Russian Ransomware Harasses US Business World Warns KnowBe4

The [CTA] report paints a picture of a professionally-run operation with unbreakable encryption which means most businesses infected will be faced with a decision on whether or not to pay the ransom - Stu Sjouwerman, CEO KnowBe4

A staggering damage toll of 325 million dollars has been tied to a single criminal Eastern European cyber mafia according to a new report from the Cyber Threat Alliance. By “following the money” researchers were able to map complex Bitcoin wallet obfuscations that included publicly displayed wallet addresses and a multitude of intermediary wallets, noting that most of them led back to one main Bitcoin account. The logic led researchers to conclude that one single group was behind all the campaigns. Past transactions and the amount of Bitcoin in the central and lower tier wallets show that the group has made around $325 million / €295 million.

CEO Stu Sjouwerman stated,

“The report paints a picture of a professionally-run operation with unbreakable encryption which means most businesses infected will be faced with a decision on whether or not to pay the ransom, normally around 500 dollars. Even an FBI agent last week was quoted that if you had no backup, it was best to pay the ransom to get your files back.”

Ransomware is big business. According to the report, the CTA concluded:

"When looking at the number of victims providing payment for the Cryptowall 3.0 ransomware, it becomes clear that this business model is extremely successful and continues to provide significant income for this group."

The Cryptowall 3.0 code itself leaves a very clear clue. If it detects that it is running on any PC in either Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia, it will uninstall itself. It is well known in security circles that it is not illegal in several Eastern European countries to create or distribute ransomware and other forms of malware outside its territory, implying Russian cybercriminals have full leeway to go outside those areas.

SophosLabs threat researcher Anand Ajjan says CryptoWall has the same code as CryptoLocker, and only differs in the name. The evil genius behind both ransomware strains is FBI’s most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev. Bogachev, the authorities believe, was responsible for operating both GameOver Zeus which captures banking credentials and then authorize transfers from their accounts and CryptoLocker which together have infected hundreds of thousands of machines.

The CTA chose Cryptowall as its first major project, discovered over 4,000 malware samples relating to CryptoWall 3.0 and well over 800 URLs of Command & Control servers. The area most targeted was the USA, likely because it is a target-rich environment. Around half of all Cryptowall victims were American.

Over 406,000 attempted infections were discovered by the CTA researchers —primarily phishing emails which were 67.3% and Exploit Kits (EK) which were 30.7%. The majority of the phishing emails were sent in the January-April 2015 time frame, with the attackers changing their tactics in May when they concentrated more on exploit kits like the Angler EK.

The CTA is an industry group with big-name members like Intel, Palo Alto Networks, Fortinet and Symantec and was created last year to warn about emerging cyber threats.

The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.

“To be honest, we often advise people just to pay the ransom.”

Sjouwerman further noted, “We have warned companies and customers many times about the pervasiveness of Cryptowall, a new strain of ransomware with its predecessor Cryptolocker. Cryptowall is highly sophisticated, bullet proof code with unbreakable encryption that poses a danger to both consumers and businesses, as once a machine is infected and if no recent backups have been done, the files are lost forever. Since one of its major infection vectors is email, it makes a lot of sense to step end-users through effective security awareness training to prevent extremely expensive ransomware infections caused by phishing emails.”

For more information visit http://www.knowbe4.com/

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. KnowBe4 services 1500 organizations in a variety of industries, including highly-regulated fields such as healthcare, finance, energy, government and insurance and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”