Cryptowall ransomware: the FBI advises to pay

At the end of October, a group of experts from major cybersecurity companies issued a highly detailed description of the economics of Cryptowall ransomware.

This threat, which has spread widely since June 2014, is thought to have cost hundreds of thousands of victims 325 million dollars. On October 22, a senior FBI employee said the following on the subject of Cryptowall: “To be honest, we often advise people simply to pay the ransom”.

Cryptowall is one of the most widespread ransomwares, along with TorrentLocker, TeslaCrypt and CTB-Locker. This malware is distributed through phishing e-mails (about two-thirds of infections) and via infected websites (approximately one third of infections) :

  • When the virus is distributed via e-mail attachments, this is generally an executable Windows .scr file, compressed to a .zip file to reduce the probability of being detected by an antivirus function. Since May 2015, the hackers seem to have progressively abandoned infection by phishing.
  • In the case of the infected websites, Cryptowall is mainly propagated by means of the Angler exploit kit. This tool is made highly effective by the technical level and adaptability of its designers. Its strengths include the ability to deliver its payload to the RAM of a computer rather than a hard disk (infection without delivering a file), and the extremely reactive exploitation of zero-day vulnerabilities in the usual browser plugins (Java, Flash or Silverlight).
  • The malware is configured not to deploy itself in Belorussia, Ukraine, Russia, Kazakhstan, Armenia, Serbia or Iran. Researchers say that “this indicates that the hackers are operating from Eastern Europe”.
  • Cryptowall is able to encrypt a maximum number of files on the computer, leaving untouched those which allow the display of instruction messages to the victim.
  • The files are asymmetrically encrypted (RSA). Without the private key, that victims can only obtain by paying the ransom, the files remain irretrievably encrypted. The ransom ranges from a few hundred to a thousand euros, depending on the number of days which the victim takes to pay.
  • Cryptowall affects businesses as much as private individuals. Version 3 of the malware, which has been in circulation since January 2015, is able to encrypt the disks accessible from the network of the infected computer. This, of course, increases the risks for businesses.

Although there is nothing new in the recommendations from researchers, they are worth passing on. It is clearly necessary to systematically update all the software products targeted by Cryptowall (browsers, plugins and Windows), as well as all the security features installed. Blockers for Java, Flash and Silverlight plugins are an option to consider, while raising user awareness of booby-trapped e-mails is an effective way of slowing down the propagation of viruses.