The cybercriminal gang behind the intrusive Cryptowall 3.0 ransomware has raked in an estimated $325 million from hundreds of thousands of victims around the world by demanding ransom payments in Bitcoin. The ransomware has been active since January 2015.
A comprehensive study concludes that the cybercriminal group developing and deploying Cryptowall 3.0 may have collected millions of dollars in Bitcoin ransoms in the past year alone. Cryptowall version 3.0 is the latest variant of a ransomware family that ranks among the most effective tools attackers use to pressure victims: pay quickly, or lose the files on their computer.
The full report, published by the Cyber Threat Alliance under the title “Lucrative Ransomware Attacks”, can be found here [PDF].
The Cyber Threat Alliance (CTA) is a newly formed collective of cybersecurity firms including Intel Security, Palo Alto Networks, Fortinet and Symantec. The CTA's findings indicate that the cybercriminals behind the ransomware are likely a single group, based on several overlaps in the Bitcoin wallets the attackers use to collect ransom payments from victims.
The report read:
By correlating the campaign identifiers with IP addresses, URLs, and bitcoin wallets, infrastructure relationships are revealed.
Multiple campaigns targeting specific user groups from around the world were tagged with campaign identifiers (IDs).
The authors of the paper confirm that “…a number of primary (Bitcoin) wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same (single) entity.”
Furthermore, certain campaigns turned out to be wildly successful for the cybercriminals: U.S. victims alone lost $18 million within the past year.
“When we examined the BTC transaction network stemming from the initial wallets (that of the victim) to what we considered to be final wallets, the financial impact was substantial,” the report added.
Because the transaction flows on the blockchain are complex, the search turned up hundreds of BTC addresses, which made it difficult for investigators to trace the transactions.
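The two analysis steps the report describes, correlating campaign IDs through shared IP addresses, URLs and wallets, and then following ransom payments forward through the transaction graph until they reach "final" wallets, are shown below as an added example. This is not code from the CTA report or from this article, and every campaign ID, IP address, URL, wallet address and transaction in it is constructed sample data, not a real Cryptowall indicator.

```python
"""Correlating ransomware campaign IDs by shared infrastructure and
following payments through a Bitcoin-style transaction graph.

Added example; not code from the CTA report.  All indicators and
transactions below are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed sample data: each campaign ID with the indicators seen in it.
# "1PayWalletA" is shared by two campaigns and "203.0.113.4" by two others.
CAMPAIGNS = {
    "crypt100": {"ips": {"198.51.100.7"}, "urls": {"http://pay-a.example/"},
                 "wallets": {"1PayWalletA"}},
    "crypt101": {"ips": {"198.51.100.9"}, "urls": {"http://pay-b.example/"},
                 "wallets": {"1PayWalletA", "1PayWalletB"}},
    "crypt102": {"ips": {"203.0.113.4"}, "urls": {"http://pay-c.example/"},
                 "wallets": {"1PayWalletC"}},
    "crypt103": {"ips": {"203.0.113.4"}, "urls": {"http://pay-d.example/"},
                 "wallets": {"1PayWalletD"}},
    "crypt104": {"ips": {"192.0.2.77"}, "urls": {"http://pay-e.example/"},
                 "wallets": {"1PayWalletE"}},
}

# Constructed sample transaction edges: (from_address, to_address, BTC).
TRANSACTIONS = [
    ("1VictimA", "1PayWalletA", 2.0),
    ("1VictimB", "1PayWalletA", 1.5),
    ("1VictimC", "1PayWalletB", 1.0),
    ("1PayWalletA", "1MixerX", 3.5),
    ("1PayWalletB", "1MixerX", 1.0),
    ("1MixerX", "1FinalCashout", 4.0),
    ("1MixerX", "1InfraPayment", 0.5),   # spent on attacker infrastructure
    ("1VictimD", "1PayWalletC", 0.75),
    ("1PayWalletC", "1FinalCashout2", 0.75),
]


class DisjointSet:
    """Union-find over campaign IDs."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_indicators(campaigns):
    """Return {indicator: set(campaign_ids)} for every IP, URL or wallet
    that appears in more than one campaign."""
    seen = defaultdict(set)
    for cid, info in campaigns.items():
        for kind in ("ips", "urls", "wallets"):
            for value in info[kind]:
                seen[value].add(cid)
    return {v: cids for v, cids in seen.items() if len(cids) > 1}


def cluster_campaigns(campaigns):
    """Group campaign IDs that transitively share any indicator; campaigns
    in one cluster are candidates for a single operating entity."""
    ds = DisjointSet(campaigns)
    for cids in shared_indicators(campaigns).values():
        first, *rest = sorted(cids)
        for other in rest:
            ds.union(first, other)
    groups = defaultdict(set)
    for cid in campaigns:
        groups[ds.find(cid)].add(cid)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def trace_funds(transactions, start_addresses):
    """Walk outputs forward from victim payment addresses until reaching
    addresses with no outgoing transaction ("final wallets").  Returns
    ({final_wallet: BTC received}, number of addresses traversed).
    Amounts are total inflow to each final wallet, not per-victim taint."""
    starts = set(start_addresses)
    out_edges = defaultdict(list)
    received = defaultdict(float)
    for src, dst, amount in transactions:
        out_edges[src].append(dst)
        received[dst] += amount
    visited, queue = set(), deque(starts)
    while queue:
        addr = queue.popleft()
        if addr in visited:
            continue
        visited.add(addr)
        queue.extend(out_edges.get(addr, ()))
    finals = {a: round(received[a], 8) for a in visited
              if not out_edges.get(a) and a not in starts}
    return finals, len(visited)


if __name__ == "__main__":
    for indicator, cids in shared_indicators(CAMPAIGNS).items():
        print(f"{indicator} shared by {sorted(cids)}")
    print("clusters:", [sorted(c) for c in cluster_campaigns(CAMPAIGNS)])
    victims = ["1VictimA", "1VictimB", "1VictimC", "1VictimD"]
    finals, touched = trace_funds(TRANSACTIONS, victims)
    print(f"{touched} addresses traversed; final wallets: {finals}")
```

The clustering deliberately links campaigns through any shared indicator, so one shared wallet or one shared hosting IP is enough to merge two campaign IDs; on real data an analyst would weight wallet overlap higher than IP overlap, since shared hosting can be coincidental. The fund tracing stops at addresses with no outgoing transaction at the time of analysis, which is all a blockchain snapshot can tell you; a "final" wallet may simply not have been spent from yet.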
Some interesting notes to take from the report include:
The report also notes that the large majority of these BTC addresses were used to launder the proceeds into legitimate channels. Some of the money was also used to support the ransomware infrastructure.
Curiously, Cryptowall 3.0 runs a region check and uninstalls itself when it discovers that it has infected a computer in one of the following countries:
These exclusions are a strong hint as to where the as-yet-unidentified cybercriminal gang operates from.