Massive botnet takedown stops spread of Cryptolocker ransomware
Hackers made millions from sophisticated extortion racket
Computerworld - The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said today.
But replacements already stand in the wings, prepared to take Cryptolocker's place.
"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old botnet that U.S. and foreign authorities took down in a broad, coordinated campaign announced Monday. Gameover Zeus had been the sole distribution channel for Cryptolocker.
Other experts corroborated Jarvis's account.
"Our intelligence now shows that the number of new Cryptolocker-infected machines has dropped off significantly and is currently relatively stable around zero," said Morten Kjaersgaard, the CEO of Danish company Heimdal Security, in an email.
On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had seized control of the Gameover Zeus botnet. Criminal charges have also been filed against the alleged administrator of the botnet.
But while Cryptolocker's infection pipeline has been crippled, other rival ransomware gangs are ready to fill in. Jarvis named Cryptodefense and Cryptowall as two such copycats. Both have been in circulation since late last year, months after researchers discovered Cryptolocker.
"Ransomware" is the term for extortion malware that, once installed on a hijacked Windows PC, encrypts the user's files and then demands payment in exchange for the means to decrypt them so they can be opened again. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.
Cryptolocker has been the most successful so far in extorting money from victims.
Jarvis said that SecureWorks -- which has been at the forefront of analyzing Cryptolocker, and was one of the private security firms that assisted law enforcement prior to this week's takedown -- estimated the Cryptolocker haul at a minimum of $10 million since its debut.
Others have pegged the profit considerably higher. Among the court documents filed Monday against the makers of Gameover Zeus and Cryptolocker, one cited an estimate of $27 million paid by victims in a two-month stretch of 2013. Jarvis countered that the research behind that figure was flawed.
"In any case, Cryptolocker has been very successful," acknowledged Jarvis.
Some victims who refused to pay the ransom incurred significant losses regaining control of their systems and restoring files from backups, if they had them. During their investigation, U.S. authorities interviewed numerous Cryptolocker victims; examples cited in court documents put businesses' recovery and remediation costs at between $30,000 and $80,000.