Ransomware “CryptoWall” infects 625,000 PCs – encrypts 5 billion files

Ransomware first discovered in February this year has claimed more than 625,000 victims in the last couple of months. The ransomware, called CryptoWall, encrypted more than 5 billion files on the PCs of victims, who have to pay a ransom to regain access to their files.


If the payment requirements aren’t met in time, the cybercriminals double the ransom from $500 to $1,000 and sometimes increase it even further. The ransomware was first called Crypto Defense by its developers but was later renamed to CryptoWall. Although it isn’t as sophisticated as the “famous” CryptoLocker ransomware, the cybercriminals have infected a large number of computers, according to security researchers at Dell SecureWorks.

CryptoWall spreads through drive-by downloads that use known exploits for browsers and browser plugins. E-mail attachments are also used to infect systems with the ransomware. Since the end of March this year, the ransomware has mainly infected users through e-mail attachments. The e-mails are sent using the Cutwail botnet and often carry attachments containing an Upatre downloader. This malware downloads CryptoWall from hacked servers and installs it on the victim’s PC.


Researchers also found e-mails containing links to a website that tried to infect the PC through a drive-by download. Researchers at Dell SecureWorks gained access to the CryptoWall infrastructure and discovered that the ransomware had infected 625,000 PCs and encrypted 5.25 billion files. Besides encrypting files on the hard disks of PCs, the ransomware is also able to encrypt files on network disks and removable media such as USB drives.

Most infected systems are located in North America, France, Germany, India, Vietnam and Australia. According to the researchers, the CryptoWall developers have made more than $1.1 million in ransom, paid by 1683 victims (about $600 per victim on average). One victim even paid $10,000 to get his files back. The potential of ransomware is huge: the $1.1 million was paid by only 0.27% of the victims.

Although CryptoWall infected 100,000 more PCs than CryptoLocker, it made only 37% of the ransom that CryptoLocker’s developers collected. According to the researchers, this is because CryptoWall only accepts Bitcoin payments, which makes it more difficult for victims to pay. The CryptoLocker cybercriminals also accept Moneypak vouchers. Another likely reason that CryptoWall collected less ransom is that its ransom is higher than what the CryptoLocker criminals demand.

To avoid being infected with CryptoWall, the researchers recommend blocking executables and ZIP/RAR files, keeping software up to date, reviewing access to shared network disks and making regular backups.
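
As an added illustration of the first recommendation (not code from the researchers or from Dell SecureWorks), the Python sketch below flags e-mail attachments that are executables or ZIP/RAR archives. It checks the file content as well as the extension, so a renamed executable is still caught. The extension list, function names and sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the file types the recommendation names. "MZ" is short and
# can match harmless data, so treat a hit as "quarantine", not "proven malware".
MAGIC = {
    b"MZ": "windows-executable",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}
# Assumed extension list for this example; extend it to match local policy.
BLOCKED_EXT = (".exe", ".scr", ".com", ".pif", ".zip", ".rar")


def blocked_attachments(raw):
    """Return (filename, reason) for every attachment that should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not name and part.get_content_disposition() != "attachment":
            continue  # message body, not an attachment
        data = part.get_payload(decode=True) or b""
        kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
        if kind:
            hits.append((name, "content is " + kind))
        elif name.lower().endswith(BLOCKED_EXT):
            hits.append((name, "blocked extension"))
    return hits


def sample_message():
    """Constructed message: a renamed executable, a text file, a .ZIP name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    msg.add_attachment(b"not really an archive", maintype="application",
                       subtype="octet-stream", filename="scan.ZIP")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(sample_message()):
        print(name, "->", reason)
```

The check does not look inside archives; blocking ZIP/RAR attachments outright, as the researchers recommend, avoids having to.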