The cybercriminal gang behind the Cryptowall 3.0 ransomware has taken in an estimated $325 million from hundreds of thousands of victims worldwide by demanding ransom payments in Bitcoin. The ransomware has been active since January 2015.
A comprehensive study points out that the group that develops and deploys Cryptowall 3.0 may have collected millions of dollars in Bitcoin ransoms in the past year alone. Cryptowall 3.0 is the latest variant of a ransomware family that is among the most effective tools attackers use to frighten victims into paying quickly or risk losing the files on their computers.
The full report, published by the Cyber Threat Alliance under the title “Lucrative Ransomware Attacks”, is available as a PDF.
The Cyber Threat Alliance (CTA) is a newly formed collective of cybersecurity firms including Intel Security, Palo Alto Networks, Fortinet and Symantec. The CTA found that the cybercriminals behind the ransomware are likely a single group, based on several similarities in the Bitcoin wallets the attackers use to collect ransom payments.
The report reads:
By correlating the campaign identifiers with IP addresses, URLs, and bitcoin wallets, infrastructure relationships are revealed.
Multiple campaigns targeting specific user groups from around the world were tagged with campaign identifiers (IDs).
The authors of the paper confirm that “…a number of primary (Bitcoin) wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same (single) entity.”
Certain campaigns proved wildly successful for the cybercriminals, who extracted $18 million from U.S. victims alone in the past year.
“When we examined the BTC transaction network stemming from the initial wallets (that of the victim) to what we considered to be final wallets, the financial impact was substantial,” the report added.
The report notes that the transaction flows through the blockchain are complex: the investigation turned up hundreds of BTC addresses, which made the transactions difficult for investigators to trace.
Some notable findings from the report include:
- BTC taken from victims was received by a large network of Bitcoin wallets.
- Initial wallets were set up on the Tor network and advertised through ransom payment sites hosted there.
- A ransom payment site was activated when a victim was infected. When a wallet was discovered by law enforcement, another wallet was rotated in and embedded into the sites that direct victims to pay.
- Once a ransom was paid, the operators transferred the funds out of the initial wallet, splitting them 70/30 across second, third, fourth and fifth layers of Bitcoin wallets before eventually funneling the total into a final wallet.
The report also notes that a significant majority of these BTC addresses were used to launder the proceeds into legitimate channels. Some of the money was also used to fund the ransomware infrastructure itself.
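As an added illustration (not code from the report or from this article), the following Python sketch shows the two analyses described above: clustering campaign IDs that share a primary wallet, which is the reasoning behind the "single entity" conclusion, and walking victim payments through layered intermediate wallets to the terminal wallet while checking each hop for the 70/30 split. Every campaign ID, address and amount below is constructed for the example; the wallet-per-campaign mapping and the transaction list stand in for what an analyst would pull from ransom pay pages and the blockchain.

```python
"""Toy wallet-correlation and flow-tracing analysis (illustrative; all data constructed)."""
from collections import defaultdict, deque

# Constructed: campaign ID -> primary wallets advertised on that campaign's ransom pay page.
CAMPAIGN_WALLETS = {
    "crypt1": {"W-A", "W-B"},
    "crypt2": {"W-B"},          # shares W-B with crypt1
    "crypt3": {"W-C"},
    "crypt4": {"W-C", "W-D"},   # shares W-C with crypt3
    "crypt5": {"W-E"},          # shares nothing; cannot be tied to the others by wallet alone
}

# Constructed transactions: (from_address, to_address, amount_btc).
# Victims pay into initial wallets; each initial wallet is drained 70/30 into a second layer,
# and the second layer is swept into one final wallet.
TRANSACTIONS = [
    ("victim-1", "W-A", 1.0),
    ("victim-2", "W-B", 2.0),
    ("victim-3", "W-C", 1.0),
    ("W-A", "L2-1", 0.7), ("W-A", "L2-2", 0.3),
    ("W-B", "L2-1", 1.4), ("W-B", "L2-2", 0.6),
    ("W-C", "L2-3", 0.7), ("W-C", "L2-4", 0.3),
    ("L2-1", "FINAL", 2.1), ("L2-2", "FINAL", 0.9),
    ("L2-3", "FINAL", 0.7), ("L2-4", "FINAL", 0.3),
]


def cluster_campaigns(campaign_wallets):
    """Union-find over campaign IDs: any two campaigns sharing a wallet land in one cluster."""
    parent = {c: c for c in campaign_wallets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_owner = {}
    for campaign, wallets in campaign_wallets.items():
        for wallet in wallets:
            if wallet in first_owner:
                union(first_owner[wallet], campaign)
            else:
                first_owner[wallet] = campaign

    clusters = defaultdict(set)
    for campaign in campaign_wallets:
        clusters[find(campaign)].add(campaign)
    return sorted(sorted(members) for members in clusters.values())


def build_graph(transactions):
    """Adjacency list: sender -> [(receiver, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amount in transactions:
        graph[src].append((dst, amount))
    return graph


def final_wallets(transactions):
    """Terminal sinks: addresses that receive funds but never send any on."""
    senders = {src for src, _, _ in transactions}
    receivers = {dst for _, dst, _ in transactions}
    return receivers - senders


def trace_flow(transactions, initial_wallets):
    """BFS from the initial (victim-facing) wallets; returns {address: hop depth}.
    The visited check keeps this terminating even if the launderers route funds in cycles."""
    graph = build_graph(transactions)
    depth = {w: 0 for w in initial_wallets}
    queue = deque(initial_wallets)
    while queue:
        node = queue.popleft()
        for nxt, _ in graph.get(node, []):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth


def received_at(transactions, addresses):
    """Total BTC received by each address in `addresses`."""
    totals = defaultdict(float)
    for _, dst, amount in transactions:
        if dst in addresses:
            totals[dst] += amount
    return dict(totals)


def check_split(transactions, wallet, ratio=0.7, tol=0.01):
    """True if `wallet` forwards everything it received as exactly two outputs in a ratio/(1-ratio) split."""
    incoming = sum(a for _, d, a in transactions if d == wallet)
    outgoing = sorted((a for s, _, a in transactions if s == wallet), reverse=True)
    if incoming == 0 or len(outgoing) != 2:
        return False
    return (abs(outgoing[0] / incoming - ratio) < tol
            and abs(outgoing[1] / incoming - (1 - ratio)) < tol)


if __name__ == "__main__":
    print("campaign clusters:", cluster_campaigns(CAMPAIGN_WALLETS))
    initial = {"W-A", "W-B", "W-C"}
    print("hop depth per address:", trace_flow(TRANSACTIONS, initial))
    print("final wallets and totals:", received_at(TRANSACTIONS, final_wallets(TRANSACTIONS)))
    print("70/30 split at initial wallets:", {w: check_split(TRANSACTIONS, w) for w in initial})
```

On real data the same structure applies, but the wallet list per campaign comes from scraping the Tor pay pages, and the transaction list from a blockchain index; the final-wallet heuristic (receives but never spends) is only a snapshot, since a wallet that looks terminal today may be swept tomorrow.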
Curiously, Cryptowall 3.0 uninstalls itself when a locale check indicates that it has infected a computer in one of the following countries:
These exceptions offer a good hint as to where the still-unidentified cybercriminal gang is operating from.