The Cyber Threat Alliance has issued a new report suggesting that a single group of attackers may be earning income from the Cryptowall 3.0 malware. According to the study, the criminals have already generated more than $325 million in ransom revenue and made over 406,000 attempts to infect computers.
Cryptowall 3.0 is a malicious program that poses a serious threat to organizations and consumers alike. Once a computer is infected, the attackers demand that the victim pay a ransom, which can range from hundreds to thousands of dollars.
“When looking at the number of victims providing payment for the Cryptowall 3.0 ransomware, it becomes clear that this business model is extremely successful and continues to provide significant income for this group,” the Cyber Threat Alliance says.
All victims receive instructions on how to pay in bitcoin, and each is given a different wallet address owned by the attackers. The report says the malware mainly targets computers in North America, although many victims are also located in Australia. Authorities report that in less than a year CryptoWall had obtained about $18 million from victims in the US alone.
“A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits or botnets used to send spam email.”
Meanwhile, the program does not operate in countries such as Russia, Belarus, Ukraine, Kazakhstan, Serbia and Iran. The fact that these regions are excluded suggests that the ransomware could originate from one of them.
“As a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity,” the report reads.
“One variant alone involved with the ‘crypt100’ campaign identifier resulted in over 15,000 victims across the globe. These 15,000 victims alone would account for, at minimum, roughly $5m in profit for the CW3 group,” the report says.
The malware is so professionally run that most security administrators advise their clients simply to pay the criminals. In addition, it is very hard to trace ransom payments among hundreds of bitcoin addresses.
The Cyber Threat Alliance was established by Fortinet, Symantec, Palo Alto Networks and Intel Security to investigate emerging threats and share knowledge about advanced attacks. The alliance aims to spread threat intelligence in order to improve protection for its members' customers and for organizations in general.