The CryptoWall ransomware that filled the void left by the takedown of its CryptoLocker cousin is less effective and lacks the sophistication for wringing more money from victims.
CryptoWall's shortcomings include less virulent technology and no payment options beyond Bitcoins, a cryptocurrency that many people would not know how to use in paying to have malware-encrypted files unscrambled, according to Keith Jarvis, a senior researcher for the Dell SecureWorks Counter Threat Unit, which performed an extensive analysis on CryptoWall.
"It made no advancements on what we saw with CryptoLocker," Jarvis said Wednesday.
Despite the lack of innovation, the criminals behind CryptoWall managed to compromise 625,000 computers in the last six months, surpassing the roughly half million infected with CryptoLocker.
However, its lack of less complicated payment options has led to a much smaller take, roughly $1.1 million versus about $3 million for CryptoLocker.
The latter ransomware faded quickly in May after a multi-national law enforcement operation took down the 2-year-old Gameover Zeus botnet, which was also the exclusive distributor of CryptoLocker.
The botnet of between half million and 1 million compromised computers distributed the Gameover Zeus malware used to steal online banking credentials. The CryptoLocker criminals rode piggyback on the botnet.
CryptoWall infection spiked immediately after CryptoLocker was knocked out.
The boost was due to CryptoWall operators tapping a variety of distribution tactics, including the Cutwail botnet that sends spam with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits and other malware programs that installed the ransomware on compromised computers.
Beyond distribution methods, Jarvis says there are a number of other differences between the ransomwares, which encrypt files on a victim's computer and won't decrypt them until money is paid:
-- CrptoWall encrypts files more important to consumers, such as audio and video files. CrytoLocker was more focused on document files.
-- CryptoLocker was more sophisticated in that it used public key encryption to authenticate the infected system with the command-and-control server.
--CryptoWall used 2048-bit RSA keys, which is not meant for encrypting large files. CryptoLocker would encrypt using an Advanced Encryption Standard (AES) algorithm, which is much faster and made for bulk data.
The CryptoWall criminals went with a simpler encryption most likely because it was easier to implement and harder to mess up. "It also could be they didn't really understand encryption at a fundamental level," Jarvis said.
-- The payment infrastructure behind CryptoLocker was also more complex. Besides Bitcoins, victims could pay using Green Dot MoneyPaks, which are prepaid payment cards sold at more than 60,000 retail stores in the U.S. Once the victim gave the criminals the number on the card to obtain payments, someone had to physically go to a store on the MoneyPak network to retrieve the cash.
The majority of CrytoLocker victims paid through MoneyPaks.
The organization that was behind CryptoLocker was separate from that running CryptoWall, Jarvis said. Both groups launched operations in 2013 and operated in parallel.
"The guys behind CryptoWall are notorious for ripping off other people's ideas," Jarvis said.
Other than the spike in May, the CryptoWall operation is unlikely to benefit much from CryptoLocker's demise. CryptoWall's shortcomings are likely to prevent it from eclipsing the other, more lucrative scam.
In general, ransomware takes in much less money than malware that steals data from corporations and government agencies and personal data from consumers, such as user names and passwords to online banking and other websites.
Dell SecureWorks has seen a trend in which distributors of ransomware are also infecting systems with data-stealing malware through partnerships with other organizations.
"Ransomware isn't that lucrative, so they need to branch out," Jarvis said.