The Dell SecureWorks CTU research team has taken a deep dive into CryptoLocker, noting that the $300,000 figure could be a very conservative estimate of what the CryptoLocker gang has collected. It has infected between 200,000 and 250,000 systems worldwide, and has collected about 1,216 total Bitcoins in payment. Using the daily weighted BTC price, if the threat actors had sold the Bitcoins immediately upon receiving them, they would have earned nearly $380,000. If they elected to hold the ransoms, they would be worth nearly $980,000, based on the current weighted price of $804 per BTC.
Keith Jarvis, a researcher with the Dell SecureWorks Counter Threat Unit, said that the ransom amount varied in very early samples, but settled in at $300 or 2 BTC within the few weeks after CryptoLocker's introduction.
But the criminals seem eager not to price themselves out of the market. CTU researchers estimate that a minimum of 0.4%, and very likely many times that, of CryptoLocker victims are electing to pay the ransom so far. “Dramatic Bitcoin price inflation in the latter months of 2013 prompted the threat actors to reduce the ransom to 1 BTC, 0.5 BTC, and then again to 0.3 BTC, where it remains as of this publication,” Jarvis said.
The threat actors have offered various payment methods to victims since the inception of CryptoLocker, and early versions of CryptoLocker included numerous payment options popular in various parts of the world, suggesting a global infection strategy. Now, though, the threat actors accept only MoneyPak and Bitcoin, and have apparently narrowed their interest to English-speaking countries.
“The Bitcoin option was originally marketed as the ‘most cheap option’ [sic] for ransom payment based on the difference between the $300 USD ransom and the market rate of Bitcoins,” Jarvis said.
While conventional wisdom and law enforcement (outside of one town in Massachusetts) say never to pay ransoms, especially since you never know whether you will actually regain access to your files, anecdotal reports from victims who elected to pay the ransom indicate that the CryptoLocker perps honor payments by instructing infected computers to decrypt files and uninstall the malware, according to CTU.
“Victims who submit payments are presented with the payment activation screen until the threat actors validate the payment,” said Jarvis. “During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process.”
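As an added illustration of how that fifteen-minute polling would look to a defender (example code written for this page, not CTU's tooling): a small beacon detector that parses constructed proxy log lines (the "timestamp client destination" layout and the hostnames are assumptions) and flags client/destination pairs whose request gaps are nearly constant.

```python
"""Beacon-interval detection over proxy logs (added example, not CTU's tooling).

During payment validation CryptoLocker polls its C2 every fifteen minutes.
Fixed-interval polling shows up in egress logs as a client/destination pair
with nearly identical gaps between requests. The log lines below are
constructed for illustration; the field layout is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2013-12-18T09:00:04 10.0.0.5 payment-check.example
2013-12-18T09:01:12 10.0.0.5 www.example.org
2013-12-18T09:15:05 10.0.0.5 payment-check.example
2013-12-18T09:22:40 10.0.0.5 www.example.org
2013-12-18T09:30:03 10.0.0.5 payment-check.example
2013-12-18T09:45:06 10.0.0.5 payment-check.example
2013-12-18T09:58:51 10.0.0.5 www.example.org
2013-12-18T10:00:04 10.0.0.5 payment-check.example
2013-12-18T10:15:05 10.0.0.5 payment-check.example
"""

def parse_log(text):
    """Yield (client, destination, timestamp) from each constructed log line."""
    for line in text.splitlines():
        ts, client, dest = line.split()
        yield client, dest, datetime.fromisoformat(ts)

def find_beacons(text, min_hits=4, max_cv=0.05):
    """Return {(client, dest): period_seconds} for pairs whose request gaps are
    nearly constant: at least min_hits requests and a coefficient of variation
    (stdev / mean of the gaps) at or below max_cv."""
    seen = defaultdict(list)
    for client, dest, ts in parse_log(text):
        seen[(client, dest)].append(ts)
    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg)
    return beacons

if __name__ == "__main__":
    for (client, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: ~{period}s period")
```

Ordinary browsing to www.example.org is left alone because its gaps are irregular and too few, while the ~900-second cadence to the polling host is reported.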
Also, in early November, the threat actors took some of the teeth out of the malware with the introduction of the CryptoLocker Decryption Service, which gives victims who failed to pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system anyway.
CryptoLocker is continuing to be distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. Gameover Zeus in turn has so far been distributed by the Cutwail spam botnet, using lures consistent with previous phishing and malware distribution campaigns.
As an interesting aside, CryptoLocker has opted to go off-the-shelf for its encryption. “Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI,” Jarvis noted. “By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent. The malware uses the Microsoft Enhanced RSA and AES Cryptographic Provider to create keys and to encrypt data with the RSA algorithms.”
Overall, the bug remains very dangerous – and highly effective, Jarvis noted.
“The malware authors appear to have made sound design decisions that complicate efforts to mitigate this threat and have demonstrated a capable distribution system based on the Cutwail and Gameover Zeus botnets,” Jarvis said. “Evidence collected by CTU researchers confirms the threat actors have previous experience in malware development and distribution, especially of ransomware. Based on the duration and scale of attacks, they also appear to have the established and substantial real world infrastructure necessary to cash out ransoms and launder the proceeds.”