Post Updated on June 10

On Monday, I wrote about attackers using phishing attacks to deliver malware via links to Dropbox. Today, we received another wave of these emails with slightly different subject lines. Figures 1, 2, and 3 show the variants that were received by us in the latest campaign, and reported by our internal users. In this campaign, 10 of our users were targeted.

With the large number of our users who received this email on our side, I wanted to run the malware online to see what the attackers were doing. I was in for quite the surprise.

Once the malware runs (zip with a screen saver file), the user’s default browser opens, and a ransom page comes up with instructions for the user. The authors have given the name of “CryptoWall” to this variant, and refers to RSA-2048 encryption algorithm like CryptoDefense mentioned here. Figure 4 shows a screenshot of the browser window presented to the user, as well as the “personal” TOR links for this installation.

Once a user visits their “personal” link, they will be presented with CAPTCHA to enter the site (Figure 5) then directed to their personal page. (Figure 6)

Take note of the URL of my “personal” TOR page used during analysis:

https://kpai7ycr7jxqkilp.tor2www[d]com/7gzc

At the end of the URL, “7gzc” appears to be somewhat random to the naked eye. However, by executing the malware a second time, I was given a “number” very close to this, only a few letters off. With the closeness of the numbers, this tells me the numbers are not random, but are actually incrementing.

In querying the attackers infrastructure, infected hosts start at “000q” as no entries exist prior to that. With the lack of entries such as “0001”and “000q” existing (contains all letters of the alphabet) this tells me the attackers are using the following base 36 number scheme:

0123456789abcdefghijklmnopqrstuvwxyz

Using this, we can calculate and convert how many hosts have potentially been infected. To calculate this back to base 10:

000q == 27(36^0) == 27 (attackers started counting at 27)

7gzc == 7(36^3) + 16(36^2) + 36(36^1) + 13(36^0) == 348,637

348,637 – 27 = 348,610 potentially infected systems

Keep in mind this number will include researchers, malware analysts, sandboxes, and infected users, and a few non-existent numbers scattered in between. Assuming half of these are sandboxes and researchers, half of 348,637 is still a very large number.

Paying the Attackers

Once infected, users are instructed to pay 500 USD in Bitcoins to unlock their files. (Figure 7)

If you don’t pay the ransom, the cost doubles to 1000 USD in order to unlock the files. (Figure 8)

Through analysis of the infrastructure, there are many poor unfortunate souls who have lost tens of thousands of files. (Figures 9-11)

To pay, the users are instructed to pay to the following bitcoin addresses. (Figures 12-14)

A text representation of the wallets are here (for your research):

1L7SLmazbbcy614zsDSLwz4bxz1nnJvDeV

19yqWit95eFGmUTYDLr3memcDoJiYgUppc

16N3jvnF7UhRh74TMmtwxpLX6zPQKPbEbh

How much have the attackers made?

The 1L7 bitcoin address currently contains 3.96 bitcoins. The 19y bitcoin address currently balance is 2.46 bitcoins. Both of these wallets have transferred funds to bitcoin wallet 18dwCxqqmya2ckWjCgTYReYyRL6dZF6pzL, and this looks to be one of the main wallets held by the attackers. Currently, this address has received 88.58 bitcoins, giving a potential of 95 bitcoins belonging to the attackers, or roughly $62,000 USD which may have been paid to the attackers to unlock files.

How to protect users / enterprises

1. Be on the lookout for zip files that contain executable or screen saver files.

2. Be wary of any zip file being downloaded.

3. Search / remove emails containing the subjects discussed

4. User awareness – While some will debate this topic, we had 10 users who reported this email, and that’s $5,000 we don’t have to pay



Updated June 10

Let’s see how the attackers have changed their tactics after our first report… or rather how they haven’t changed.

Today, we received a third set of emails with a similar Dropbox link. This time, the email is disguised as a voicemail notification (Figure 15). Please note that the phone number and mailbox number listed can change (we’ve received multiple iterations with varying phone and mailbox numbers today).

Upon clicking the link and running the malware, the user is given a new unique ID, going to the same TOR address as previously mentioned. This time, my unique ID was 7Yio. (The attacker’s website treats lower and upper case letters the same):

~/git/base36 $ python base36.py 7Yio

Base36 conversion: 419317

So at current calculation, the attackers have infected almost half a million hosts, and don’t seem to have any intention of stopping. As previously stated, this number includes sandboxes and malware researchers. (Base36 code can be downloaded from here: https://github.com/x41x41x90/base36 )

The attackers are also using another bitcoin wallet: 1ApF4XayPo7Mtpe326o3xMnSgrkZo7TCWD. (Figure 16)

These 4 addresses are confirmed to be used by the attackers:

1L7SLmazbbcy614zsDSLwz4bxz1nnJvDeV

19yqWit95eFGmUTYDLr3memcDoJiYgUppc

16N3jvnF7UhRh74TMmtwxpLX6zPQKPbEbh

1ApF4XayPo7Mtpe326o3xMnSgrkZo7TCWD

This is the wallet which had many of the funds from confirmed accounts transferred to it, which was previously mentioned:

https://blockchain.info/address/18dwCxqqmya2ckWjCgTYReYyRL6dZF6pzL

The current transferred amount is 122.499 bitcoins, which at the current exchange rate is more than $80,000. That’s more than $18,000 the attackers have made since this article was was published.

We have contacted Dropbox, but have not received a response.

Attackers are making money hand-over-foot from people falling victim to phishing emails. And while the attackers are valuing your data at $500 or $1000, what is the true price of your pictures or documents? For an enterprise, what is the price of a network share of data, and what could be lost?