This week, joint research on the CryptoWall Version 3 family was released by the Cyber Threat Alliance. In Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat, Intel Security, along with the other members of the CTA, researched the elements in the CryptoWall lifecycle, represented in the following graphic:
Source: Cyber Threat Alliance, Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat.
In this blog, we want to focus on the financial infrastructure behind the campaigns that were distributing the CryptoWall ransomware.
During our investigation, we researched thousands of samples. Some were taken apart manually for in-depth analysis. Others were automatically replicated. Based on the output, we gathered all this information into one big set of data. The data was then correlated and analyzed to understand the shared infrastructure, including the Bitcoin wallets used to collect ransom payments.
A correlation example follows. This illustrates the first step in a Bitcoin transaction.
We identified the first wallets used in all the studied CryptoWall campaigns and then followed the money to other Bitcoin wallets. After victims make ransom payments, these payments are quickly transferred to different Bitcoin wallets, and from those Bitcoin wallets to others. Sometimes these transfers occur multiple times per day.
During our investigation, we looked into thousands of transactions. Eventually, we hit a “master wallet.” This wallet contains a huge amount of Bitcoins funneled from thousands of transactions.
Although CryptoWall campaigns began in February 2015, the master wallet was established in April 2014. We don’t know the source of transactions prior to February, but we did analyze those that occurred after CryptoWall became active in February. We calculated the value of all transactions using an average dollar value of the Bitcoins, resulting in an estimated $325 million in ransom payments due to CryptoWall during the two-month period of our study.
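The tracing described above can be sketched as a forward walk over a transfer graph. This is an added example, not code or data from the CTA report: the wallet names, amounts, and average price are constructed, and `trace_funds`, `convergence_wallet`, and `estimate_usd` are hypothetical helper names.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, BTC). All wallet names are placeholders.
TRANSFERS = [
    ("pay_A", "hop_1", 2.0), ("pay_B", "hop_1", 1.5), ("pay_C", "hop_2", 3.0),
    ("hop_1", "hop_3", 3.5), ("hop_2", "hop_3", 1.0), ("hop_2", "hop_4", 2.1),
    ("hop_3", "master", 4.5), ("hop_4", "master", 2.0),
    ("hop_4", "hop_2", 0.1),          # cycle, to show the traversal terminates
    ("unrelated_X", "master", 10.0),  # deposit with no link to a payment wallet
]
SEEDS = ["pay_A", "pay_B", "pay_C"]   # first-hop wallets recovered from sample analysis
AVG_USD_PER_BTC = 250.0               # constructed average price, not a figure from the report

def trace_funds(seeds, transfers):
    """Return (seeds reaching each downstream wallet, BTC each wallet got from traced wallets)."""
    out_edges = defaultdict(list)
    for sender, receiver, btc in transfers:
        out_edges[sender].append((receiver, btc))
    seeds_reaching = defaultdict(set)
    for seed in seeds:
        seen, queue = {seed}, deque([seed])
        while queue:                      # breadth-first; `seen` guards against cycles
            wallet = queue.popleft()
            for receiver, _ in out_edges[wallet]:
                if receiver not in seen:
                    seen.add(receiver)
                    seeds_reaching[receiver].add(seed)
                    queue.append(receiver)
    # Over-approximation: every transfer out of a traced wallet is counted as traced.
    tainted = set(seeds) | set(seeds_reaching)
    traced_inflow = defaultdict(float)
    for sender, receiver, btc in transfers:
        if sender in tainted:
            traced_inflow[receiver] += btc
    return seeds_reaching, traced_inflow

def convergence_wallet(seeds, transfers):
    """Wallet reached from the most seed wallets; ties broken by traced inflow."""
    reach, inflow = trace_funds(seeds, transfers)
    return max(reach, key=lambda w: (len(reach[w]), inflow[w]))

def estimate_usd(btc, avg_usd_per_btc):
    """Value a traced BTC total at one average price, as the study did."""
    return btc * avg_usd_per_btc

if __name__ == "__main__":
    reach, inflow = trace_funds(SEEDS, TRANSFERS)
    print(convergence_wallet(SEEDS, TRANSFERS), estimate_usd(inflow["master"], AVG_USD_PER_BTC))
```

Deposits that cannot be linked to a payment wallet, like the `unrelated_X` transfer here, stay out of the traced total, which mirrors the post's exclusion of transactions whose source is unknown.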
In the report, we also discussed the Angler exploit kit as part of the delivery mechanism for this ransomware family. In October 2015, threat researchers from Cisco’s Talos group released a report detailing how they disrupted the group behind Angler. In that report, the Talos group reported annual revenue of $60 million from ransomware. When we verified this with the Talos team, they mentioned that in a certain month, all of Angler’s proxy servers except one were serving the CryptoWall ransomware. To gain access to the Angler exploit kit, the CryptoWall attackers had to pay a certain amount of money. With the ransom payments generated by CryptoWall, the attackers could easily afford the cost of Angler.
The revenue generated by CryptoWall and similar ransomware campaigns will attract more cybercriminals to run similar campaigns, join affiliate programs, or start developing new services as “ransomware-as-a-service.” Given these factors, we predicted a rise in this type of attack. However, the rapid exchange of indicators among security partners, as we have begun to do through the Cyber Threat Alliance, will assist in stopping these threats until technology is developed that can stop ransomware on the endpoint.
For information on how Intel Security detects this threat, see this related post.