Feds declare big win over Cryptolocker ransomware

'Neutralized' the extortion software, but hacker gang is already spewing new malware, experts say

Even as security researchers reported that the hacker gang responsible for the Gameover Zeus botnet had begun distributing new malware, U.S. government officials last week claimed victory over the original and said that the Cryptolocker ransomware that the botnet had been pushing has been knocked out.

On Friday, the Department of Justice filed a status update with a federal court in Pennsylvania, telling the judge that both the Gameover Zeus botnet and Cryptolocker "remained neutralized."

"Analysis to date indicates that all or nearly all of the active computers in the [Gameover Zeus] network are communicating exclusively with the substitute server established pursuant to this Court's Orders," the document stated.

In early June, the DOJ, along with law enforcement agencies in several other countries, grabbed control of the Gameover Zeus botnet and filed both criminal and civil charges against the alleged administrator of the botnet, Evgeniy Bogachev, a Russian national who remains at large.

Cryptolocker, a type of "ransomware" -- the term for extortion malware that encrypts files and then tries to convince users to pay to have them decrypted -- was distributed exclusively by Gameover Zeus.

The disruption of the original Gameover Zeus, and cleanup efforts by various countries' computer security response teams, or CIRTs, and Internet service provides, have reduced the number of infected PCs by more than 31%, the DOJ said in the Friday report. More than 137,000 machines remain infected, however.

"Government testing of Cryptolocker malware samples has confirmed that Cryptolocker is no longer able to encrypt newly infected computers and, as a result, is not currently a threat," the prosecutors added. "Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers. As of today, the injunctive relief ordered ... knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."

Court orders last month allowed authorities to seize the servers that issued commands to Gameover Zeus and Cryptolocker and to redirect infected PCs' requests for instructions to government-controlled servers.

Bogachev, who was put on the FBI's Cyber Most Wanted List last month, has not been arrested. He joined four officers of the People's Liberation Army (PLA), China's military, who were accused of digital spying in May, on the FBI's list.

Even as the DOJ gave the federal judge the Gameover Zeus/Cryptolocker update, experts said that the cybercriminal gang behind the botnet was at it again.

According to Dell SecureWorks' Counter Threat Unit, those responsible for the original Gameover Zeus network have begun disseminating new malware via spam since at least July 10.

The hackers, unable to access their command-and-control servers after authorities seized the systems last month, have created an alternate that relies on a more centralized infrastructure, said SecureWorks.

The group's reappearance was not a surprise: Security professionals had predicted that the government's June takedown would not permanently stamp out either the gang or put an end to ransomware, which has a rich history, literally and figuratively, going back at least nine years.

In the report filed with the federal court, the DOJ said it would issue another status update on the original Gameover Zeus botnet and Cryptolocker malware infections on Aug. 15.

Gameover botnet Most Wanted
Evgeniy Mikhailovich Bogachev, the alleged administrator of the Gameover Zeus botnet, remains at large in Russia. (Image: FBI.)

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter, at Twitter @gkeizer, and on Google+, or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies