Connect with us

Hi, what are you looking for?



Group Behind CryptoWall 3.0 Made $325 Million: Report

Researchers representing security companies that are part of the Cyber Threat Alliance have conducted an in-depth investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware.

Researchers representing security companies that are part of the Cyber Threat Alliance have conducted an in-depth investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware.

CryptoWall 3.0, which first emerged in January 2015, is designed to encrypt important files on infected computers and hold them for ransom until victims agree to pay a certain amount of money in Bitcoin, usually ranging between a few hundred dollars and more than a thousand dollars.

Experts from Intel Security, Fortinet, Symantec, Palo Alto Networks and other companies in the Cyber Threat Alliance discovered during their investigation a total of more than 4,000 malware samples, 839 command and control (C&C) URLs, five second-tier C&C IP addresses, and over 400,000 infection attempts across 49 CryptoWall 3.0 campaigns.

Experts estimate that the group behind these attacks caused $325 million in damages after infecting hundreds of thousands of computers across the world. The region most affected by these attacks was North America, particularly the United States.

The damage estimate is based on the analysis of the financial infrastructure behind CryptoWall 3.0. According to researchers, the attackers used hundreds of Bitcoin addresses, including ones where victims had been instructed to deposit the ransom and “primary wallets” where the cybercrooks gathered their profit.

“A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits and/or botnets used to send spam email,” experts said in their report.

Since a number of primary wallets were shared between different CryptoWall 3.0 campaigns, researchers believe that all of the identified campaigns are operated by the same entity.

Advertisement. Scroll to continue reading.

Researchers discovered that the cybercriminals did not transfer the Bitcoins from the initial wallets to the final wallets directly. Instead, they broke up the transactions among multiple wallets distributed across several layers designed to protect the primary wallet.

“Many of the final wallets that were shared among multiple campaigns held a significant amount of unspent money. These wallets have received millions of bitcoins valued at hundreds of thousands of dollars (USD). This money was sent in small amounts through a vast complicated network of wallets,” experts said.

The extra layers make it difficult to identify the primary wallets, but it can be done if enough effort is put into it, researchers noted. In one of the campaigns, investigators identified more than 15,000 victims infected with a single CryptoWall variant. They estimate that the group behind CryptoWall 3.0 made at least $5 million from these users.

While experts haven’t found a way to decrypt files encrypted by CryptoWall 3.0, not all ransomware is as efficient when it comes to holding files for ransom. Kaspersky announced this week that it has obtained all the decryption keys, roughly 14,000, needed to recover files encrypted by CoinVault and Bitcryptor ransomware.

Kaspersky’s initiative was launched in April in collaboration with law enforcement authorities in the Netherlands. Victims of CoinVault and Bitcryptor are provided a free tool that they can use to decrypt their files.

The announcement that all CoinVault encryption keys have been obtained comes after last month Dutch police reported arresting two individuals suspected of using this piece of ransomware to infect computers around the world.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...