CryptoWall ransom Trojan has infected 625,000 systems, says Dell SecureWorks

Holds hostage a staggering 5.25 billion files

Is the ransom malware business on the wane at last? New figures from Dell SecureWorks suggest that the current market leader, CryptoWall, hasn't been as profitable as the infamous CryptoLocker, despite infecting more PCs and holding hostage a staggering 5.25 billion files.

In December 2013 it was Dell SecureWorks that provided some of the most widely-quoted figures on the success of CryptoWall's predecessor, the infamous CryptoLocker, which had gone on a bit of a shock and awe rampage after first appearing in September of that year.

By then it had infected at least 250,000 systems in its first 100 days out of an eventual total somewhere north of half a million at the point its distribution network was finally blitzed by Operation Tovar in May. Exactly how many victims eventually paid up is unknown but Dell's original estimate was around 0.4 per cent, which probably waned a little as defenders adjusted to the threat.

The firm now believes that CryptoLocker probably made around $US3 million in ransoms, roughly three times the sum made by CryptoWall, which it estimates at $US1.1 million. That is despite CryptoWall infecting at least 625,000 systems between its debut in March 2014 and 24 August.

"CryptoWall's higher average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain bitcoins have likely contributed to this malware family's more modest success," said Dell SecureWorks researcher Keith Jarvis, reaching for an explanation.

"Additionally, it is likely the CryptoWall operators do not have a sophisticated 'cash out' and laundering operation like the Gameover Zeus crew [which distributed CryptoLocker] and cannot process pre-paid cards in such high volumes."

Nevertheless, CryptoWall had still managed to encrypt a staggering 5.25 billion files, the firm said.

This will have been misery for the 1,683 paying victims Dell SecureWorks detected, most of whom paid around the $US500 mark in the forlorn hope of receiving an unlock key. The ransoms also increased for some victims: 399 paid $US1,000, with a single one coughing up an astonishing $US10,000.

It's also not clear whether Dell SecureWorks has found every payment server. A few weeks back, security firm PhishMe traced Bitcoin wallets containing more than $US700,000 worth of currency.

It's worth remembering that, although less successful than CryptoLocker, since appearing in March 2014 CryptoWall (also known as CryptoDefense) has managed to infect PCs in every country on earth.

The distribution has not been even, however. Of the infections detected by Dell SecureWorks, the US represented 40.6 per cent (253,521), Vietnam 10.7 per cent (66,590), the UK 6.4 per cent (40,258), Canada 5.2 per cent (32,579), India 3.6 per cent (22,582) and Australia 3.1 per cent (19,562).

The conclusion of all this is that ransom malware is probably a business that is slowly eating itself. It still infects plenty of systems but fewer victims are paying up. This is probably a combination of victims not believing that payment will make any difference (decryption keys are often not sent anyway), people defending themselves with backups and the difficulty some have in knowing how to acquire Bitcoins.

But before digesting that apparently good news, it's worth also considering the incredible effort that was required to disrupt CryptoWall's iconic predecessor, CryptoLocker. That took numerous agencies and security firms and months of work by which time its victims were at least $US3 million lighter.

In the UK, Dell SecureWorks' numbers reveal that CryptoWall has infected at least 40,000 systems, the majority of whose owners won't have reported this to UK police. This repeats the dismal pattern of CryptoLocker, a threat that was ignored for the longest time. In this game of cops and robbers the cops aren't just behind the robbers' getaway car but miles away in bed.

Stories by John E. Dunn