Victims of the CryptoWall ransomware have been extorted out of at least $1m.
Despite a takedown operation in June, CryptoWall continues to be the largest and most destructive ransomware threat on the internet, according to the latest analysis of the threat by security researchers from Dell SecureWorks Counter Threat Unit.
CryptoWall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key that recovers the documents.
Dell SecureWorks CTU researchers registered a domain used by the CryptoWall malware as a backup command and control (C2) server in February. This sinkhole gave them clear insights into the malware’s spread and behaviour that would not otherwise have been possible.
CTU said that CryptoWall is “the largest and most destructive ransomware threat on the Internet” at the moment and will likely continue to grow. CryptoWall has spread through various infection vectors since its inception, including classics like browser exploit kits, drive-by downloads and malicious email attachments. Since late March 2014, it has been primarily distributed through malicious attachments and download links sent through the Cutwail spam botnet—the same mechanism that was so successful in spreading GameOver Zeus until it was disrupted in June.
The threat has been spreading since at least November 2013, but until the first quarter of this year it remained mostly overshadowed by CryptoLocker, another ransomware program that infected over half a million systems from September 2013 through May.