The feared CryptoLocker ransom Trojan has infected at least a quarter of a million PCs worldwide, and has probably generated somewhere in the low millions of dollars in ransom payments, according to a new analysis by Dell SecureWorks.
Alarming reports of the chaos sown by CryptoLocker have been easy to come by; hard numbers on the scale of what has surely been the malware story of 2013 have been far scarcer.
Dell SecureWorks counted 31,866 infected PCs contacting sinkholed command-and-control servers between 22 October and 1 November alone, more than 22,000 of them in the US and around 1,700 in the UK. These are counts of infected machines that happened to reach a sinkhole during the window, so they undercount the true total.
When the exercise was repeated between 9 and 16 December, the count had fallen to 6,459, a drop attributed mainly to reduced activity by the botnets pushing the malware.
From these figures the firm calculates that in its first 100 days of activity, from mid-September, CryptoLocker infected between 200,000 and 250,000 PCs worldwide, disproportionately in English-speaking countries.
That brings Dell SecureWorks to the question of how much money the criminals have made from CryptoLocker.
Based on Bitcoin payments linked to ransoms, Dell SecureWorks estimates that between September and December the sums extorted were worth between $380,000 and $980,000, depending on how long the bitcoins were held before being cashed out.
Because this figure excludes ransoms paid through other channels such as MoneyPak, which Dell believes account for most of the money extorted, the real total must be considerably higher, the firm said.
“These figures represent a conservative estimate of the number of ransoms collected by the CryptoLocker gang,” a Dell SecureWorks statement said.
“Based on this information and measurements of infection rates, CTU researchers estimate a minimum of 0.4%, and very likely many times that, of CryptoLocker victims are electing to pay the ransom.”
Many of CryptoLocker’s victims have been small businesses rather than consumers; from its first appearance the malware targeted SMEs, using email subject lines such as ‘consumer complaint’ to trick employees into opening malicious attachments, the firm said.
One high-profile example was a US police department that not only found itself infected by CryptoLocker but, remarkably, agreed to pay the Bitcoin ransom demand.
As this pool of targets became exhausted, the criminals shifted, probably reluctantly, to less profitable home users. The waxing and waning of CryptoLocker infections now tracks the activity of the botnets used to distribute it, such as Cutwail.
According to Dell, CryptoLocker’s creators are almost certainly veterans of earlier malware campaigns: they appear to have made sound design decisions that complicate efforts to mitigate the threat, and they have demonstrated a capable distribution system based on the Cutwail and Gameover Zeus botnets.