CryptoWall ransomware is minting millions in bitcoin for its developer
Who says crime never pays? CryptoWall is paying fantastic returns for its developers. According to a report by the Cyber Threat Alliance, the CryptoWall ransomware campaign has generated more than $325 million in ransom income for the malware developers.
The report was published earlier this week by the Cyber Threat Alliance, founded by Intel Security, Symantec, Palo Alto Networks and Fortinet. The report states that CryptoWall has so far accounted for $325m in ransom payments from victims, and that there were more than 400,000 attempts to infect computers with the third variant of CryptoWall (CW3), many of which appear to have focused on targets in North America.
The report states that the ransomware originates from a single entity, evidence of which is available in both the code as well as the web of bitcoin payments trackable on the public blockchain. The report notes that Armenia, Belarus, Iran, Kazakhstan, Russia, Serbia and Ukraine are blacklisted, meaning the malware won’t operate in those regions and suggesting possible points of origin.
The report’s authors add that an analysis of bitcoin transactions tied to known ransom campaigns points to the common use of bitcoin wallets across those campaigns, stating:
“As a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity.”
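The wallet-sharing argument quoted above can be sketched as a small clustering exercise. This is an added example, not code from the report or the Cyber Threat Alliance; the campaign IDs and wallet labels are constructed placeholders, and the campaign-to-wallet observations are assumed to come from earlier blockchain analysis.

```python
from collections import defaultdict

# Constructed sample data: (campaign_id, wallet) pairs an analyst might record
# after tracing ransom payments. None of these values come from the report.
OBSERVATIONS = [
    ("camp-A", "wallet-1"),
    ("camp-A", "wallet-2"),
    ("camp-B", "wallet-2"),
    ("camp-B", "wallet-3"),
    ("camp-C", "wallet-3"),
    ("camp-D", "wallet-9"),
]


def cluster_campaigns(observations):
    """Group campaigns linked, directly or transitively, by a shared wallet."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for campaign, wallet in observations:
        ra, rb = find(("campaign", campaign)), find(("wallet", wallet))
        if ra != rb:
            parent[rb] = ra  # merge the two connected components

    clusters = defaultdict(lambda: {"campaigns": set(), "wallets": set()})
    for kind, name in list(parent):
        clusters[find((kind, name))][kind + "s"].add(name)
    return sorted(clusters.values(), key=lambda c: sorted(c["campaigns"]))


def shared_wallets(observations):
    """Wallets seen under more than one campaign ID: the direct linking evidence."""
    seen = defaultdict(set)
    for campaign, wallet in observations:
        seen[wallet].add(campaign)
    return {w: sorted(c) for w, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    for c in cluster_campaigns(OBSERVATIONS):
        print(sorted(c["campaigns"]), "via", sorted(c["wallets"]))
    print(shared_wallets(OBSERVATIONS))
```

Campaigns that never share a wallet directly (here `camp-A` and `camp-C`) still fall into one cluster when an intermediate campaign links them, which is why shared primary wallets support a single-operator conclusion regardless of campaign ID.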
The report states that the ransomware makers are quite flexible in their bitcoin ransom demands. The ransoms, which according to the report range from the hundreds to thousands of dollars, are then washed through multiple addresses and known bitcoin services, though none are named directly in the report. Some of the funds are essentially reinvested in new exploit kits or rent payments for botnets.
Revenue-wise, the report’s authors note that, for its backers, CryptoWall “is extremely successful and continues to provide significant income”.
“One variant alone involved with the ‘crypt100’ campaign identifier resulted in over 15,000 victims across the globe,” the report states. “These 15,000 victims alone would account for, at minimum, roughly $5m in profit for the CW3 group.”