updated 02:27 pm EDT, Sat August 30, 2014
CryptoLocker derivative attack demands variable ransoms
In a five-month period, CryptoLocker-esque malware CryptoWall has infected 625,000 devices worldwide, and has locked down 5.25 billion files, according to Dell's security researchers. In that same time period, it has exceeded its predecessor's infection rates, and gathered over $1.1 million in file ransoms, with one victim paying out $10,000 in Bitcoin to rescue his own files held hostage by the malware.
The ransomware spreads through malicious attachments to emails and download links sent through the "Cutwail" spam botnet. Starting in June, the emails included links to regular cloud storage providers containing the malware, such as MediaFire and Dropbox, with ZIP files containing the CryptoWall executable.
The Dell SecureWorks group noted "steady but low-level infection rates" from the package, with peaks in infections from time to time. A "sinkhole" was established earier this year, with the server seeing connections from 968 hosts requesting the malware as a result of users being misled to request the infected file.
According to the researchers, the new malware "recursively navigates the file system, selectively encrypting certain file types (e.g., text files, documents, source code). Executables and DLLs are left unmodified to prevent the compromised system from becoming corrupted and unusable." Internal drives, removable media, and network drives including Google Drive or Dropbox shares mapped to a drive letter are targeted for encryption. As is typical for this sort of infection, Mac users are not affected.
At this time, there doesn't apear to be an obvious flaw to allow decryption without payment. The previous CryptoLocker malware wasn't flawed, but the disassembly process by law enforcement led to a method to retrieve encryption keys for users inflicted by the malware.
Infection percentages by country