Massive botnet takedown stops spread of Cryptolocker ransomware

Hackers made millions from sophisticated extortion racket

The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said today.

But replacements already stand in the wings, prepared to take Cryptolocker's place.

"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security researcher at Dell SecureWork's Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old botnet that U.S. and foreign authorities took down in a broad coordinated campaign announced Monday. Gameover Zeus had been the sole distribution channel for Cryptolocker.

Other experts corroborated Jarvis's account.

"Our intelligence now shows that the number of new Cryptolocker-infected machines has dropped off significantly and is currently relatively stable around zero," said Morten Kjaersgaard, the CEO of Danish company Heimdal Security, in an email.

On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had grabbed control of the Gameover Zeus botnet. Criminal charges have also been filed against the alleged administrator of the botnet.

But while Cryptolocker's infection pipeline has been crippled, other rival ransomware gangs are ready to fill in. Jarvis named Cryptodefense and Cryptowall as two such copycats. Both have been in circulation since late last year, months after researchers discovered Cryptolocker.

"Ransomware" is the term for extortion malware that, once installed on a hijacked Windows PC, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.

Cryptolocker has been the most successful so far in extorting money from victims.

Jarvis said that SecureWorks -- which has been in the forefront of analyzing Cryptolocker, and was one of the private security firms that assisted law enforcement prior to this week's take-down -- estimated the Cryptolocker haul at a minimum of $10 million since its debut.

Others have pegged the profit considerably higher. Among the court documents filed Monday against the makers of Gameover Zeus and Cryptolocker, one cited an estimate of $27 million paid by victims in a two-month stretch of 2013. Jarvis countered, saying that that research was flawed.

"In any case, Cryptolocker has been very successful," acknowledged Jarvis.

Some victims who refused to pay the ransom incurred significant losses recovering control of their files and restoring files from backups, if they had them. During their investigation, U.S. authorities interviewed numerous Cryptolocker victims; examples cited in court documents said businesses pegged recovery and remediation costs between $30,000 and $80,000.

Cryptolocker infections
New infections of the Cryptolocker ransomware plummeted to nearly nothing after the takedown of the Gameover Zeus botnet earlier this week. (Image: Heimdal Security.)
1 2 Page
FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies