CryptoWall ransomware undressed in new report

An infamous piece of ransomware, CryptoWall, has been cracked, according to industry sources.

Ransom note

The Cyber-Threat Alliance, a group of cyber-security practitioners, announced yesterday in a new report that it has cracked the CryptoWall ransomware. In the report the Alliance shows how CryptoWall works and how it separated so many unwitting victims from their cash.

CryptoWall, discovered in June last year, is a trojan-based piece of malware. It encrypts files on an infected computer and then charges the victim to have that data decrypted, essentially holding the user's data to ransom. It typically reaches victims via phishing emails carrying the malicious software, or is downloaded to the victim's computer from websites compromised with exploit kits.

SCmagazineUK.com spoke to Greg Day, the EMEA CSO for Palo Alto Networks, one of the founding members of The Alliance. CryptoWall was its first target, says Day, not only because of the scale of its effect but because of its sophistication. “People don't see ransomware as too sophisticated, they think it's just a bit of encryption with a strong password,” but, says Day, “when you start to look at it, it's pretty complex.”

The attackers had to compromise hundreds of sites and use a “vulnerability kit that allows you to inject ransomware right into memory without having to write anything to disc that would avoid anti-virus controls.” The ransomware also comes with random code injection, which ensures that every time it compromises a system it looks different.

The crimeware, which is thought to be responsible for more than 400,000 infection attempts and has accrued thousands of victims during its life span, has also earnt the attackers more than £200 million. It got all that cash through a complex series of Bitcoin exchanges. The attackers would typically ask for payment in Bitcoin (currently valued at over £200), and then up the price if the victim was late paying. The victim would be given a Bitcoin wallet in which to pay the ransom; the attackers would then move the funds on, filtering them in ever smaller amounts through hundreds of other Bitcoin wallets, with only a few of the same wallets being used on more than one CryptoWall campaign. The report states, “a majority of these Bitcoin addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits and/or botnets used to send spam email.” This method made it all the harder for financial investigators to trace the money trails and find the CryptoWall operators.
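The laundering pattern described above (ransom payments fanned out in ever smaller amounts, with a handful of wallets reused across campaigns) is what an investigator would look for in transaction data. The following is an added example, not code from the article or from the Cyber-Threat Alliance report: it builds a transfer graph from a small constructed ledger, follows the funds downstream from each campaign's payment wallet, records how the amounts shrink hop by hop, and reports any wallet that appears in the flow of more than one campaign. All wallet names and amounts are synthetic placeholders.

```python
from collections import defaultdict, deque

# Constructed, synthetic ledger of transfers: (from_wallet, to_wallet, amount_btc).
# Wallet names are placeholders, not real Bitcoin addresses.
LEDGER = [
    # Campaign A: a victim pays into the ransom wallet, which then fans out.
    ("victimA1", "payA1", 2.0),
    ("payA1", "mixA1", 1.0),
    ("payA1", "mixA2", 1.0),
    ("mixA1", "mixA3", 0.5),
    ("mixA1", "hubX", 0.5),
    ("mixA2", "hubX", 0.6),
    ("mixA2", "mixA4", 0.4),
    # Campaign B: separate ransom wallet, but funds also pass through hubX.
    ("victimB1", "payB1", 1.5),
    ("payB1", "mixB1", 0.75),
    ("payB1", "mixB2", 0.75),
    ("mixB1", "hubX", 0.3),
    ("mixB1", "mixB3", 0.45),
    ("mixB2", "cashout", 0.75),
]

# Hypothetical mapping of campaign label -> the ransom payment wallets it used.
CAMPAIGNS = {"A": ["payA1"], "B": ["payB1"]}


def build_graph(ledger):
    """Adjacency list: wallet -> list of (recipient, amount)."""
    graph = defaultdict(list)
    for src, dst, amount in ledger:
        graph[src].append((dst, amount))
    return graph


def downstream_wallets(graph, start):
    """Breadth-first walk from a ransom wallet; returns every wallet the funds reach."""
    seen = set()
    queue = deque([start])
    while queue:
        wallet = queue.popleft()
        for nxt, _ in graph.get(wallet, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def shared_wallets(graph, campaigns):
    """Wallets that sit downstream of more than one campaign's ransom wallets."""
    owners = defaultdict(set)
    for label, starts in campaigns.items():
        for start in starts:
            for wallet in downstream_wallets(graph, start):
                owners[wallet].add(label)
    return {w: sorted(labels) for w, labels in owners.items() if len(labels) > 1}


def fan_out_hops(graph, start):
    """Per hop from the ransom wallet: (number of new wallets reached, smallest transfer).

    A growing wallet count with a shrinking minimum amount is the 'ever smaller
    amounts through many wallets' signature the report describes.
    """
    frontier = {start}
    seen = {start}
    hops = []
    while frontier:
        reached = {}
        for wallet in frontier:
            for dst, amount in graph.get(wallet, []):
                if dst not in seen:
                    reached[dst] = min(amount, reached.get(dst, amount))
        if not reached:
            break
        seen.update(reached)
        hops.append((len(reached), min(reached.values())))
        frontier = set(reached)
    return hops


if __name__ == "__main__":
    g = build_graph(LEDGER)
    print("fan-out from payA1:", fan_out_hops(g, "payA1"))
    print("wallets shared across campaigns:", shared_wallets(g, CAMPAIGNS))
```

On the constructed ledger the walk from `payA1` reaches two wallets at the first hop and three at the second while the smallest transfer drops from 1.0 to 0.4, and `hubX` is flagged as the one wallet common to both campaigns. On real chain data the same traversal is what lets a few reused wallets tie otherwise separate campaigns to one operator.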

The Alliance, which has gathered together some of the top cyber-security practitioners and companies, aims to disseminate information across the industry in order to better fight cyber-threats. The Alliance got together after a thought occurred to Mark McLaughlin, the CEO of Palo Alto Networks, that they should be able to out-cpu and out-horsepower attackers, but that this could only be done with collaboration. He promptly got together with other like-minded companies and The Alliance was born.

The Alliance includes such security luminaries as Fortinet, Intel Security, Palo Alto Networks and Symantec. The release of this report is a momentous occasion for The Alliance as this is the first report that uses combined threat research and intelligence from their founding members.