Massive botnet takedown stops spread of Cryptolocker ransomware

Hackers made millions from sophisticated extortion racket

The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said today.

But replacements already stand in the wings, prepared to take Cryptolocker's place.

"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security researcher at Dell SecureWork's Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old botnet that U.S. and foreign authorities took down in a broad coordinated campaign announced Monday. Gameover Zeus had been the sole distribution channel for Cryptolocker.

Other experts corroborated Jarvis's account.

"Our intelligence now shows that the number of new Cryptolocker-infected machines has dropped off significantly and is currently relatively stable around zero," said Morten Kjaersgaard, the CEO of Danish company Heimdal Security, in an email.

On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had grabbed control of the Gameover Zeus botnet. Criminal charges have also been filed against the alleged administrator of the botnet.

But while Cryptolocker's infection pipeline has been crippled, other rival ransomware gangs are ready to fill in. Jarvis named Cryptodefense and Cryptowall as two such copycats. Both have been in circulation since late last year, months after researchers discovered Cryptolocker.

"Ransomware" is the term for extortion malware that, once installed on a hijacked Windows PC, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.

Cryptolocker has been the most successful so far in extorting money from victims.

Jarvis said that SecureWorks -- which has been in the forefront of analyzing Cryptolocker, and was one of the private security firms that assisted law enforcement prior to this week's take-down -- estimated the Cryptolocker haul at a minimum of $10 million since its debut.

Others have pegged the profit considerably higher. Among the court documents filed Monday against the makers of Gameover Zeus and Cryptolocker, one cited an estimate of $27 million paid by victims in a two-month stretch of 2013. Jarvis countered, saying that that research was flawed.

"In any case, Cryptolocker has been very successful," acknowledged Jarvis.

Some victims who refused to pay the ransom incurred significant losses recovering control of their files and restoring files from backups, if they had them. During their investigation, U.S. authorities interviewed numerous Cryptolocker victims; examples cited in court documents said businesses pegged recovery and remediation costs between $30,000 and $80,000.

New infections of the Cryptolocker ransomware plummeted to nearly nothing after the takedown of the Gameover Zeus botnet earlier this week. (Image: Heimdal Security.)

Jarvis attributed Cryptolocker's success to several factors, notably the sophistication of its code, specifically the encryption it used to lock legitimate owners out of their data. "This is a well-written piece of software," said Jarvis. "And they got the encryption right. There are no loopholes and no flaws."

Earlier examples of ransomware were often sloppy, and in some cases their lock-out mechanisms could be circumvented. Not so with Cryptolocker. Once run, it left victims with only two options: Pay the ransom or restore the now-inaccessible data from backups.

Cryptolocker also benefited from the vertical integration of the gang -- more like a business than a criminal gang, in fact -- behind Gameover Zeus, said Jarvis. The gang included highly-proficient programmers, a dedicated distribution channel and an advanced command-and-control infrastructure.

"It's impossible to do [something like] this by yourself," Jarvis said, nodding to the old days when individual cyber criminals could compete with well-financed crews like the one responsible for Gameover Zeus and Cryptolocker.

While Cryptolocker is down and out, Jarvis and other experts believe the reprieve may be temporary, and not only because of the likes of Cryptowall and Cryptodefense, which aren't cut of the same cloth. "Cryptowall is just not as well built [as Cryptolocker]," Jarvis contended.

"Short term, this is huge because it's taken one of the largest botnets off the market," said Jarvis. "How long that continues, though, we don't know." Jarvis pointed out that some botnet takedowns have resulted in permanent eradication -- the hackers essentially threw in the towel -- but other gangs have recovered after similar blows within months.

While Gameover Zeus is suppressed, consumers and businesses should make use of the time to wipe the malware from infected machines and secure their PCs by updating their operating systems and applications, and ensuring the systems are protected by security software.

"There's a window of opportunity now while Gameover Zeus is down for the count," said Jarvis. "If you're going to clean [your PC], do it now when they're on the ropes."

US-CERT (United States Computer Emergency Readiness Team), part of the Department of Homeland Security, has published an alert about the takedown that includes links to several sources of malware-cleaning utilities from the likes of Microsoft, Symantec and Trend Micro.

"[The takedown] sends a clear message to criminals," said Jarvis when asked whether the campaign had been worthwhile. "We will disrupt your means of making money and put your face on the wanted poster."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.


Copyright © 2014 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon