Ransomware: an Insight to Financial Gain

By Christiaan Beek on Oct 29, 2015

This week, joint research on the CryptoWall Version 3 family was released by the Cyber Threat Alliance. In Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat, McAfee, along with the other members of the CTA, researched the elements of the CryptoWall lifecycle, represented in the following graphic:

[Figure: CW3 lifecycle]

Source: Cyber Threat Alliance, Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat.

In this blog, we want to focus on the financial infrastructure behind the campaigns that were distributing the CryptoWall ransomware.

During our investigation, we researched thousands of samples. Some were taken apart manually for in-depth analysis. Others were automatically replicated. Based on the output, we gathered all this information into one big set of data. The data was then correlated and analyzed to understand the shared infrastructure, including the Bitcoin wallets used to collect ransom payments.

A correlation example follows. This illustrates the first step in a Bitcoin transaction.

[Figure: CW3 bitcoin path]

We identified the first wallets used in all the studied CryptoWall campaigns and then followed the money to other Bitcoin wallets. After victims make ransom payments, these payments are quickly transferred to different Bitcoin wallets, and from those Bitcoin wallets to others. Sometimes these transfers occur multiple times per day.

During our investigation, we looked into thousands of transactions. Eventually, we hit a “master wallet.” This wallet contains a huge amount of Bitcoins funneled from thousands of transactions.

Although the CryptoWall campaigns we studied began in February 2015, the master wallet was established in April 2014. We don’t know the source of the transactions prior to February, but we did analyze those that occurred after CryptoWall became active in February. We calculated the value of all transactions using an average dollar value of the Bitcoins, resulting in an estimated $325 million in ransom payments attributable to CryptoWall during the two-month period of our study.

In the report, we also discussed the Angler exploit kit as part of the delivery mechanism for this ransomware family. In October 2015, threat researchers from Cisco’s Talos group released a report detailing how they disrupted the group behind Angler. In that report, the Talos group reported annual revenue of $60 million from ransomware. When we verified this with the Talos team, they mentioned that in a certain month, all of Angler’s proxy servers except one were serving the CryptoWall ransomware. To gain access to the Angler exploit kit, the CryptoWall attackers had to pay a certain amount of money. With the ransom payments generated by CryptoWall, the attackers could easily afford the cost of Angler.

The revenue generated by CryptoWall and similar ransomware campaigns will attract more cybercriminals to run campaigns of their own, participate in affiliate programs, or start developing new services as “ransomware-as-a-service.” Given these factors, we predicted a rise in this type of attack. However, the rapid exchange of indicators among security partners, as we have begun to do through the Cyber Threat Alliance, will assist in stopping these threats until technology is developed that can stop ransomware on the endpoint.

About the Author

Christiaan Beek

Christiaan Beek, lead scientist & sr. principal engineer, is part of McAfee’s Office of the CTO, leading strategic threat intelligence research within McAfee. He coordinates and passionately leads the research into advanced attacks, plays a key role in cyberattack take-down operations and participates in the NoMoreRansom project. In previous roles, Beek was Director of Threat Intelligence ...
