Bitcoin continues to attract cybercriminals

Despite the isolation of a prevalent ransomware trojan called CryptoLocker, in June last year, data released by the FBI’s Internet Crime Complaint Center (IC3) describes how CryptoWall has taken its place, and is continuing to spread and infect devices around the globe. “CryptoWall and its variants have been used actively to target U.S. victims since April 2014,” stated the FBI. “Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.”

The Cyber Threat Alliance (CTA) recently released a report which provides some insights into the attacks, which have amounted to over US$325m in revenue for the malicious actors behind it. The research also includes recommendations for prevention, while outlining the scope of the problem. 406,887 attempted CryptoWall infections were identified along with 4,046 malware samples. 839 command and control URLs were also found, for servers used by cybercriminals to send commands and receive data.

"As a founding CTA member, we are committed to the idea that this new way of working together – of combining intelligence on a common adversary and sharing cyberthreat information as a public good – is to the benefit of all organizations in the battle against cybercrime."
— – Rick Howard, Palo Alto Networks Chief Security Officer

Vincent Weafer, a Senior Vice President for CTA Founding Member McAfee Labs, explained that this research demonstrates an ability to leverage the group’s collective threat expertise and intelligence. The outcome is more than just providing enhanced protection for customers, the experience will help the CTA collaborate more effectively with law enforcement, in order to disrupt criminal ecosystems, “and ultimately help bring more cybercriminals to justice."

Joe Chen, a Vice President of engineering for Founding Member Symantec advises that the first major target is ransomware threats like CryptoWall, which he says “are growing at an alarming rate and holding critical business and consumer data hostage.”

“By harnessing the power of the industry and sharing data from our vast threat intelligence networks to fight campaigns of this scale, we can make a larger impact on the threat landscape than if we pursue them individually."
— – Joe Chen, Symantec VP of Engineering

Ransomware is proving to be very lucrative for bad actors. The problem begins simply and effectively, when a victim clicks on an infected advertisement, e-mail, or attachment, or visits an infected website, their device becomes infected with the ransomware. The user’s files then become encrypted. Once the ransom fee is paid, claim the criminals, he or she regains access.

“Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.”
— – FBI

According to the FBI, the ransoms range between $200 and $10,000, but this is merely the tip of the iceberg. “Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers,” said the report.

Derek Manky, a Global Security Strategist CTA Founding Member Fortinet, believes that the explosion of connected devices on the internet, and our reliance on digital platforms, has created fertile grounds for cyber criminals , “Managing this risk is a shared responsibility. We need to step forward, and not wait for the adversary to make the move first,” he said

“This research demonstrates the power of the CTA partnership; when we grow our collective intelligence across all sectors, we can better combat advanced threats, deploy security controls to counteract the latest moves and deliver greater security for our customers and all organizations."
— – Derek Manky, Fortinet Global Security Strategist

Until a solution is found, the CTA report has some basic recommendations to aid users and organizations avoid falling prey to malware such as CryptoWall v3. Ensure all systems that are in use, including applications and firmware, are updated with the latest version of the software. Web browsers should also be updated, but settings should not allow plugins such as Silverlight and Flash to run automatically.

“Understand typical phishing techniques and how to thwart them, such as by not opening email from unknown email addresses or attachments of certain file types.”
— – CTA

While avoiding the ransomware altogether is the ideal solution, it’s still making vast amounts of money for criminals, and is affecting a range of different users. At the Cyber Security Summit last week, Joseph Bonavolonta, an FBI Assistant Special Agent, explained “To be honest, we often advise people just to pay the ransom.”

“The FBI doesn’t make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it’s up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.”
— – FBI

In a study released by Threat Hack in March, 30% of organizations surveyed said they would negotiate for the recovery of infected or stolen data. The findings from a second Survey on Cyber Security in the UK found that 40% of CryptoLocker victims agreed to pay a ransom of around £300 to recover files.

Stuart Itkin, senior vice president of ThreatTrack believes that these occurrences may be more common than the official figures report,  “because companies are less likely to report these incidents — not to the public, and not to law enforcement.”