UPDATED 22:49 EST / NOVEMBER 01 2015

Cyber Threat Alliance report finds Cryptowall 3.0 ransomware has raked in $325m

A new report has found that Cryptowall 3.0 ransomware operators have raked in around $325 million in ransom income for the malware developers since version 3.0 was first detected in the wild in January this year.

The report comes from the Cyber Threat Alliance, a group made up of several companies including Symantec, Fortinet, McAfee (Intel Security), Palo Alto Networks, Zscaler, Telefonica, Barracuda, and ReversingLabs. It found that CryptoWall operators have launched 49 different campaigns in the past year, attempting to infect 406,887 users, the majority of them in North America.

Disturbingly, the research found that there are now a staggering 4,046 different CryptoWall variants which work on infrastructure that includes 839 command and control (C&C) servers spread over five second-tier IP addresses.

The primary attack vector for Cryptowall V3 is phishing campaigns, which account for 67.3 percent of all infections, whereas exploit kits are used in 30.7 percent of the attempts.

Phishing emails nearly always delivered the payload as a zipped document to help it avoid detection by virus scanners and other security measures.

The exploit kits, which primarily use the Angler platform, perform several evasive actions to avoid detection. These include the use of two levels of redirectors before reaching the landing page; compromised web servers that can be visited only once from a given IP address; detection of virtual machines and security products on the system; code that makes garbage and junk calls to make it difficult to reverse engineer; payloads that are encrypted at download time and decrypted on the compromised machine; file-less infection deployed directly in memory; and some evidence that the code blacklists IP addresses belonging to security companies and researchers so as to reduce the chance of variants being detected.
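One of the evasion tactics listed above, the chain of redirectors in front of the landing page, leaves a visible trace in outbound web proxy logs: a client that follows several HTTP 3xx responses across distinct hosts within a few seconds before finally receiving a 200. The following script is an added example written for this article, not code from the report or from any of the alliance members; the log lines, hostnames and IP addresses in it are constructed for illustration, and the thresholds (a five-second gap between hops, at least two redirector hosts beyond the originating site) are assumptions a defender would tune to their own environment.

```python
"""Flag multi-hop redirect chains in web proxy logs.

Added example: the log lines, hosts and addresses below are constructed
for illustration and are not indicators taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2015-11-01T10:00:01Z 10.0.0.5 GET http://news.example-site.test/article 200
2015-11-01T10:00:02Z 10.0.0.5 GET http://news.example-site.test/ad.js 302
2015-11-01T10:00:02Z 10.0.0.5 GET http://redir-one.example.test/go 302
2015-11-01T10:00:03Z 10.0.0.5 GET http://redir-two.example.test/x 302
2015-11-01T10:00:03Z 10.0.0.5 GET http://landing.example.test/index.php 200
2015-11-01T10:05:00Z 10.0.0.7 GET http://shop.example-site.test/cart 302
2015-11-01T10:05:00Z 10.0.0.7 GET http://shop.example-site.test/checkout 200
"""

MAX_GAP = timedelta(seconds=5)  # assumed: hops in one chain follow each other quickly
MIN_REDIRECTORS = 2             # assumed: two redirector hosts beyond the origin site


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, host, status)."""
    ts, ip, _method, url, status = line.split()
    host = url.split("/")[2]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, host, int(status)


def find_redirect_chains(log_text, min_redirectors=MIN_REDIRECTORS, max_gap=MAX_GAP):
    """Return [(client_ip, [origin, redirector..., landing_host]), ...].

    A chain is a run of 3xx responses, each within max_gap of the previous one,
    ending in a non-3xx response. It is flagged when the run passed through at
    least min_redirectors distinct hosts other than the host it started on.
    """
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, host, status = parse_line(line)
        by_client[ip].append((ts, host, status))

    chains = []
    for ip, events in by_client.items():
        # Stable sort by timestamp keeps log order for same-second entries.
        events.sort(key=lambda e: e[0])
        hops = []  # (timestamp, host) of the 3xx responses seen so far
        for ts, host, status in events:
            if hops and ts - hops[-1][0] > max_gap:
                hops = []  # too slow to be one automatic redirect chain
            if 300 <= status < 400:
                hops.append((ts, host))
                continue
            if hops:
                hosts = []
                for _, h in hops:
                    if h not in hosts:
                        hosts.append(h)
                # hosts[0] is the site the client started on; the rest are redirectors.
                if len(hosts) - 1 >= min_redirectors:
                    chains.append((ip, hosts + [host]))
            hops = []
    return chains


if __name__ == "__main__":
    for ip, path in find_redirect_chains(SAMPLE_LOG):
        print(f"{ip}: {' -> '.join(path)}")
```

Run against the constructed sample, the first client is flagged (origin site, two redirectors, landing page) while the second, whose single same-host redirect is ordinary site behaviour, is not. The landing-page host in a real alert is the value to pivot on for further triage; the originating host is often a legitimate, compromised site rather than attacker infrastructure.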

Bitcoin

The Cryptowall 3.0 ransomware nearly always demands Bitcoin for the ransom payment, which allowed the researchers to track on the blockchain where the payments went.

Of interest, the ransomware was found to originate from a single entity, and Armenia, Belarus, Iran, Kazakhstan, Russia, Serbia and Ukraine are blacklisted, meaning the malware doesn’t operate in those countries, potentially indicating a point of origin for the bad actors.

The Cyber Threat Alliance said that while it considers the report results important, emphasis must be given to companies banding together to “fight a common foe.”

“[We] believe that research of this nature and scale is most successfully accomplished by targeted sharing and collaborative analytics of threat intelligence data from various sources and locations, both geographically and within the network security stack,” the report noted. “No one company can see everything, but together we can ensure we cast as wide a net as possible and put together a more complete picture of the activity we are pursuing,” the group wrote.

A full copy of the research and findings can be downloaded here (pdf).

Image credit: 132889348@N07/Flickr/CC by 2.0
