A report by Cyber Threat Alliance suggests a single group of hackers stand behind the most efficient bitcoin ransomware Cryptowall 3.0, while Kaspersky lab announces the Coinvault and Bitcryptor case closed after publishing all 14,000 decryption keys.

CryptoWall 3.0 (CW3), “one of the most lucrative and broad-reaching ransomware,” might be operated by a single group of malefactors originating from Eastern Europe, a recent report by Cyber Threat Alliance suggests. The Alliance was formed by Fortinet, Intel Security, Palo Alto Networks and Symantec last September for raising awareness about advanced cyberthreats and providing intelligence for cybersecurity industry.

The Alliance’s researchers documented 406,887 attempted infections by CW3. The estimated victims’ damage is $325 million. Ransom sums usually vary from a few hundred dollars to over $1,000. Sometimes attackers can double the sum if not receiving money in time.

Since the ransomware first appeared in 2014 the constant stream of money flocked into hundreds bitcoin wallets. However investigators noted that same primary addresses were used in different malware campaigns. It leaded them to the conclusion that all the campaigns have been operated by a single entity.

“A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits and/or botnets used to send spam email,” the report reads.

Moreover, the malware insemination appears to be geographically determined. Most of the victims are based in North America and Australia. However a certain group of countries is blacklisted by CW3 which means that malware uninstalls itself from affected machine if it is located in these regions. The list of the countries, namely Belarus, Ukraine, Russia, Kazakhstan, Armenia, Serbia, and Iran, prompted researchers to conclude that CW3 might have been originated from Eastern Europe.

Meanwhile, Russian cybersecurity company Kaspersky Lab announced Coinvault and Bitcryptor ransomware teams to be neutralized after upgrading the company’s Ransomeware Decryptor with more than 14,000 decryption keys.  

“We are considering this case as closed. The ransomware authors are arrested and all existing keys have been added to our database.”

Two alleged Coinvault creators were arrested in Netherlands this September.

Last week FBI advised victims to pay ransom in bitcoins to restore their information. The agency admitted ransomware programs used to hack sites and encrypt files such as Cryptolocker, Cryptowall or Reveton are too good to be easily defeated by the cyber means at the disposal of FBI.  

In June 2015, FBI evaluated losses of American victims to bitcoin ransomware attacks at more than $18 million, identifying CryptoWall as “the most current and significant ransomware threat targeting U.S. individuals and businesses.”

Nadya Krasnushkina