CryptoWall attacks increase in sophistication and number

Jul 2, 2015 15:27 GMT

CryptoWall continues to dominate file-encrypting ransomware as new email campaigns are launched against users, some of them recording thousands of infections per day.

In a fresh drive-by download campaign spotted by researchers at Heimdal Security, the delivery mechanism for the crypto-malware involves the RIG exploit kit, dozens of compromised websites, and Google’s cloud storage service.

Both companies and individuals are targeted by CryptoWall

Morten Kjaersgaard, Heimdal’s CEO, says that the number and scale of attacks with file-encrypting ransomware have grown to an alarming rate in the past months.

CryptoWall, which officially caused losses of $18 / €16 million in about a year, is the worst of them and is distributed through multiple exploit kits, most notably Angler, Magnitude and RIG.

“Attacks are increasingly sophisticated and the periods between campaigns are shorter every time. To top that off, the number of infections in both companies and among individual users is increasing,” Kjaersgaard said.

In the current campaign, users running outdated versions of Flash Player, Java, Adobe Reader and Internet Explorer are likely to become victims, because RIG leverages exploits for vulnerabilities in these programs.

After the user lands on a compromised website, a series of redirections follow until the final payload, CryptoWall, is delivered.

Cybercriminals also deploy targeted attacks

In a blog post on Wednesday, the security company explains that over 80 active domains host RIG; the exploit kit delivers an exploit that redirects the browser to download a file stored on Google Drive.

The file is a malware dropper disguised as a PDF claiming to be a résumé. Launching it infects the system with CryptoWall, which the dropper fetches from a compromised website. The dropper executes the malware and the file encryption routine starts.
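As an added defensive illustration (not code from the article or from Heimdal Security), the script below flags a downloaded file whose declared type does not match its content, which is the kind of disguise the dropper described above relies on. The file names and byte strings are constructed samples; the magic-number values are the standard PDF and DOS/PE headers, and the double-extension check is an assumed heuristic rather than something the article states.

```python
"""Flag downloads whose claimed type (e.g. a .pdf "resume") disagrees with their bytes."""
import os

# Well-known file signatures: PDF files begin with "%PDF-", Windows executables with "MZ".
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"

# Type implied by the file extension (only the extensions this example cares about).
EXTENSION_TYPES = {
    ".pdf": "pdf",
    ".exe": "pe_executable",
    ".scr": "pe_executable",
}


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes of the file."""
    head = data[:8]
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(PE_MAGIC):
        return "pe_executable"
    return "unknown"


def declared_type(filename: str) -> str:
    """Return the content type a user would infer from the file name."""
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_TYPES.get(ext, "unknown")


def has_double_extension(filename: str) -> bool:
    """Assumed heuristic: 'resume.pdf.exe' looks like a PDF when the last extension is hidden."""
    stem, last = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1].lower()
    return last.lower() in (".exe", ".scr") and inner == ".pdf"


def classify_download(filename: str, data: bytes) -> dict:
    """Compare claimed and actual type and return a verdict for the file."""
    claimed = declared_type(filename)
    actual = sniff_type(data)
    double_ext = has_double_extension(filename)
    if actual == "pe_executable" and claimed != "pe_executable":
        verdict = "mismatch"        # executable content behind a non-executable name
    elif double_ext:
        verdict = "suspicious"      # honest header, misleading name
    elif claimed == actual and claimed != "unknown":
        verdict = "match"
    else:
        verdict = "unknown"
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "double_extension": double_ext,
        "verdict": verdict,
    }


# Constructed sample downloads (not real files): name -> first bytes of content.
SAMPLE_DOWNLOADS = {
    "quarterly_report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "resume.pdf": b"MZ\x90\x00\x03\x00\x00\x00",      # executable disguised as a PDF
    "resume.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # double extension
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",       # executable that says so
}


def scan_downloads(samples: dict) -> list:
    """Classify every sample and return the list of results."""
    return [classify_download(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"{result['filename']:22} claimed={result['claimed']:14} "
              f"actual={result['actual']:14} verdict={result['verdict']}")
```

A gateway or endpoint agent would run the same comparison on the real file rather than on constructed bytes; the point is that the extension a user sees is never trusted as the file's type.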

The next thing the victim sees when the file lockdown completes is the ransom message for retrieving the data.

Heimdal Security could not provide information about the number of users affected or the countries they were from, but said that as many as 10,000 infections per day were seen.

However, once all the information on the attacks is collected, the number is expected to be much higher, the researchers said. The attacks observed by the company are both “spray and pray” and targeted.