has surpassed CryptoLocker in infection rates.

With CryptoLocker seemingly out of commission, its less well-known twin CryptoWall has stepped out of the shadows and thrived, in a roughly five-month period infecting 625,000 victims worldwide, encrypting 5.25 billion files, collecting more than $1.1 million in ransoms and effectively surpassing its more famous sibling in infection rates, according to a threat analysis from Dell SecureWorks Counter Threat Unit researcher Keith Jarvis.

“CryptoWall's distribution is different in many respects, but they've infected 80k+ more machines (in 3 months less time) than CryptoLocker solely because they wanted to,” Jarvis told SCMagazine.com in an email correspondence. “At any time, [CryptoLocker] could have infected millions of machines if they wanted to but they made the decision not to.”

Once known as CryptoClone or CryptoDefender, CryptoWall is less sophisticated — both in terms of infrastructure and malware — than CryptoLocker, but no less of a threat. The ransom take for its authors, however, has been less dramatic.

“Despite infecting 15 percent more machines in 50 percent less time CryptoWall has only made 37 percent in ransoms of what CryptoLocker made,” Jarvis said. “That's the difference between very sophisticated criminals (like the Gameover Zeus gang) who can accept, cash out, and launder dozens of prepaid cards like MoneyPak per day, versus a less mature group, like the CryptoWall operators, who have to accept bitcoins only (a currency they can sit on).”

CryptoWall victims typically paid between $200 and $2,000 in ransom to unlock their files, the company said, though one victim forked over $10,000.

“We were surprised to see one victim was charged $10k,” Jarvis said. “We don't know why they were targeted for that much money or what type of individual or organization they were. We know they are based in the U.S. and paid in early May.”

The two families of ransomware are similar enough that Dell SecureWorks researchers believe “the same threat actors may be responsible for both families, or that the threat actors behind both families are related,” Jarvis said in the threat analysis.

CTU researchers first began analyzing the ransomware that eventually became known as CryptoWall in February 2014, noting that it has been distributed at least since November 2013.

The infection vectors spreading CryptoWall have been varied — from browser exploit kits and drive-by downloads to malicious email attachments. The latter has been the primary mode of distribution since March, with the Cutwail spam botnet being used to send download links, typically through the Upatre downloader, which famously distributed Gameover Zeus until Operation Tovar took it down.
