A new report by Imperva titled “The Secret Behind Cryptowall’s Success” took apart the code used in Cryptowall, showing how it works and why it has been so successful. As the authors stated, by understanding the malware’s mechanics, users can be better prepared to defend against it and other ransomware attacks.

The analysts looked at version three of the malware. This is perhaps the most popular in circulation, although there is a fourth version that includes more insidious features.

The Secrets Behind the Malware

The malware is one of numerous ransomware products that starts with a phishing email, in many cases containing an infected PDF file.

“Cryptowall uses hidden Tor services as its command-and-control servers. It uses gateways to Tor since hidden Tor services are not readily accessible through standard browsers,” the report stated. Once deposited, it will hold your hard drive data hostage until you make a specified payment to the attackers.

Each victim has a link to a unique ransom page, and the attackers seemingly set different ransom values depending on the victim’s location. For example, the ransom amount for the U.S. is $700, whereas for Israel, Russia and Mexico, it’s only $500.

“The malware authors clearly know average incomes and change ransom demands based on geolocation to keep the payments affordable,” the authors said. But this is one of the secrets of Cryptowall: The attackers understand marketing and global economics.

The second secret is that they also understand human nature. If the victim doesn’t pay, the ransom doubles.

Building for Success

Another reason why Cryptowall has worked so well is because of its construction. The malware is designed to obscure the identity of its attackers through various cloud-based proxies. On top of this, the beneficiaries receive payment in bitcoin, further masking their identities.

But bitcoin does have one aspect that can be analyzed: While the identities are masked, the transactions are transparent. The researchers “were able to gather quite a lot of information through a bitcoin address provided within the ransom instructions.” They then “followed the bitcoin transactions passing through the attacker’s wallet and finally disclosed an extensive infrastructure of bitcoin wallets where the operators are profiting” from distributing their malware.

Once payment is made, it arrives in one of numerous front-end bitcoin wallets. From there, the funds are transferred to other addresses in the Cryptowall payment network until they are eventually cashed out by the attackers.

Indeed, the analysts were able to calculate these profits, and the value might surprise you. Just three samples of malware they collected generated more than $300,000 in ransom payments from more than 600 targets over a few weeks. Analysts claimed this is just the tip of the Cryptowall iceberg and the actual amount collected is probably much higher.

Battling Cryptowall

Given the lure of this lucre, what can an enterprise IT manager do? Imperva offered several recommendations.

First, monitor for the file names that Cryptowall uses, such as HELP_DECRYPT. Look for temporary files being created and deleted frequently from a certain computer. Security professionals should also make regular backups that are kept on a separate and protected network.

Finally, educate your users about phishing attacks in general. While the attackers are getting better at exploiting human foibles — such as sending phony resumes in phishing emails — more end user education could help identify malicious communications.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

more from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…