Is ransom malware business on the wane at last? New figures from Dell SecureWorks suggest that the current market leader, CryptoWall, hasn’t been as profitable as the infamous CryptoLocker despite infecting more PCs and holding hostage a staggering 5.25 billion files.
In December 2013 it was Dell SecureWorks that provided some of the most widely-quoted figures on the success of CryptoWall's infamous CryptoLocker, which had gone on a bit of a shock and awe rampage after first appearing in September of that year.
By then it had infected at least 250,000 systems in its first 100 days out of an eventual total somewhere north of half a million at the point its distribution network was finally blitzed by Operation Tovar in May. Exactly how many victims eventually paid up is unknown but Dell’s original estimate was around 0.4 percent, which probably waned a little as defenders adjusted to the threat.
The firm now believes that CryptoLocker probably made around $3 million in ransoms, roughly three times the sums made by CryptoWall, which is estimates at $1.1 million - that is despite CryptoWall infecting at least 625,000 systems since its debut in March 2014 and 24 August.
"CryptoWall’s higher average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain bitcoins has likely contributed to this malware family’s more modest success,” said Dell SecureWorks’ researcher Keith Jarvis, reaching for an explanation.
“Additionally, it is likely the CryptoWall operators do not have a sophisticated ‘cash out’ and laundering operation like the Gameover Zeus crew [which distributed CryptoLocker] and cannot process pre-paid cards in such high volumes.”
Nevertheless, CryptoWall had still managed to encrypt a staggering 5.25 billion files, the firm said.
This will have been misery for the 1,683 victims Dell SecureWorks detected, most of which paid around the $500 mark in the folorn hope of receiving an unlock key. The ransoms also increased for some victims – 399 paid $1,000 with a single one coughing up an astonishing $10,000.
It'a also not clear whether Dell SecureWorks has found every payment server - a few weeks back, security firm PhishMe traced Bitcoin wallets containing more that $700,000-worth of currency.
It’s worth remembering that although less successful than CryptLocker, since appearing in CryptoWall (also known as CryptoDefense) has managed to infect PCs in every country on earth.
The distribution has not been even, however. Of the infections detected by Dell SecureWorks, the US represented 40.6 percent (253,521), Vietnam 10.7 percent (66,590), the UK 40,258 (6.4 percent), Canada 5.2 percent (32,579), India with 5.2 percent (22,582), and Australia 3.1 percent (19,562).
The conclusion of all this is that ransom malware is probably a business that is slowly eating itself. It still infects plenty of systems but fewer victims are paying up. This is probably a combination of victims not believing that payment will make any difference (decryption keys are often not sent anyway), people defending themselves with backups and the difficulty some have in knowing how to acquire Bitcoins.
But before digesting that apparently good news, it’s worth also considering the incredible effort that was required to disrupt CryptoWall’s iconic predecessor, CryptoLocker. That took numerous agencies and security firms and months of work by which time its victims were at least $3 million lighter.
In the UK, Dell SecureWorks’ number reveal that CryptoWall has infected at least 40,000 systems, the majority of whose owners won’t have reported this to UK police. This repeats the dismal pattern of CryptoLocker, a threat that was ignored for the longest time. In this game of cops and robbers the cops aren’t just behind the robbers’ getaway car but miles away in bed.