670 people paid ransoms to 140 different Bitcoin wallets

Feb 11, 2016 15:30 GMT  ·  By

By analyzing Bitcoin transactions associated with three CryptoWall ransomware samples for a period of three months, Imperva security analysts estimate that one of the groups behind a particular campaign made well over $330,000 from their criminal activity.

Imperva's analysis included only three CryptoWall 3.0 ransomware samples, which the company found in spam email delivered to its clients. These emails carried ZIP archives which, when decompressed, contained malicious PDF or HTML files laced with CryptoWall.

Once executed, these files would encrypt the user's data and ask the user to send a ransom payment to one of four Bitcoin addresses.

Mapping out the ransomware campaign via Bitcoin transactions

Because CryptoWall 3.0 generates a different, custom ransom note for each victim based on the computer's host name, the researchers tricked the ransomware samples into revealing all of their associated Bitcoin addresses by repeatedly changing the infected computer's hostname.

This allowed Imperva to build a map of the Bitcoin addresses to which victims were sending ransoms, information the analysts then used to estimate how much money the group had received from its operation.

All of the group's Bitcoin wallets were cluttered with other transactions as the criminals moved money around. Because the ransomware demanded between $500 and $700 from each victim, the researchers could tell which of the incoming Bitcoin transactions were actual ransom payments: those worth between 2.83 and 3.11 Bitcoin.

670 victims paid ransoms for a total of $337,607

Using this method to analyze transactions associated with 140 Bitcoin wallets, researchers discovered that 670 victims paid CryptoWall's ransom, for a total worth of 1,217 Bitcoin ($337,607).

This sum only covered transactions made in the months of May, June, and July 2015, and if we extrapolate this figure to the whole year, the group would have made around $1.3 million just from ransoms.
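The amount-window heuristic described above, applied to a constructed set of transactions, as an added example that is not part of the article or of Imperva's report. The wallet addresses, transaction ids, amounts and dates are all made up, and the BTC/USD rate is an assumption chosen to sit near the rate implied by the article's own figures ($337,607 for 1,217 BTC, roughly $277 per coin). The example filters incoming transactions to known ransom addresses by the 2.83-3.11 BTC window and the observation period, totals them per wallet, and extrapolates the three-month figure to a year the way the article does.

```python
"""Identify ransom-sized payments to known ransom wallets and aggregate them.

Follows the heuristic described in the article: a transaction is counted as a
ransom payment only if it goes to one of the campaign's wallets, falls inside
the ransom amount window, and lands within the observation period.
All data below is constructed sample data, not real blockchain records.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Ransom window in BTC reported by the researchers (between 2.83 and 3.11 BTC).
RANSOM_MIN_BTC = 2.83
RANSOM_MAX_BTC = 3.11

# Assumed conversion rate, close to the article's implied $337,607 / 1,217 BTC.
ASSUMED_BTC_USD = 277.0


@dataclass(frozen=True)
class Tx:
    txid: str          # constructed identifier, not a real transaction hash
    to_addr: str       # receiving address
    amount_btc: float  # amount received
    when: date         # block date


# Placeholder wallet addresses standing in for the campaign's ransom addresses.
WALLET_A = "1RansomWalletA-placeholder"
WALLET_B = "1RansomWalletB-placeholder"
RANSOM_WALLETS = {WALLET_A, WALLET_B}

# Constructed sample: genuine ransom-sized payments mixed with noise such as
# operator fund movements, dust, an unrelated wallet and an out-of-period hit.
SAMPLE_TXS = [
    Tx("tx01", WALLET_A, 2.95, date(2015, 5, 3)),    # counted
    Tx("tx02", WALLET_A, 3.11, date(2015, 5, 20)),   # counted (upper bound)
    Tx("tx03", WALLET_B, 2.83, date(2015, 6, 8)),    # counted (lower bound)
    Tx("tx04", WALLET_B, 3.50, date(2015, 6, 9)),    # ignored: above window
    Tx("tx05", WALLET_A, 0.01, date(2015, 6, 15)),   # ignored: dust
    Tx("tx06", WALLET_B, 3.00, date(2015, 8, 2)),    # ignored: outside period
    Tx("tx07", "1UnrelatedWallet-placeholder", 3.00, date(2015, 7, 1)),  # ignored
    Tx("tx08", WALLET_B, 3.02, date(2015, 7, 30)),   # counted
]


def is_ransom_payment(tx, wallets, lo=RANSOM_MIN_BTC, hi=RANSOM_MAX_BTC):
    """True if tx pays a known ransom wallet an amount inside the ransom window."""
    return tx.to_addr in wallets and lo <= tx.amount_btc <= hi


def summarize(txs, wallets, btc_usd, start, end):
    """Aggregate ransom payments to `wallets` made between start and end (inclusive).

    Returns a dict with the payment count, total BTC, total USD at the given
    rate, and a per-wallet payment count.
    """
    hits = [tx for tx in txs
            if start <= tx.when <= end and is_ransom_payment(tx, wallets)]
    total_btc = round(sum(tx.amount_btc for tx in hits), 8)
    return {
        "payments": len(hits),
        "total_btc": total_btc,
        "total_usd": round(total_btc * btc_usd, 2),
        "per_wallet": dict(Counter(tx.to_addr for tx in hits)),
    }


def extrapolate_annual(total_usd, months_observed):
    """Scale an observed total over `months_observed` months to a 12-month figure."""
    return round(total_usd * 12 / months_observed, 2)


if __name__ == "__main__":
    report = summarize(SAMPLE_TXS, RANSOM_WALLETS, ASSUMED_BTC_USD,
                       date(2015, 5, 1), date(2015, 7, 31))
    print(report)
    print("annualized USD:", extrapolate_annual(report["total_usd"], 3))
    # The article's own three-month figure scaled to a year:
    print("article annualized:", extrapolate_annual(337607, 3))
```

The window filter is deliberately strict on both the amount and the date so that operator-side fund shuffling (such as the 3.50 BTC consolidation in the sample) and payments outside the observation period are not mistaken for victims; in practice an analyst would also deduplicate by payer to avoid counting a split payment twice.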

The actual total is probably higher, especially since the FBI gave ransomware operators a boost when it publicly acknowledged that it had been advising companies and individuals to pay the ransom in cases of severe crypto-ransomware infection.

For full details on Imperva's analysis, you can check out the company's "The Secret Behind CryptoWall's Success" report.

Ransomware operators are $0.33 million every 3 months
