Russian Ransomware Harasses US Business World Warns KnowBe4

The [CTA] report paints a picture of a professionally-run operation with unbreakable encryption which means most businesses infected will be faced with a decision on whether or not to pay the ransom - Stu Sjouwerman, CEO KnowBe4

A staggering damage toll of 325 million dollars has been tied to a single Eastern European criminal cyber mafia, according to a new report from the Cyber Threat Alliance (CTA). By “following the money”, researchers were able to map the group’s complex Bitcoin wallet obfuscation, which used publicly displayed ransom wallet addresses and a multitude of intermediary wallets, and found that most of them led back to one main Bitcoin account. That led the researchers to conclude that a single group was behind all the campaigns. Past transactions and the amount of Bitcoin in the central and lower-tier wallets show that the group has made around $325 million / €295 million.
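The “follow the money” step described above, as an added illustration that is not part of the CTA report or of this article: a small wallet-flow tracer over a constructed, made-up ledger (the address labels and amounts are invented, and real chain analysis must also handle change addresses, mixers that split funds, and exchange deposits, which this simplified model ignores). It walks outgoing transfers from each publicly shown ransom address until a wallet with no further outgoing transfers is reached, and groups ransom addresses by that terminal wallet.

```python
from collections import defaultdict

# Constructed sample ledger: (sender, receiver, amount_btc).
# Labels are made up for illustration, not real Bitcoin addresses.
# Victims pay the ransom address shown to them; the funds then hop
# through intermediary wallets before landing in a central wallet.
SAMPLE_TXS = [
    ("victim_a", "ransom_addr_1", 1.2),
    ("victim_b", "ransom_addr_1", 1.1),
    ("victim_c", "ransom_addr_2", 2.3),
    ("ransom_addr_1", "mixer_x", 2.3),
    ("ransom_addr_2", "mixer_y", 2.3),
    ("mixer_x", "central_wallet", 2.25),
    ("mixer_y", "hop_z", 2.3),
    ("hop_z", "central_wallet", 2.28),
    ("victim_d", "ransom_addr_3", 0.9),      # unrelated chain, never joins
    ("ransom_addr_3", "other_cashout", 0.9),
]


def build_graph(txs):
    """Adjacency list: wallet -> list of (receiver, amount) it sent."""
    out = defaultdict(list)
    for src, dst, amt in txs:
        out[src].append((dst, amt))
    return out


def sinks_of(graph, start):
    """Follow outgoing transfers from `start`; return the set of terminal
    wallets (no outgoing transfers). A visited set guards against cycles."""
    seen, frontier, sinks = set(), [start], set()
    while frontier:
        node = frontier.pop()
        if node in seen:
            continue
        seen.add(node)
        if not graph[node]:
            sinks.add(node)
        frontier.extend(dst for dst, _ in graph[node])
    return sinks


def cluster_by_sink(txs, ransom_addrs):
    """Group ransom addresses by the terminal wallet their funds reach.
    Many addresses sharing one sink is the signal for a single operator."""
    graph = build_graph(txs)
    clusters = defaultdict(set)
    for addr in ransom_addrs:
        for sink in sinks_of(graph, addr):
            clusters[sink].add(addr)
    return dict(clusters)


def total_received(txs, wallet):
    """Sum of all transfers into `wallet`, rounded to satoshi precision."""
    return round(sum(a for _, d, a in txs if d == wallet), 8)
```

On the sample ledger, `ransom_addr_1` and `ransom_addr_2` both drain into `central_wallet` while `ransom_addr_3` does not, which is the kind of grouping the researchers used to attribute many campaigns to one group.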

KnowBe4 CEO Stu Sjouwerman stated:

“The report paints a picture of a professionally-run operation with unbreakable encryption which means most businesses infected will be faced with a decision on whether or not to pay the ransom, normally around 500 dollars. Even an FBI agent last week was quoted that if you had no backup, it was best to pay the ransom to get your files back.”

Ransomware is big business. According to the report, the CTA concluded:

"When looking at the number of victims providing payment for the Cryptowall 3.0 ransomware, it becomes clear that this business model is extremely successful and continues to provide significant income for this group."

The CryptoWall 3.0 code itself leaves a very clear clue: if it detects that it is running on a PC in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia, it uninstalls itself. It is well known in security circles that in several Eastern European countries it is not illegal to create or distribute ransomware and other forms of malware as long as they are used outside the country’s own territory, which leaves Russian cybercriminals free to operate everywhere else.

SophosLabs threat researcher Anand Ajjan says CryptoWall shares the same code as CryptoLocker and differs only in name. The mastermind behind both ransomware strains is on the FBI’s most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev. Authorities believe Bogachev was responsible for operating both GameOver Zeus, which captures banking credentials and then authorizes transfers from victims’ accounts, and CryptoLocker; together they have infected hundreds of thousands of machines.

The CTA chose CryptoWall as its first major project and discovered over 4,000 malware samples relating to CryptoWall 3.0 and well over 800 command-and-control (C2) server URLs. The area most targeted was the USA, likely because it is a target-rich environment; around half of all CryptoWall victims were American.

The CTA researchers discovered over 406,000 attempted infections, delivered primarily by phishing emails (67.3%) and exploit kits (EKs) (30.7%). The majority of the phishing emails were sent in the January to April 2015 time frame; in May the attackers changed tactics and concentrated more on exploit kits such as the Angler EK.

The CTA is an industry group with big-name members like Intel, Palo Alto Networks, Fortinet and Symantec and was created last year to warn about emerging cyber threats.

The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.

“To be honest, we often advise people just to pay the ransom.”

Sjouwerman further noted, “We have warned companies and customers many times about the pervasiveness of Cryptowall, a new strain of ransomware with its predecessor Cryptolocker. Cryptowall is highly sophisticated, bulletproof code with unbreakable encryption that poses a danger to both consumers and businesses, as once a machine is infected and if no recent backups have been done, the files are lost forever. Since one of its major infection vectors is email, it makes a lot of sense to step end-users through effective security awareness training to prevent extremely expensive ransomware infections caused by phishing emails.”

For more information visit

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercriminal social engineering tactics through new-school security awareness training. KnowBe4 serves 1,500 organizations in a variety of industries, including highly regulated fields such as healthcare, finance, energy, government and insurance, and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, the latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
