Security researchers warn of an increase in CryptoWall ransomware
October 23, 2014
Security researchers are warning the internet community of a serious increase in CryptoWall ransomware victims that started at the end of September and coincides with a campaign to spread a new variant of the malware through several advertising networks.
Overall, about 831,400 victims worldwide have been infected with the malware so far, a 25 percent increase in infections since late August, when there were 625,000 victims, according to security researchers at Dell SecureWorks.
Britain was one of the hardest hit regions when it comes to CryptoWall infections, with more than 40,000 victims. The ransoms demanded typically range from $200 to $2,000 and the larger sums usually are reserved for victims who do not pay within the allotted time (usually 4 to 7 days).
Data collected directly from the ransom payment server reveals that a total of $1,101,900 in ransoms had been paid from March through August 2014 to the CryptoWall criminals.
In the three months since, a further 205,000 new victims have been claimed, doubtless increasing the total take to $1.4 million or more, according to Dell SecureWorks.
In its most basic form, CryptoWall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key needed to recover scrambled documents.
CryptoWall was first distributed in early November 2013, but the threat only went prime-time around February of this year.
To be sure, early CryptoWall variants closely mimicked both the behavior and appearance of the infamous CryptoLocker ransomware, but the malware has evolved since then, and that is where it really gets disturbing for the average computer user.
It even survived a takedown operation against its command and control servers back in June 2014.
Security researchers at Proofpoint warn that a new variant of CryptoWall recently spread through malicious banner ads. Surfers ran a risk of being faced with ransomware purely by visiting one of the impacted sites, which included various properties in the Yahoo, Match.com, and AOL domains, among others.
"The sites themselves were not compromised but the advertising networks upon which they relied for dynamic content were inadvertently serving malware which in turn, was not due to an explicit compromise of the networks. Rather, it was due to the networks accepting ads from a malicious source without screening detection," Proofpoint explained in a lengthy blog post.
The malicious code contained in the ads exploited browser security vulnerabilities and the like to push a new variant of CryptoWall onto the PCs of surfers visiting the affected sites.
The malvertising campaign itself ran from September 17 until at least October 19, when Proofpoint stopped recording new detections.
"Although we have notified the impacted parties and halted this 'malvertising' campaign, the attackers may be spreading CryptoWall 2.0 via other means," Proofpoint warns.
Based on the flows of ransom payments to Bitcoin addresses, Proofpoint estimates that the attackers made $25,000 per day, or anything up to $750,000 through the latest campaign.
The crooks behind CryptoWall have used the tactic of distributing their malware through tainted ads before, as recently as August of this year.
CryptoWall was previously spread via malicious email attachments and download links sent through the Cutwail spam botnet.
"CryptoWall 2.0 added TOR support and therefore made it much more difficult to trace back to the attacker's command and control servers," explained Wayne Huang, lead researcher at Proofpoint.
"With CryptoWall 2.0, the attackers are also heavily using obfuscation and anti-sandboxing techniques. This campaign saw at least two very different obfuscator + anti-sandboxer in use, although the naked payloads are exactly the same," he added.
Source: Dell SecureWorks.