U.S. and European law enforcement officials last month performed a coordinated takedown of the GameOver Zeus botnet. At the time, they claimed that the operation also neutralized the infamous CryptoLocker ransomware, which criminals had distributed using GameOver’s infrastructure.
However, Tyler Moffitt, a threat research analyst at the security firm Webroot, argued in a blog post yesterday that the FBI’s claims are dubious and that CryptoLocker remains in use. In particular, the FBI’s belief “that Cryptolocker has been neutralized by the disruption and cannot communicate with the infrastructure used to control the malicious software” overlooks an important reality.
“The reason why this claim should be scrutinized is because it is only the samples dropped on victims’ computers that communicated to those specific servers seized that are no longer a threat,” Moffitt wrote. “All samples currently being deployed by different botnets that communicate to different command and control servers are unaffected by this siege…”
More to the point, the FBI alleges that the mastermind behind the operation they shut down is a Russian national named Evgeniy Bogachev.
Moffitt agrees with the FBI’s allegation that Bogachev and his co-conspirators did indeed control a significant portion of Zeus botnets in the business of distributing CryptoLocker. He also notes that there are many criminals in the business of operating Zeus botnets that disseminate CryptoLocker.
“Most malware authors spread their samples through botnets that they either accumulated themselves (Evgeniy), or just rent time on a botnet from someone like Evgeniy (most common),” Moffitt reasons. “So now that Evgeniy’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”
Furthermore, Moffitt says that malware authors are improving upon CryptoLocker with new ransomware such as CryptoWall, New CryptoLocker, DirCrypt, and CryptoDefense.
Instead of a traditional graphical user interface, he says, these newer variants merely change the victim’s desktop background and display instructions on how to unlock the infected machine. Another change is that the criminals behind these schemes are no longer reliant on third-party money transfer companies or money mules. Users are told to install Tor and pay the criminals directly. Thus, he claims, the malware authors are increasing their take of the overall profit from the scam.
In fact, last month, in a voluntary data breach notification addressed to the New Hampshire Attorney General, the investment firm Benjamin F. Edwards & Co. explained that one of its employees’ laptops became infected with CryptoWall. As a result, the firm said, data was transmitted to a suspicious IP address (in addition to being encrypted on the local drive).
Just today, reports emerged detailing a new piece of ransomware for sale on the criminal underground called Critroni. Researchers are calling it the first ransomware to use the Tor network for command and control.