FBI Alert: CryptoWall Ransomware Damage $18 Million


The most-used vector is a phishing email with a zipped attachment that claims to be a resume.

The latest version, CryptoWall 3.0, successor to the infamous CryptoLocker, is the most advanced and most damaging ransomware in the wild at the moment, specifically targeting US businesses and individuals. We have been sounding the alarm about CryptoWall in CyberheistNews since last year, and its magnitude is now confirmed by law enforcement.

The FBI, through its Internet Crime Complaint Center (IC3), released an alert on June 23, 2015 stating that between April 2014 and June 2015 the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. And that is only the reported part; the estimate is that actual infections run at least two or three times higher. Even the reported figure alone works out to roughly $15 million a year, and if real infections are two or three times the reported number, the gang is pulling in several times that, which is staggering.

Some quick math ($18 million across 992 complaints) gives about $18,145 in costs per victim, covering network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers. As you can see, the total cost of a ransomware infection goes well above the ransom itself, which is usually around $500 but can go up to $10,000.

The four infection vectors, sorted by frequency:

  •     Phishing email with an infected attachment
  •     Phishing email with a malicious URL
  •     User clicks on a malicious ad
  •     User visits a compromised website

By far the most-used vector at the moment is a phishing email with a zipped attachment that claims to be a woman's resume. Unzip it and open it, and a page opens with a link to a second zipped file, which contains the payload. Because the attachment itself carries no executable code, it gets past attachment-scanning antivirus engines; the attack relies entirely on social engineering your end user into fetching and running the second file.
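As an added example (not code from the original article, the FBI/IC3 alert or any vendor), here is a small Python triage routine for exactly this lure shape: it opens a ZIP attachment without executing anything and flags executable or script members, nested archives, HTML pages that link out to a remote archive or executable, and PDF-named members that lack a PDF header. The ZIP samples, the example.invalid URL and the extension lists are constructed for this illustration and are not real CryptoWall artifacts.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# File types that have no business inside a "resume" attachment.
# (Assumed lists for this example; tune them to your environment.)
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".chm", ".lnk"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".cab", ".gz"}
PAGE_EXTS = {".htm", ".html"}


class _LinkCollector(HTMLParser):
    """Collects <a href>, <iframe src> and meta-refresh targets from an HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "iframe" and attrs.get("src"):
            self.links.append(attrs["src"])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
            if m:
                self.links.append(m.group(1))


def _ext(name: str) -> str:
    """Lower-cased extension of a file name or URL path, '' if none."""
    base = name.lower().rsplit("/", 1)[-1].split("?", 1)[0]
    return base[base.rfind("."):] if "." in base else ""


def triage_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment statically and return the indicators found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, ext = info.filename, _ext(info.filename)
            if ext in EXECUTABLE_EXTS:          # also catches resume.pdf.scr
                findings.append(f"executable or script member: {name}")
            elif ext in ARCHIVE_EXTS:
                findings.append(f"nested archive: {name}")
            elif ext in PAGE_EXTS:
                parser = _LinkCollector()
                parser.feed(zf.read(name).decode("utf-8", "replace"))
                for href in parser.links:
                    if "://" in href or _ext(href) in ARCHIVE_EXTS | EXECUTABLE_EXTS:
                        findings.append(f"page {name} links out to {href}")
            elif ext == ".pdf" and not zf.read(name).startswith(b"%PDF"):
                findings.append(f"member {name} claims to be PDF but lacks %PDF header")
    return {"suspicious": bool(findings), "findings": findings}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {filename: bytes}; used here to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: the lure shape described above (an HTML page that links
# to a second archive) and a benign resume for comparison. example.invalid is a
# reserved name that never resolves.
LURE_ZIP = build_zip({
    "resume.html": (b"<html><body><p>Please find my resume attached.</p>"
                    b'<a href="http://example.invalid/dl/resume.zip">Download resume</a>'
                    b"</body></html>"),
})
BENIGN_ZIP = build_zip({"resume.pdf": b"%PDF-1.4\n% constructed placeholder, not a real PDF\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_zip_attachment(blob))
```

Run it against quarantined attachments at the mail gateway before release. The point is the lure case: an archive whose only content is an HTML page with an external link carries nothing for a signature scanner to match, so the check has to look at what the page points to rather than at the bytes it contains.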

A few months ago they used poisoned help-file (.chm) attachments, and they continue to innovate fast to stay ahead of the spam filters. Defending a workstation against another workstation that has been compromised has a relatively good chance of success; defending a workstation whose own user has just browsed to a malicious server is much harder. This gang also uses malicious URLs which, when clicked, send the user to a compromised website hosting an exploit kit. These exploit kits probe the browser and its plugins for known, unpatched vulnerabilities and can own the workstation in well under a second, with no further user interaction.

Vectors 2, 3 and 4 ultimately work the same way: drive the user to that compromised website and infect the workstation and/or network from there, whether through a URL that drops the user onto the site, an ad that redirects there, or a site the user visits regularly that the gang has compromised. It's a nasty business, and it's growing. You are dealing with a criminal hybrid of very high quality coding, used for sophisticated digital hijacking, and supported by commercial-grade "customer service" that makes sure they can generate cash from their malware. Ironically, these gangs are concerned with their reputation in the market: if word gets out that they do not decrypt after payment, their revenue stream dries up because of bad word of mouth.

What To Do About It

IBM recently warned about spear phishing attacks using the Dyre Trojan for cyber heists of more than $1 million at a time, and suggested policies and procedures to block them. Obviously, recent backups kept where the malware cannot reach them, excellent patching discipline and good filters at the network edge are a given. Their recommendations are on the mark:

Organisations will remain only as strong as their weakest link. Proactive end-user education and security awareness training continue to be critical in helping prevent incidents like the one described in this advisory.

  •     Train employees on security best practices and how to report suspicious activity.
  •     Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
  •     Offer security training to employees to help them understand threats and measures they can take to protect the organization.
  •     Provide regular reminders to employees about phishing and spam campaigns and that they shouldn't open suspicious attachments or links in either work or personal email.
  •     Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information.

New-school security awareness training, which combines web-based on-demand training by a social engineering expert with frequent simulated phishing attacks, is a must these days to protect your organisation against these kinds of attacks.
