A new report by Imperva titled “The Secret Behind Cryptowall’s Success” took apart the code used in Cryptowall, showing how it works and why it has been so successful. As the authors stated, by understanding the malware’s mechanics, users can be better prepared to defend against it and other ransomware attacks.
The analysts looked at version three of the malware. This is perhaps the most popular in circulation, although there is a fourth version that includes more insidious features.
The Secrets Behind the Malware
The malware is one of numerous ransomware products that starts with a phishing email, in many cases containing an infected PDF file.
“Cryptowall uses hidden Tor services as its command-and-control servers. It uses gateways to Tor since hidden Tor services are not readily accessible through standard browsers,” the report stated. Once deposited, it will hold your hard drive data hostage until you make a specified payment to the attackers.
Each victim has a link to a unique ransom page, and the attackers seemingly set different ransom values depending on the victim’s location. For example, the ransom amount for the U.S. is $700, whereas for Israel, Russia and Mexico, it’s only $500.
“The malware authors clearly know average incomes and change ransom demands based on geolocation to keep the payments affordable,” the authors said. But this is one of the secrets of Cryptowall: The attackers understand marketing and global economics.
The second secret is that they also understand human nature. If the victim doesn’t pay, the ransom doubles.
Building for Success
Another reason why Cryptowall has worked so well is because of its construction. The malware is designed to obscure the identity of its attackers through various cloud-based proxies. On top of this, the beneficiaries receive payment in bitcoin, further masking their identities.
But bitcoin does have one aspect that can be analyzed: While the identities are masked, the transactions are transparent. The researchers “were able to gather quite a lot of information through a bitcoin address provided within the ransom instructions.” They then “followed the bitcoin transactions passing through the attacker’s wallet and finally disclosed an extensive infrastructure of bitcoin wallets where the operators are profiting” from distributing their malware.
Once payment is made, it arrives in one of numerous front-end bitcoin wallets. From there, the funds are transferred to other addresses in the Cryptowall payment network until they are eventually cashed out by the attackers.
Indeed, the analysts were able to calculate these profits, and the value might surprise you. Just three samples of malware they collected generated more than $300,000 in ransom payments from more than 600 targets over a few weeks. Analysts claimed this is just the tip of the Cryptowall iceberg and the actual amount collected is probably much higher.
Given the lure of this lucre, what can an enterprise IT manager do? Imperva offered several recommendations.
First, monitor for the file names that Cryptowall uses, such as HELP_DECRYPT. Look for temporary files being created and deleted frequently from a certain computer. Security professionals should also make regular backups that are kept on a separate and protected network.
Finally, educate your users about phishing attacks in general. While the attackers are getting better at exploiting human foibles — such as sending phony resumes in phishing emails — more end user education could help identify malicious communications.