Over 625 000 Computers & 5.25 Billion Files Held Hostage by CryptoWall
In the past six months, users of more than 625 000 computers were hit by CryptoWall, currently the largest and most destructive ransomware threat on the Internet. Spreading since November 2013, it long remained in the shadow of another ransomware program, CryptoLocker. According to estimates by malware researchers, the creators of this file-encrypting ransomware have already earned more than US$1 million.
The Nature of CryptoWall Ransomware
CryptoWall is a trojan-horse ransomware program distributed aggressively through spam emails carrying malicious attachments or links, through downloads from compromised websites, and through installation by other malware already running on the victim's PC. CryptoWall's command-and-control servers assign an identity number to every infection and generate a separate RSA public/private key pair for each one. Only the public key is sent to the infected computer; CryptoWall uses it to encrypt files with popular extensions (documents, movies, images and so on) wherever they are reachable from that machine: local hard drives, mapped network shares and cloud storage services that are mounted or synchronised locally.
Researchers confirm that files encrypted with the RSA public key can be decrypted only with the corresponding private key, which stays on the criminals' servers and is handed over only after the ransom has been paid.
Without that private key the encryption cannot be reversed. Once the files are locked, the victim's options are to pay, to restore from a backup the malware could not reach (an offline copy, or a share the infected account could not write to), or to lose the files.
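The key handling described above, as an added PowerShell illustration (this is not CryptoWall's code and is not taken from any researcher's analysis): one RSA pair per infection is created on the "server" side, only the public half is handed to the "victim" side, and the victim side is then shown to be unable to decrypt what it just encrypted. Because RSA can only encrypt inputs shorter than its modulus, the example wraps a short per-file secret rather than a whole file, which is how RSA is used in practice. The infection identifier is a locally generated GUID standing in for the C2-assigned identity number, and the secret string is a constructed stand-in.

```powershell
# Added example, not CryptoWall's code. Models the per-infection RSA key
# handling the article describes. Requires Windows (uses RSACng from .NET).

# Constructed stand-in for the identity number the C2 server assigns per infection.
$infectionId = [guid]::NewGuid().ToString()

# --- attacker side (command-and-control server) ---
# A fresh 2048-bit pair for this infection; the private half never leaves here.
$serverKey  = [System.Security.Cryptography.RSACng]::new(2048)
$publicOnly = $serverKey.ExportParameters($false)   # $false: public parameters only

# --- victim side: receives the infection id and the public parameters, nothing else ---
$victimKey = [System.Security.Cryptography.RSACng]::new()
$victimKey.ImportParameters($publicOnly)
$padding   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Constructed stand-in for a per-file secret (in practice a symmetric file key).
$secret     = [Text.Encoding]::UTF8.GetBytes("per-file secret (constructed)")
$ciphertext = $victimKey.Encrypt($secret, $padding)
"Infection $($infectionId): encrypted $($secret.Length) bytes into $($ciphertext.Length) bytes"

# With only the public half, decryption fails: the infected machine holds
# nothing that can reverse the operation.
try {
    $victimKey.Decrypt($ciphertext, $padding) | Out-Null
    "unexpected: decrypted with the public key"
} catch {
    "victim side cannot decrypt: $($_.Exception.Message)"
}

# Only the holder of the private half (the server) recovers the data.
$recovered = $serverKey.Decrypt($ciphertext, $padding)
"server side recovered: " + [Text.Encoding]::UTF8.GetString($recovered)
```

The point of the failed `Decrypt` call is the one the article makes: memory and disk forensics on the infected machine will turn up the public key and the infection id, but not the material needed to recover the files.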
According to malware researchers, most infections are in the United States, followed by Vietnam, the UK, Canada, India, Australia, France, Germany and Turkey. The ransom is demanded in Bitcoin; earlier versions also accepted prepaid cards such as Paysafecard, MoneyPak, cashU and Ukash.
If the victim does not pay within the deadline, the demanded sum increases. Demands range from 200 USD to 10 000 USD.
Malware specialists have found similarities between CryptoWall samples and those of Tobfy, an older ransomware family. If both come from the same criminals, they have long experience in running ransomware operations.
CryptoWall: How to Reduce the Risk of Infection
Users should follow these steps to reduce the risk of a CryptoWall infection:
- Install system updates promptly to close known vulnerabilities
- Restrict file sharing: limit write access on network shares, since CryptoWall encrypts every share the infected account can write to
- Disable AutoRun for removable media
- Follow best practices for instant messaging, browsing and email, in particular not opening unexpected attachments or links
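The four recommendations above as one PowerShell pass on a Windows machine, added here as an example rather than anything the article or a vendor provides. It reports before it changes anything: pending software updates, SMB shares where Everyone has more than read access, and the AutoRun and file-extension settings. The registry paths and cmdlets are the standard Windows ones; the share name `Public` and the group `DOMAIN\FileUsers` in the fix-up comments are assumptions. Run it in an elevated session.

```powershell
# Added example, not from the article. Run as Administrator on Windows 8 / Server 2012 or later.

# 1. System updates: list software updates that are not yet installed.
#    (The search can take a minute; this block only reports, it does not install.)
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
"Pending updates: $($pending.Count)"
foreach ($u in $pending) { "  $($u.Title)" }

# 2. File sharing: find local SMB shares where 'Everyone' can write.
#    CryptoWall encrypts anything reachable through a writable share, so these
#    are the shares to restrict to the accounts that actually need to write.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessRight -ne 'Read' } |
        ForEach-Object { "Share '$($share.Name)' ($($share.Path)): Everyone has $($_.AccessRight)" }
}
# To fix a finding (share name and group below are assumptions):
#   Revoke-SmbShareAccess -Name Public -AccountName Everyone -Force
#   Grant-SmbShareAccess  -Name Public -AccountName 'DOMAIN\FileUsers' -AccessRight Change -Force

# 3. AutoRun: turn it off for every drive type (0xFF) and ignore autorun.inf.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
New-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $explorerPolicy -Name NoAutorun          -Value 1    -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $explorerPolicy | Select-Object NoDriveTypeAutoRun, NoAutorun

# 4. Email hygiene: always show file extensions, so an attachment named
#    'report.pdf.exe' is not displayed as 'report.pdf'. Current user only.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0
Get-ItemProperty -Path $advanced | Select-Object HideFileExt
```

The share check is the part most specific to this threat: a backup target mapped as a writable drive on a workstation is, from CryptoWall's point of view, just another folder to encrypt, so the review should also cover where backups are written from.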