The Cyber Threat Alliance (CTA) conducted a study on Cryptowall 3.0 ransomware attacks and found that the attacks are very lucrative, although experts said there is an easy way to mitigate the risk.
CTA is an industry group formed last year by Intel Security, Palo Alto Networks, Fortinet and Symantec, among others, to study emerging cyber threats. In its study of Cryptowall 3.0, CTA catalogued 4,046 malware samples related to the ransomware, 839 command-and-control URLs, 49 campaign code identifiers and 406,887 attempted infections, and estimated the damages at $325 million.
Phishing attacks were found to be the infection vector for about two-thirds of the attacks, with exploit kits being used in most of the remaining attacks. While the overall damages were quite high, individual ransoms ranged from a few hundred dollars to over one thousand dollars.
Interestingly, while there were 49 different campaign code IDs found, CTA said the attack campaigns may have originated from a single source.
"As a result of examining this financial network, it was discovered that a number of primary [bitcoin] wallets were shared between campaigns," CTA wrote, "further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity."
Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI's Boston office, recently said that because the encryption used by Cryptowall is so good, the FBI "often advise[s] people just to pay the ransom."
Kevin Haley, a director for Symantec Security Response, said that Symantec strongly recommends against paying, but admits that not paying could cause "irreparable damage."
"Cryptowall is one of the most lucrative pieces of ransomware currently in existence. Once on a machine, it encrypts the victim's files and subsequently demands payment in return for a key to decrypt them," Haley said. "As with other types of ransomware, Cryptowall targets sensitive files on the machine, including financial records, business information, databases and personal/sentimental content like photos and tax documents."
Experts agree that while paying the ransom may incentivize attackers to continue using these tactics, victims of ransomware attacks may have no other choice but to pay the ransom to get back important information. Experts said contacting law enforcement may provide a small chance of recovering data if law enforcement can obtain the encryption key from the criminal command and control server.
However, there are proactive steps that can be taken to avoid any trouble in the first place.
Perry Dickau, director of product management at DataGravity Inc., said the main way to limit risk from ransomware starts with education.
"Crypto-style viruses are often triggered through phishing emails, and it's incumbent upon an organization to invest in the training of their employees to help them better recognize the signature of a nefarious communication of this type," Dickau said. "The more aware employees can be of the threat they face, and what it looks like, the more likely they will be to avoid the pitfall in the first place."
Some experts noted that Windows System Restore could protect users from data loss, since it takes snapshots of the system from which earlier versions of files can be restored, but others noted that ransomware has been known to delete those snapshots before encrypting files, making this an imperfect solution.
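Because snapshot deletion typically happens just before encryption starts, it is also one of the few moments when the infection is still cheap to stop. The following detection logic is an added example written for this page, not code from the article, CTA or any of the vendors quoted. It scans process-creation events for the documented Windows commands that remove Volume Shadow Copies or the backup catalog (vssadmin, wmic, wbadmin, and the WMI Win32_ShadowCopy class via PowerShell) and then groups hits by parent process, since one parent issuing several different snapshot-destruction commands in quick succession is far more suspicious than an administrator running a single one. The log format and every line in SAMPLE_LOG are constructed for illustration; the article does not say which of these techniques Cryptowall 3.0 itself used.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of process-creation events, flattened to key=value pairs
# (fields loosely modelled on Sysmon event ID 1). Illustrative, not real telemetry.
SAMPLE_LOG = r"""
ts=2015-10-29T09:14:02Z host=WS-0412 user=CORP\alice ppid=4120 image=C:\Windows\explorer.exe cmd="C:\Windows\explorer.exe"
ts=2015-10-29T09:14:05Z host=WS-0412 user=CORP\alice ppid=7788 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
ts=2015-10-29T09:14:06Z host=WS-0412 user=CORP\alice ppid=7788 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic.exe shadowcopy delete"
ts=2015-10-29T09:14:07Z host=WS-0412 user=CORP\alice ppid=7788 image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"
ts=2015-10-29T09:14:08Z host=WS-0412 user=CORP\alice ppid=7788 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"
ts=2015-10-29T09:20:11Z host=WS-0412 user=CORP\bob ppid=612 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe list shadows"
ts=2015-10-29T09:31:40Z host=WS-0412 user=CORP\alice ppid=7788 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""

# key=value pairs; a value may be double-quoted (and then contain spaces).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Each rule is matched against the lower-cased, whitespace-normalised command line.
# These are the documented syntaxes of the Windows tools, not taken from the article.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage",          # shrinking storage forces old snapshots out
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",                 # removes the Windows Backup catalog
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
    ("wmi_win32_shadowcopy_delete",            # PowerShell/WMI route to the same result
     re.compile(r"\bwin32_shadowcopy\b.*\.delete\(")),
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, preferring the quoted capture when present."""
    return {key: (quoted or bare) for key, quoted, bare in _FIELD.findall(line)}


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first rule the command line matches, or None.

    Case and repeated whitespace are normalised first so trivial padding
    (e.g. 'VSSADMIN   delete   SHADOWS') does not evade the patterns.
    """
    norm = " ".join(cmdline.split()).lower()
    for name, pattern in RULES:
        if pattern.search(norm):
            return name
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return every event whose command line destroys snapshots or backup catalogs."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event.get("cmd", ""))
        if rule is not None:
            hits.append({**event, "rule": rule})
    return hits


def suspicious_parents(hits: List[Dict[str, str]],
                       min_rules: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group hits by (host, parent pid) and keep parents that triggered several
    distinct rules: the classic pre-encryption sequence run by one malicious process."""
    by_parent: Dict[Tuple[str, str], Set[str]] = {}
    for hit in hits:
        by_parent.setdefault((hit["host"], hit["ppid"]), set()).add(hit["rule"])
    return {key: sorted(rules) for key, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]} ppid={hit["ppid"]} {hit["rule"]}: {hit["cmd"]}')
    for (host, ppid), rules in suspicious_parents(found).items():
        print(f"ALERT {host} parent {ppid} ran {len(rules)} snapshot-destruction techniques: {rules}")
```

In the constructed sample, bob's `vssadmin list shadows` is read-only and is not flagged, while alice's parent process 7788 trips five different rules within seconds, which is the pattern worth paging on. In a real deployment the same logic would sit over Sysmon or EDR process telemetry; the parsing here is deliberately minimal so the rules themselves are easy to audit.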
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, said beyond education, creating regular backups is the key to mitigating ransomware risks.
"This particular type of malware has rallied the call for users to utilize offline or cloud backups," Kujawa said. "If a user was to employ encrypted, cloud-based storage to keep their personal information, or use something like a USB drive to backup their files once a day or a week, then the damage that Cryptowall and similar malware types could cause is very limited."