Incident Response, Malware, TDR

CryptoWall surpasses CryptoLocker in infection rates


With CryptoLocker seemingly out of commission, its less well-known twin CryptoWall has stepped out of the shadows and thrived, in a roughly five-month period infecting 625,000 victims worldwide, encrypting 5.25 billion files, collecting more than $1.1 million in ransoms and effectively surpassing its more famous sibling in infection rates, according to a threat analysis from Dell SecureWorks Counter Threat Unit researcher Keith Jarvis.

“CryptoWall's distribution is different in many respects, but they've infected 80k+ more machines (in 3 months less time) than CryptoLocker solely because they wanted to,” Jarvis told in an email correspondence. “At any time, [CryptoLocker]  could have infected millions of machines if they wanted to but they made the decision not to.” 

Once known as CryptoClone or CryptoDefender, CryptoWall is less sophisticated — both in terms of infrastructure and malware — than CryptoLocker but no less of a threat. But the ransom take for its authors has been less dramatic. 

“Despite infecting 15 percent more machines in 50 percent less time CryptoWall has only made 37 percent in ransoms of what CryptoLocker made,” Jarvis said. “That's the difference between very sophisticated criminals (like the Gameover Zeus gang) who can accept, cash out, and launder dozens of prepaid cards like MoneyPak per day,  versus a less mature group, like the CryptoWall operators, who have to accept bitcoins only (a currency they can sit on).”

CryptoWall victims typically paid between $200 to $2,000 in ransom to unlock their files, the company said, though one victim forked over $10,000. 

“We were surprised to see one victim was charged $10k,” Jarvis said. “ We don't know why they were targeted for that much money or what type of individual or organization they were. We know they are based in the U.S. and paid in early May.”

The two families of ransomware are similar that Dell SecureWorks researchers believe “the same threat actors may be responsible for both families, or that the threat actors behind both families are related,” Jarvis said in the threat analysis.

CTU researchers first began analyzing the ransomware that eventually became known as CryptoWall in February 2014, noting that it has been distributed at least since November 2013.

The infection vectors spreading CryptoWall have been varied — from browser exploit kits and drive-by downloads to malicious email attachments. The latter has been the primary mode of distribution since march with the Cutwail spam botnet being used to send download links, typically through the Upatre downloader which famously distributed Gameover Zeus until Operation Tovar took it down.

What started as a low-level infection rate in February saw a marked growth in mid-May after threat actors boosted the volume of distribution, Jarvis wrote in the threat analysis.

While early distribution showed “a bias towards systems in Asian and Middle Eastern countries,” later campaigns have ensured that “every nation in the world had at least one victim” with most infections occurring in the U.S. as a result of Cutwail spam targeting English-speaking users.

At the time that researchers were analyzing CryptoWall, they noted that the variants “terminate after successfully encrypting files and notifying the C2 server” but “may not be executing in memory on systems affected by these variants.” However, “the persistence mechanisms remain,” which ensures that the malware will run when a system is rebooted, Jarvis wrote in the threat analysis.

CryptoWall does not nab user credentials, files or metadata, the researchers found, and a functionality that early variants used “to transmit a screenshot of the infected system back to the C2 server” has been included since mid-March. 

“The threat is nearly identical to CryptoLocker: the cost of extortion versus the cost of losing valuable data,” Jarvis told “One mitigating factor with a CW vs CL infection is the former does NOT come along with a Gameover Zeus infection,  so you aren't dealing with those other aspects which include: credential theft, DDOS, banking fraud, etc. Though, CryptoWall sometimes does get implemented onto victim's computers, along side other malware families.”

According to the threat analysis, CryptoWall is “the largest and most destructive ransomware threat on the Internet” and is expected to “continue growing.” But Jarvis told that he expects "to see ransomware that 'destroys files' become the new normal." In fact, the most of the major ransomware families, such as Reveton and Urausy, "are evolving into more sophisticated threats in parallel with those like CryptoWall and CryptoLocker."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.