The Secret Behind CryptoWall’s Success: Key Findings from our Hacker Intelligence Initiative Report

ImpervaCW1

CNET recently named ransomware the “hot hacking trend of 2016.” While we don’t particularly like making something so evil sound so glamorous, we have to agree: ransomware is a serious threat, and it’s here to stay.

While ransomware is growing in prevalence, scope, and scale, it still isn’t widely understood. Are there many criminals behind these ruthless attacks, or a handful of very organized gangs? How does the financial system work, and what can we learn from it? Are enterprises immune from it? With these questions in mind, the Imperva Application Defense Center (ADC) chose to focus on one of the most successful breeds of ransomware – CryptoWall 3.0 – for our recent Hacker Intelligence Initiative Report.

Our approach

We analyzed CryptoWall 3.0 because it is the most widespread and successful ransomware to date. We had also seen it in the wild; our labs received some Spear Phishing emails, disguised as resumes that tried to initiate the attack. We used these samples and more to follow the money, tracking Bitcoin transactions to see where the financials would lead us.

impervacw2

Key findings

  • Ransomware is often disguised as a harmless email attachment. Users initiate the process by clicking on an attached file infused with CryptoWall 3.0 ransomware, which then encrypts your files to hold them hostage. The victim is told to pay the ransom now, or pay even more later.
  • Malware authors use the TOR network and require ransom in Bitcoins to maintain end-to-end anonymity. Hidden TOR services not available through standard browsers help obscure the delivery of the ransom instructions. When the infected user follows the instructions, he or she is provided a Bitcoin address through which to pay the ransom.
  • Ransomware demands a different fee depending on geography. The malware authors clearly know average incomes, and adjust their ransoms accordingly. U.S. victims were charged $700 USD, while in Israel, Russia, and Mexico, it’s only $500 USD.
  • Attackers use a complex Bitcoin wallet infrastructure to receive anonymous payments. We inspected BTC network and analyzed an attacker’s Bitcoin account to learn how the money moved back and forth, and discovered clear trends demonstrating sophisticated, ongoing attacks.impervacw3
  • Payment infrastructure analysis is a powerful tool against ransomware. We investigated only a small sample of ransomware malware, and were able to access significant information with relative ease. Law enforcement must now take these efforts to the next level to fight ransomware attacks.

Hackers that use CryptoWall 3.0 are not amateurs in their parents’ basements. These are organized criminals playing on human psychology to staggeringly large benefit. A detailed understanding of ransomware helps us learn how to protect ourselves – namely, through file monitoring and regular backups – but also gives insight into how these hackers can be defeated.

Read the full report to see how we traced the money, including each step of the Bitcoin process and examples of the phishing emails, and our recommendations for defending yourself against ransomware. Then pass it on to law enforcement – with enough pressure, they will up the ante and protect each of us, and our data, from being held ransom.