Possibly 350K ransomware infections, $70K earned, in Dropbox phishing scheme

Nearly 350,000 systems may have been infected with CryptoWall ransomware as part of a Dropbox phishing scheme.

Attackers may have infected nearly 350,000 systems with ransomware and earned more than $70,000 in Bitcoins as part of an ongoing Dropbox phishing scheme, according to researchers with PhishMe.

Phishing emails containing links to Dropbox started coming in early last week and PhishMe security experts began noticing a new wave on Friday, according to a post by Ronnie Tokazowski, a senior researcher with PhishMe.

The emails purport to be “incoming fax reports” and the links do take users to Dropbox, but downloading the ZIP file and running the executable contained within results in users being hit by CryptoWall ransomware, Tokazowski wrote.

Upon infection, the user's default web browser opens to a page explaining that all files on the system have been locked up using the RSA-2048 encryption algorithm. Victims are then urged to visit a site on the Tor network, which demands a $500 Bitcoin ransom that jumps to $1,000 after a few days.

One of the distinguishing elements of the attack is that the phishers are using a base 36 numeral system, a writing system for expressing numbers that, in this case, sequentially uses digits zero through nine followed by letters A through Z. Tokazowski observed this after noticing that the “numbers” at the end of the Tor site URLs were incrementing upon every infection.

With this, Tokazowski determined that 348,637 systems have potentially been infected, according to the post, which adds that half of the infections are likely to be from sandboxes, researchers and malware analysts.

“This is the first time I have seen attackers use a base 36 number scheme,” Tokazowski told SCMagazine.com in Friday email correspondence, explaining attackers will normally use a base 10 (decimal) or a base 16 (hex) system.

He added, “They are doing this on purpose, as they can keep track of more hosts by sending less data in the URL. With base 10, an attacker could only keep track of 9,999 different hosts. Using base 36, an attacker could track 1,727,604 different computers using 4 digits.”
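The counter arithmetic behind Tokazowski's estimate, as an added example (this is not code from the article or from PhishMe): it decodes the base-36 tokens described above, checks the result by re-encoding, computes how many hosts a four-digit counter can label in base 10 versus base 36, and takes the highest counter seen across observed URLs as the infection bound. It goes slightly beyond the text by also classifying a token as decimal, hex or base 36, which is the quick tell the researcher relied on. The onion hostname is a placeholder, the URL layout (counter as the last path component) is an assumption, and the sample tokens are constructed so that the largest one decodes to the 348,637 figure from the article.

```python
"""Decode base-36 victim counters and size a campaign from them.
Added example; not the article's or PhishMe's code."""
import string

# Digit set the article describes: 0-9 followed by A-Z.
ALPHABET = string.digits + string.ascii_uppercase


def decode_base36(token: str) -> int:
    """Convert a base-36 token such as '7H0D' to an integer (case-insensitive)."""
    value = 0
    for ch in token.upper():
        digit = ALPHABET.index(ch)  # ValueError for characters outside 0-9A-Z
        value = value * 36 + digit
    return value


def encode_base36(n: int) -> str:
    """Inverse of decode_base36, used to cross-check a decoded value."""
    if n < 0:
        raise ValueError("negative values are not expected from a counter")
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def capacity(base: int, width: int) -> int:
    """Number of distinct hosts a counter of `width` digits can label in `base`."""
    return base ** width


def classify_numeral_system(token: str) -> str:
    """Narrowest of decimal / hex / base36 that can represent the token.
    Any letter rules out decimal; a letter past F rules out hex."""
    t = token.upper()
    if not t or any(ch not in ALPHABET for ch in t):
        raise ValueError(f"not a base-36 token: {token!r}")
    if t.isdigit():
        return "decimal"
    if all(ch in string.hexdigits for ch in t):
        return "hex"
    return "base36"


def victim_id_from_url(url: str) -> str:
    """Assumption: the per-victim counter is the trailing path component."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def estimate_infections(urls) -> int:
    """Highest counter value seen across observed URLs. If the counter
    increments once per infection this bounds the number of infections,
    sandbox and analyst runs included, as the article notes."""
    return max(decode_base36(victim_id_from_url(u)) for u in urls)


# Constructed sample: placeholder host, counters chosen so the highest one
# decodes to the article's 348,637 figure. These are not real indicators.
SAMPLE_URLS = [
    "http://placeholder-host.onion/7GZZ",
    "http://placeholder-host.onion/7H0A",
    "http://placeholder-host.onion/7H0D",
]

if __name__ == "__main__":
    for base in (10, 36):
        print(f"4 digits in base {base}: {capacity(base, 4):,} hosts")
    for url in SAMPLE_URLS:
        vid = victim_id_from_url(url)
        print(vid, decode_base36(vid), classify_numeral_system(vid))
    print("highest counter seen:", estimate_infections(SAMPLE_URLS))
```

Decoding the same counter from samples collected a day apart gives an infection rate as well as a total, which is the kind of figure an incident responder would want when judging how fast a campaign is moving; a token containing letters beyond F is the one-line check that a URL suffix is not hex.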

On the Tor site, the attackers tell victims to send ransoms to specific Bitcoin wallet addresses. Following an analysis, Tokazowski determined that those wallets had transferred funds to what appears to be the main wallet owned by the attackers.
