Researchers representing security companies that are part of the Cyber Threat Alliance have conducted an in-depth investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware.
CryptoWall 3.0, which first emerged in January 2015, is designed to encrypt important files on infected computers and hold them for ransom until victims agree to pay a certain amount of money in Bitcoin, usually ranging between a few hundred dollars and more than a thousand dollars.
Experts from Intel Security, Fortinet, Symantec, Palo Alto Networks and other companies in the Cyber Threat Alliance discovered during their investigation a total of more than 4,000 malware samples, 839 command and control (C&C) URLs, five second-tier C&C IP addresses, and over 400,000 infection attempts across 49 CryptoWall 3.0 campaigns.
Experts estimate that the group behind these attacks caused $325 million in damages after infecting hundreds of thousands of computers across the world. The region most affected by these attacks was North America, particularly the United States.
The damage estimate is based on the analysis of the financial infrastructure behind CryptoWall 3.0. According to researchers, the attackers used hundreds of Bitcoin addresses, including ones where victims had been instructed to deposit the ransom and “primary wallets” where the cybercrooks gathered their profit.
“A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits and/or botnets used to send spam email,” experts said in their report.
Since a number of primary wallets were shared between different CryptoWall 3.0 campaigns, researchers believe that all of the identified campaigns are operated by the same entity.
Researchers discovered that the cybercriminals did not transfer the Bitcoins from the initial wallets to the final wallets directly. Instead, they broke up the transactions among multiple wallets distributed across several layers designed to protect the primary wallet.
“Many of the final wallets that were shared among multiple campaigns held a significant amount of unspent money. These wallets have received millions of bitcoins valued at hundreds of thousands of dollars (USD). This money was sent in small amounts through a vast complicated network of wallets,” experts said.
The extra layers make it difficult to identify the primary wallets, but it can be done if enough effort is put into it, researchers noted. In one of the campaigns, investigators identified more than 15,000 victims infected with a single CryptoWall variant. They estimate that the group behind CryptoWall 3.0 made at least $5 million from these users.
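The layered wallet structure and the shared-primary-wallet reasoning described above can be worked through on a transaction graph. The following is an added example, not part of the report or the article: it follows constructed transfers (made-up addresses and satoshi amounts, not real CryptoWall data) outward from each campaign's ransom addresses, treats wallets that never spend as the candidate primary wallets, and reports which of those are reached from more than one campaign.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount in satoshi); made-up
# addresses for illustration, not real CryptoWall wallets or transactions.
TRANSFERS = [
    ("ransom_a1", "mix_1", 100_000_000), ("ransom_a1", "mix_2", 90_000_000),
    ("ransom_a2", "mix_2", 120_000_000), ("mix_1", "mix_3", 50_000_000),
    ("mix_1", "mix_4", 50_000_000), ("mix_2", "mix_4", 200_000_000),
    ("mix_3", "primary_x", 50_000_000), ("mix_4", "primary_x", 150_000_000),
    ("mix_4", "primary_y", 100_000_000), ("ransom_b1", "mix_5", 80_000_000),
    ("mix_5", "primary_x", 40_000_000), ("mix_5", "primary_z", 40_000_000),
]
# Ransom-deposit addresses given to victims, grouped by campaign (constructed).
CAMPAIGNS = {"campaign_A": ["ransom_a1", "ransom_a2"], "campaign_B": ["ransom_b1"]}

def build_graph(transfers):
    """Map each sender to the (receiver, amount) pairs it paid out."""
    graph = defaultdict(list)
    for sender, receiver, amount in transfers:
        graph[sender].append((receiver, amount))
    return graph

def terminal_wallets(graph, starts):
    """Breadth-first walk along outgoing transfers from the ransom addresses.
    Wallets with no outgoing transfer are where the money came to rest, i.e. the
    candidate primary wallets. Returns {wallet: hops from a ransom address}."""
    hops, queue = {}, deque((addr, 0) for addr in starts)
    while queue:
        addr, depth = queue.popleft()
        if addr in hops:          # already reached via a shorter path
            continue
        hops[addr] = depth
        queue.extend((nxt, depth + 1) for nxt, _ in graph.get(addr, []))
    return {addr: d for addr, d in hops.items() if not graph.get(addr)}

def shared_primary_wallets(transfers, campaigns):
    """Primary wallets reached from more than one campaign: the overlap that
    points to a common operator behind otherwise separate campaigns."""
    graph = build_graph(transfers)
    reached_by = defaultdict(set)
    for name, starts in campaigns.items():
        for wallet in terminal_wallets(graph, starts):
            reached_by[wallet].add(name)
    return {w: sorted(c) for w, c in reached_by.items() if len(c) > 1}

def received_total(transfers, wallet):
    """Satoshi paid into a wallet; its unspent balance if it never spends."""
    return sum(amount for _, receiver, amount in transfers if receiver == wallet)
```

On the constructed data, `primary_x` is reached from both campaigns (three hops from campaign A's ransom addresses, two from campaign B's), which is the kind of overlap the researchers used to attribute separate campaigns to one operator.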
While experts haven’t found a way to decrypt files encrypted by CryptoWall 3.0, not all ransomware is as efficient when it comes to holding files for ransom. Kaspersky announced this week that it has obtained all the decryption keys, roughly 14,000, needed to recover files encrypted by CoinVault and Bitcryptor ransomware.
Kaspersky’s initiative was launched in April in collaboration with law enforcement authorities in the Netherlands. Victims of CoinVault and Bitcryptor are provided a free tool that they can use to decrypt their files.
The announcement that all CoinVault encryption keys have been obtained comes after Dutch police reported last month that they had arrested two individuals suspected of using this piece of ransomware to infect computers around the world.