A new report by Imperva titled “The Secret Behind Cryptowall’s Success” took apart the code used in Cryptowall, showing how it works and why it has been so successful. As the authors stated, by understanding the malware’s mechanics, users can be better prepared to defend against it and other ransomware attacks.

The analysts looked at version three of the malware. This is perhaps the most popular in circulation, although there is a fourth version that includes more insidious features.

The Secrets Behind the Malware

The malware is one of numerous ransomware products that starts with a phishing email, in many cases containing an infected PDF file.

“Cryptowall uses hidden Tor services as its command-and-control servers. It uses gateways to Tor since hidden Tor services are not readily accessible through standard browsers,” the report stated. Once deposited, it will hold your hard drive data hostage until you make a specified payment to the attackers.

Each victim has a link to a unique ransom page, and the attackers seemingly set different ransom values depending on the victim’s location. For example, the ransom amount for the U.S. is $700, whereas for Israel, Russia and Mexico, it’s only $500.

“The malware authors clearly know average incomes and change ransom demands based on geolocation to keep the payments affordable,” the authors said. But this is one of the secrets of Cryptowall: The attackers understand marketing and global economics.

The second secret is that they also understand human nature. If the victim doesn’t pay, the ransom doubles.

Building for Success

Another reason why Cryptowall has worked so well is because of its construction. The malware is designed to obscure the identity of its attackers through various cloud-based proxies. On top of this, the beneficiaries receive payment in bitcoin, further masking their identities.

But bitcoin does have one aspect that can be analyzed: While the identities are masked, the transactions are transparent. The researchers “were able to gather quite a lot of information through a bitcoin address provided within the ransom instructions.” They then “followed the bitcoin transactions passing through the attacker’s wallet and finally disclosed an extensive infrastructure of bitcoin wallets where the operators are profiting” from distributing their malware.

Once payment is made, it arrives in one of numerous front-end bitcoin wallets. From there, the funds are transferred to other addresses in the Cryptowall payment network until they are eventually cashed out by the attackers.

Indeed, the analysts were able to calculate these profits, and the value might surprise you. Just three samples of malware they collected generated more than $300,000 in ransom payments from more than 600 targets over a few weeks. Analysts claimed this is just the tip of the Cryptowall iceberg and the actual amount collected is probably much higher.

Battling Cryptowall

Given the lure of this lucre, what can an enterprise IT manager do? Imperva offered several recommendations.

First, monitor for the file names that Cryptowall uses, such as HELP_DECRYPT. Look for temporary files being created and deleted frequently from a certain computer. Security professionals should also make regular backups that are kept on a separate and protected network.

Finally, educate your users about phishing attacks in general. While the attackers are getting better at exploiting human foibles — such as sending phony resumes in phishing emails — more end user education could help identify malicious communications.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Trickbot rising — Gang doubles down on infection efforts to amass network footholds

11 min read - IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks — particularly ones using the Conti ransomware. As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106 (aka TA551) and Hive0107. These and other cybercrime vendors…