Why CryptoWall ransomware will remain a shadow of CryptoLocker

The CryptoWall ransomware that filled the void left by the takedown of its CryptoLocker cousin is less effective and lacks the sophistication needed to wring more money from victims.

CryptoWall's shortcomings include less virulent technology and no payment option beyond Bitcoin, a cryptocurrency that many people would not know how to use to pay for having malware-encrypted files unscrambled, according to Keith Jarvis, a senior researcher for the Dell SecureWorks Counter Threat Unit, which performed an extensive analysis of CryptoWall.


"It made no advancements on what we saw with CryptoLocker," Jarvis said Wednesday.

Despite the lack of innovation, the criminals behind CryptoWall managed to compromise 625,000 computers in the last six months, surpassing the roughly half million infected with CryptoLocker.

However, its lack of simpler payment options has led to a much smaller take, roughly $1.1 million versus about $3 million for CryptoLocker.

The latter ransomware faded quickly in May after a multi-national law enforcement operation took down the 2-year-old Gameover Zeus botnet, which was also the exclusive distributor of CryptoLocker.

The botnet of between half a million and 1 million compromised computers distributed the Gameover Zeus malware used to steal online banking credentials. The CryptoLocker criminals rode piggyback on the botnet.

CryptoWall infection spiked immediately after CryptoLocker was knocked out.

The boost was due to CryptoWall operators tapping a variety of distribution tactics, including the Cutwail botnet, which sends spam with malicious links or attachments; drive-by-download attacks from websites hosting exploit kits; and other malware programs that installed the ransomware on already compromised computers.

Beyond distribution methods, Jarvis says there are a number of other differences between the two ransomware families, both of which encrypt files on a victim's computer and won't decrypt them until money is paid:

-- CryptoWall encrypts files more important to consumers, such as audio and video files. CryptoLocker was more focused on document files.

-- CryptoLocker was more sophisticated in that it used public key encryption to authenticate the infected system with the command-and-control server.

-- CryptoWall encrypted files directly with 2048-bit RSA keys, an asymmetric algorithm that is slow and not designed for encrypting large files. CryptoLocker instead encrypted file contents with the Advanced Encryption Standard (AES), a symmetric algorithm that is much faster and built for bulk data.

The CryptoWall criminals most likely went with the simpler encryption scheme because it was easier to implement and harder to get wrong. "It also could be they didn't really understand encryption at a fundamental level," Jarvis said.

-- The payment infrastructure behind CryptoLocker was also more complex. Besides Bitcoins, victims could pay using Green Dot MoneyPaks, which are prepaid payment cards sold at more than 60,000 retail stores in the U.S. Once the victim gave the criminals the number on the card to obtain payments, someone had to physically go to a store on the MoneyPak network to retrieve the cash.

The majority of CryptoLocker victims paid through MoneyPaks.
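The encryption difference described above is the one worth seeing in code. The following Go program is an added example written for this article; it is not code from either ransomware family or from the SecureWorks analysis. It shows why RSA-2048 alone is a poor fit for whole files: with OAEP padding a 2048-bit key can carry at most 190 bytes per operation, so a 4 KiB file simply cannot be encrypted in one step. It then shows the hybrid design the article attributes to CryptoLocker, where a random AES key encrypts the bulk data and RSA only wraps that key. The OAEP padding, AES-GCM mode and the `hybridBlob` layout are my choices for illustration; the article does not say which padding or cipher mode either family used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// maxOAEPPayload returns the largest message RSA-OAEP with SHA-256 can
// encrypt under pub: k - 2*hLen - 2 bytes, i.e. 190 bytes for a 2048-bit key.
func maxOAEPPayload(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// rsaDirectEncrypt encrypts data with RSA-OAEP alone, the "RSA on the file
// itself" approach the article attributes to CryptoWall. It fails with
// rsa.ErrMessageTooLong as soon as data exceeds maxOAEPPayload.
func rsaDirectEncrypt(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

// hybridBlob is an illustrative on-disk layout (assumption, not a real
// ransomware format): RSA-wrapped AES key, GCM nonce, AES-GCM ciphertext.
type hybridBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// hybridEncrypt is the AES-for-bulk-data, RSA-for-the-key design the article
// attributes to CryptoLocker. Only the 32-byte AES key goes through RSA, so
// file size no longer matters.
func hybridEncrypt(pub *rsa.PublicKey, data []byte) (*hybridBlob, error) {
	key := make([]byte, 32) // AES-256 key, fresh per file
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &hybridBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// hybridDecrypt is what the victim gets back only after paying: the private
// key unwraps the AES key, which then decrypts the bulk data.
func hybridDecrypt(priv *rsa.PrivateKey, b *hybridBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample "file": 4 KiB of filler standing in for a document.
	file := bytes.Repeat([]byte("sample file bytes\n"), 4096/18)

	fmt.Println("RSA-2048 OAEP limit per operation:", maxOAEPPayload(&priv.PublicKey), "bytes")
	_, err = rsaDirectEncrypt(&priv.PublicKey, file)
	fmt.Println("direct RSA on", len(file), "bytes:", err)

	blob, err := hybridEncrypt(&priv.PublicKey, file)
	if err != nil {
		panic(err)
	}
	pt, err := hybridDecrypt(priv, blob)
	fmt.Println("hybrid round trip ok:", err == nil && bytes.Equal(pt, file))
}
```

Running it prints the 190-byte limit, an `rsa.ErrMessageTooLong` error for the direct attempt, and a successful round trip for the hybrid scheme. A malware author who wanted to stay RSA-only would have to split every file into 190-byte chunks and run a 2048-bit modular exponentiation per chunk, which is the slowness the article describes.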

The organization that was behind CryptoLocker was separate from that running CryptoWall, Jarvis said. Both groups launched operations in 2013 and operated in parallel.

"The guys behind CryptoWall are notorious for ripping off other people's ideas," Jarvis said.

Other than the spike in May, the CryptoWall operation is unlikely to benefit much from CryptoLocker's demise. CryptoWall's shortcomings are likely to prevent it from eclipsing the other, more lucrative scam.


In general, ransomware takes in much less money than malware that steals data from corporations and government agencies and personal data from consumers, such as user names and passwords to online banking and other websites.

Dell SecureWorks has seen a trend in which distributors of ransomware also infect systems with data-stealing malware through partnerships with other criminal organizations.

"Ransomware isn't that lucrative, so they need to branch out," Jarvis said.

Stories by Antone Gonsalves