Nearly 350,000 systems may have been infected with CryptoWall ransomware as part of a Dropbox phishing scheme.
Nearly 350,000 systems may have been infected with CryptoWall ransomware as part of a Dropbox phishing scheme.

Attackers may have infected nearly 350,000 systems with ransomware and earned more than $70,000 in Bitcoins as part of an ongoing Dropbox phishing scheme, according to researchers with PhishMe.

Phishing emails containing links to Dropbox started coming in early last week and PhishMe security experts began noticing a new wave on Friday, according to a post by Ronnie Tokazowski, a senior researcher with PhishMe.

The emails purport to be “incoming fax reports” and the links do take users to Dropbox, but downloading the ZIP file and running the executable contained within results in users being hit by CryptoWall ransomware, Tokazowski wrote.

Upon infection, the user's default web browser opens to a page explaining that all files on the system have been locked up using the RSA-2048 encryption algorithm. Victims are then urged to visit a site on the Tor network, which demands a $500 Bitcoin ransom that jumps to $1,000 after a few days.

One of the distinguishing elements of the attack is that the phishers are using a base 36 numeral system, a writing system for expressing numbers that, in this case, sequentially uses digits zero through nine followed by letters A through Z. Tokazowski observed this after noticing that the “numbers” at the end of the Tor site URLs were incrementing upon every infection.

With this, Tokazowski determined that 348,637 systems have potentially been infected, according to the post, which adds that half of the infections are likely to be from sandboxes, researchers and malware analysts.

“This is the first time I have seen attackers use a base 36 number scheme,” Tokazowski told in Friday email correspondence, explaining attackers will normally use a base 10 (decimal) or a base 16 (hex) system.

He added, “They are doing this on purpose, as they can keep track of more hosts by sending less data in the URL. With base 10, an attacker could only keep track of 9,999 different hosts. Using base 36, an attacker could track 1,727,604 different computers using 4 digits.”

On the Tor site, the attackers tell victims to send ransoms to specific Bitcoin wallet addresses. Following an analysis, Tokazowski determined that those wallets had transferred funds to what appears to be the main wallet owned by the attackers.