Possibly 350K ransomware infections, $70K earned, in Dropbox phishing scheme


Attackers may have infected nearly 350,000 systems with ransomware and earned more than $70,000 in Bitcoins as part of an ongoing Dropbox phishing scheme, according to researchers with PhishMe.

Phishing emails containing links to Dropbox started coming in early last week and PhishMe security experts began noticing a new wave on Friday, according to a post by Ronnie Tokazowski, a senior researcher with PhishMe.

The emails purport to be “incoming fax reports” and the links do take users to Dropbox, but downloading the ZIP file and running the executable contained within results in users being hit by CryptoWall ransomware, Tokazowski wrote.

Upon infection, the user's default web browser opens to a page explaining that all files on the system have been locked up using the RSA-2048 encryption algorithm. Victims are then urged to visit a site on the Tor network, which demands a $500 Bitcoin ransom that jumps to $1,000 after a few days.

One of the distinguishing elements of the attack is that the phishers are using a base 36 numeral system, a writing system for expressing numbers that, in this case, sequentially uses digits zero through nine followed by letters A through Z. Tokazowski observed this after noticing that the “numbers” at the end of the Tor site URLs were incrementing upon every infection.

With this, Tokazowski determined that 348,637 systems have potentially been infected, according to the post, which adds that half of the infections are likely to be from sandboxes, researchers and malware analysts.

“This is the first time I have seen attackers use a base 36 number scheme,” Tokazowski said in Friday email correspondence, explaining that attackers will normally use a base 10 (decimal) or a base 16 (hex) system.

He added, “They are doing this on purpose, as they can keep track of more hosts by sending less data in the URL. With base 10, an attacker could only keep track of 9,999 different hosts. Using base 36, an attacker could track 1,727,604 different computers using 4 digits.”
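The counting method described above can be reproduced in a few lines. The following Python is an added example, not code from PhishMe or from the original article: it decodes the base 36 suffix of each observed URL, checks that the counter only increases, and estimates how fast it grows. The host name, timings and suffixes are constructed for illustration; the last suffix was chosen so that it decodes to the 348,637 figure reported in the article.

```python
import string
from urllib.parse import urlparse

ALPHABET = string.digits + string.ascii_uppercase  # 0-9 then A-Z

def decode36(token):
    """Decode a base 36 token, rejecting anything outside 0-9 / A-Z."""
    token = token.upper()
    if not token or any(ch not in ALPHABET for ch in token):
        raise ValueError(f"not a base 36 token: {token!r}")
    value = 0
    for ch in token:
        value = value * 36 + ALPHABET.index(ch)
    return value

def tokens_up_to(base, width):
    """Count every token of length 1..width (1,727,604 for base 36, width 4)."""
    return sum(base ** k for k in range(1, width + 1))

def summarize(observations):
    """observations: (hours since first sighting, URL) pairs from analysis runs."""
    points = sorted(
        (hours, decode36(urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]))
        for hours, url in observations)
    counters = [c for _, c in points]
    (t0, c0), (t1, c1) = points[0], points[-1]
    return {
        "highest": max(counters),  # upper bound on infections, sandboxes included
        "sequential": all(a < b for a, b in zip(counters, counters[1:])),
        "per_hour": (c1 - c0) / (t1 - t0) if t1 > t0 else 0.0,
    }

# Constructed observations: placeholder host, made-up timings and suffixes.
SAMPLE = [
    (0.0, "http://placeholder.onion/7GZZ"),
    (1.0, "http://placeholder.onion/7H00"),
    (2.5, "http://placeholder.onion/7h0d"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because every sandbox or analyst run also advances the counter, the highest decoded value is an upper bound on real victims rather than an exact count.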

On the Tor site, the attackers tell victims to send ransoms to specific Bitcoin wallet addresses. Following an analysis, Tokazowski determined that those wallets had transferred funds to what appears to be the main wallet owned by the attackers.

As of Monday, that main wallet has received 109.529 Bitcoins, or nearly $71,000.

“We are currently unaware of the geolocation origin of the attacks,” Tokazowski said. “We have not had any users become infected, however the attackers offer a chance to ‘decrypt’ a single file in order to test that it works. I'm operating on the assumption that the attackers will decrypt the data once the ransom is paid.”

On Friday, CBS Boston reported that the police department computer system in Durham, New Hampshire was infected with CryptoWall ransomware after an officer opened a file attachment in an email that appeared to be legitimate. The department refuses to pay the ransom and the systems will be restored from backups.

UPDATE: “We're aware of the issue and will revoke the ability to share links from accounts that violate our Acceptable Use Policy,” a Dropbox spokesperson said on Monday.
