CryptoWall has surpassed CryptoLocker in infection rates.
CryptoWall has surpassed CryptoLocker in infection rates.

With CryptoLocker seemingly out of commission, its less well-known twin CryptoWall has stepped out of the shadows and thrived, in a roughly five-month period infecting 625,000 victims worldwide, encrypting 5.25 billion files, collecting more than $1.1 million in ransoms and effectively surpassing its more famous sibling in infection rates, according to a threat analysis from Dell SecureWorks Counter Threat Unit researcher Keith Jarvis.

“CryptoWall's distribution is different in many respects, but they've infected 80k+ more machines (in 3 months less time) than CryptoLocker solely because they wanted to,” Jarvis told in an email correspondence. “At any time, [CryptoLocker]  could have infected millions of machines if they wanted to but they made the decision not to.” 

Once known as CryptoClone or CryptoDefender, CryptoWall is less sophisticated — both in terms of infrastructure and malware — than CryptoLocker but no less of a threat. But the ransom take for its authors has been less dramatic. 

“Despite infecting 15 percent more machines in 50 percent less time CryptoWall has only made 37 percent in ransoms of what CryptoLocker made,” Jarvis said. “That's the difference between very sophisticated criminals (like the Gameover Zeus gang) who can accept, cash out, and launder dozens of prepaid cards like MoneyPak per day,  versus a less mature group, like the CryptoWall operators, who have to accept bitcoins only (a currency they can sit on).”

CryptoWall victims typically paid between $200 to $2,000 in ransom to unlock their files, the company said, though one victim forked over $10,000. 

“We were surprised to see one victim was charged $10k,” Jarvis said. “ We don't know why they were targeted for that much money or what type of individual or organization they were. We know they are based in the U.S. and paid in early May.”

The two families of ransomware are similar that Dell SecureWorks researchers believe “the same threat actors may be responsible for both families, or that the threat actors behind both families are related,” Jarvis said in the threat analysis.

CTU researchers first began analyzing the ransomware that eventually became known as CryptoWall in February 2014, noting that it has been distributed at least since November 2013.

The infection vectors spreading CryptoWall have been varied — from browser exploit kits and drive-by downloads to malicious email attachments. The latter has been the primary mode of distribution since march with the Cutwail spam botnet being used to send download links, typically through the Upatre downloader which famously distributed Gameover Zeus until Operation Tovar took it down.