The Internet Crime Complaint Center (IC3) – a partnership between the
Federal Bureau of Investigation (FBI) and the National White Collar
Crime Center (NW3C) – reports that 992 U.S. victims of the Cryptowall
ransomware campaign have incurred losses in excess of $18 million
between April of 2014 and June of 2015.
“Recent IC3 reporting identifies CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses. CryptoWall and its variants have been used actively to target U.S. victims since April 2014,” the IC3 advisory states.
“The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.”
Earlier this month, the SANS Internet Storm Center warned of a dramatic surge in Cryptowall 3.0 infections over several weeks as a result of an aggressive campaign leveraging the Angler exploit kit and malicious spam emails.
“A malspam campaign pushing CryptoWall 3.0 started as early as Monday 2015-05-25, but it has increased significantly since Monday 2015-06-08. The CryptoWall 3.0 push from Angler EK appears to have started around the same time. Both campaigns (malspam and Angler EK) were active as recently as Wednesday 2015-06-10,” wrote Brad Duncan.
“The timing of these campaigns indicates they might be related and possibly initiated by the same actor.”
Duncan said the bitcoin address for ransom payment by this malware sample is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in a previous sample from 2015-06-04, and they saw the same address used again on 2015-06-09.
IC3 says that the majority of attackers involved in ransomware schemes demand payment in bitcoin because it’s easy to use, publicly available, decentralized, and provides an additional level of anonymity.
The SANS team also detected the Angler exploit kit pushing CryptoWall 3.0 on 2015-05-26, the first time they had seen version 3.0 of CryptoWall used by Angler.
“In each case I’ve documented, the bitcoin address for the ransom payment was 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB. Angler EK is still being used by other groups to send different malware payloads. However, the appearance of CryptoWall 3.0 in Angler since 2015-06-26 using the same bitcoin address indicates this is a separate campaign by a specific actor,” Duncan said.
“The timing of these two campaigns, along with their consistent use of the same bitcoin addresses for the ransom payment, suggest they are related. They may have been initiated by the same actor. This is a significant trend in our current threat landscape. We will continue to monitor this activity and report any significant changes in the situation.”
IC3 recommends Internet users use caution when opening email attachments, clicking on advertisements, and navigating to unverified websites. In addition, users should have an updated antivirus and firewall installed, enable popup blockers, and always back up their system.
I have personal experience with a CryptoWall attack once and somehow fought back and got 95% of the data.