Behind the CryptoLocker Disruption

LAS VEGAS–The takedown of the GameOver Zeus malware operation in June got more than its share of attention, but it was the concurrent demolition of the CryptoLocker ransomware infrastructure that may prove to have been the most important part of the operation. That outcome was the culmination of months of behind the scenes work by dozens of security researchers who cooperated with law enforcement to trace, monitor and ultimately wreck the careful work and planning of the CryptoLocker crew.

CryptoLocker emerged in 2013 and quickly gained a lot of notice, both among security researchers and the law enforcement community. Delivered by the GameOver Zeus Trojan, the ransomware, which encrypts the contents of infected machines and then demands a payment of $300 for the decryption key, was racking up a lot of victims, some of which were law enforcement agencies themselves. Ransomware wasn’t anything new; it has been around for many years in various forms. But the concept of a piece of malware that had the ability to encrypt all of a victim’s files and potentially wreck the machine was novel.

“This was something new. This was ransomware done right.”

“This was something new. This was ransomware done right,” said John Bambenek, president of Bambenek Consulting, who was involved in the working group that tracked CryptoLocker and talked about the operation at the Black Hat USA conference here Thursday. “It made for a good case study on how to do threat intelligence.”

The working group that came together to defeat CryptoLocker was global and had people with all kinds of different skill sets: malware reverse engineering, math, botnet tracking and intelligence. Some members worked on taking part the domain-generation algorithm while others looked at the command-and-control infrastructure and still others broke down the malware itself. What the researchers began to notice as they dug deeper into the CryptoLocker operation was that the crew behind the ransomware had done a lot of things right, but had also exhibited some oddly inconsistent behaviors.

“The interesting thing is all the opsec involved in this. The architecture thought out with this was really clear. The people working on this really sat down and architected and then engineered something,” said Lance James of Deloitte & Touche, who spoke alongside Bambenek at Black Hat. “It took a lot more people on our side to hit it harder.”

The researchers began to wonder why the CryptoLocker gang had decided to ride along with GameOver Zeus, a very stealthy piece of malware that is designed to sit quietly on a victim’s machine and steal data.

“Why would the people who run GameOver Zeus expose their infections so loudly?” Bambenek said.

What they realized, though, was that the GOZ infections gave the CryptoLocker crew a pipeline into machines that couldn’t effectively be shut down quickly.

“It’s almost like having a tunnel with a low footprint. It’s something we couldn’t shut down. They were winning the race before we could get there,” James said.

One of the key pieces of the CryptoLocker intelligence operation was the reverse engineering of the DGA the malware used. The algorithm regularly generates new domains for the C2 communications between infected machines and the attackers, allowing the attackers to be agile and stay ahead of sinkhole operations and takedowns. Looking at the DGA allowed the working group to track C2 infrastructure in near real time, Bambenek said. The DGA turned out to be the same one used by the Flashback OSX Trojan, Bambenek said, and the CryptoLocker crew likely bought it from a third party.

The estimates of how much money CryptoLocker made for its operators vary wildly, but Bambenek said the ransomware wasn’t even the main business for this group.

“This was a very lucrative cash crop for them. They used this as funding for something else that we can’t talk about right now,” he said.

The good news is that the researchers involved in this operation learned a lot of lessons from it and will be able to apply them to the inevitable wave of copycat crypto ransomware strains to come.

“CryptoLocker is dead, but it’s captured the imagination,” Bambenek said.


Suggested articles