April 26, 2016 By David Strom 2 min read

A new report by Imperva titled “The Secret Behind Cryptowall’s Success” took apart the code used in Cryptowall, showing how it works and why it has been so successful. As the authors stated, by understanding the malware’s mechanics, users can be better prepared to defend against it and other ransomware attacks.

The analysts looked at version three of the malware. This is perhaps the most popular in circulation, although there is a fourth version that includes more insidious features.

The Secrets Behind the Malware

The malware is one of numerous ransomware products that starts with a phishing email, in many cases containing an infected PDF file.

“Cryptowall uses hidden Tor services as its command-and-control servers. It uses gateways to Tor since hidden Tor services are not readily accessible through standard browsers,” the report stated. Once deposited, it will hold your hard drive data hostage until you make a specified payment to the attackers.

Each victim has a link to a unique ransom page, and the attackers seemingly set different ransom values depending on the victim’s location. For example, the ransom amount for the U.S. is $700, whereas for Israel, Russia and Mexico, it’s only $500.

“The malware authors clearly know average incomes and change ransom demands based on geolocation to keep the payments affordable,” the authors said. But this is one of the secrets of Cryptowall: The attackers understand marketing and global economics.

The second secret is that they also understand human nature. If the victim doesn’t pay, the ransom doubles.

Building for Success

Another reason why Cryptowall has worked so well is because of its construction. The malware is designed to obscure the identity of its attackers through various cloud-based proxies. On top of this, the beneficiaries receive payment in bitcoin, further masking their identities.

But bitcoin does have one aspect that can be analyzed: While the identities are masked, the transactions are transparent. The researchers “were able to gather quite a lot of information through a bitcoin address provided within the ransom instructions.” They then “followed the bitcoin transactions passing through the attacker’s wallet and finally disclosed an extensive infrastructure of bitcoin wallets where the operators are profiting” from distributing their malware.

Once payment is made, it arrives in one of numerous front-end bitcoin wallets. From there, the funds are transferred to other addresses in the Cryptowall payment network until they are eventually cashed out by the attackers.

Indeed, the analysts were able to calculate these profits, and the value might surprise you. Just three samples of malware they collected generated more than $300,000 in ransom payments from more than 600 targets over a few weeks. Analysts claimed this is just the tip of the Cryptowall iceberg and the actual amount collected is probably much higher.

Battling Cryptowall

Given the lure of this lucre, what can an enterprise IT manager do? Imperva offered several recommendations.

First, monitor for the file names that Cryptowall uses, such as HELP_DECRYPT. Look for temporary files being created and deleted frequently from a certain computer. Security professionals should also make regular backups that are kept on a separate and protected network.

Finally, educate your users about phishing attacks in general. While the attackers are getting better at exploiting human foibles — such as sending phony resumes in phishing emails — more end user education could help identify malicious communications.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Advanced Threats

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today