SANS security researcher Brad Duncan wrote in a November 24 ISC blog post that Cryptowall is usually associated with malicious spam, and that this is the first time he has noticed a version of the ransomware being delivered by an EK.
Duncan dubbed the cybergang responsible for the attacks the “BizCN gate actor” because the domains it uses have been registered through the Chinese registrar BizCN. Duncan said the group began sending the ransomware in payloads from the EK as early as November 20.
“Since this information is now public, the BizCN gate actor may change tactics. However, unless this actor initiates a drastic change, it can always be found again,” Duncan said in the post.