Researcher: Cryptolocker Not Dead Yet

Reports of Ransomware's Demise Called Overstated
Researcher: Cryptolocker Not Dead Yet

Despite official suggestions to the contrary, the Cryptolocker ransomware isn't dead yet, even as new types of ransomware continue to flood onto black market cybercrime forums, one researcher claims.

See Also: 12 Top Cloud Threats of 2016

On July 11, the FBI told a federal court judge that the May 30 disruption it launched against the Gameover Zeus Trojan malware and Cryptolocker ransomware campaigns continued to be successful. "The Justice Department reported that all or nearly all of the active computers infected with Gameover Zeus have been liberated from the criminals' control and are now communicating exclusively with the substitute server established pursuant to court order," the Department of Justice said in a statement.

The FBI has accused Evgeniy Bogachev, who's based in Russia, of masterminding numerous attacks that blended Zeus Gameover malware to drain people's bank accounts with Cryptolocker ransomware infections, which encrypt personal files on PCs and then demand a one-time payment to decrypt them.

The government also reported that traffic from an FBI-controlled server, to which Zeus Gameover-infected PCs had been redirected, had fallen by one-third, and that "Cryptolocker has been neutralized by the disruption and cannot communicate with the infrastructure used to control the malicious software," thus rendering the ransomware "nonfunctional" on infected PCs.

But Tyler Moffitt, a member of the threat team at security software vendor Webroot, contends: "While this is a great win on behalf of the FBI, it's very bold to claim that Cryptolocker is now dead," because more than one gang has been found still using Cryptolocker. "A better way to put it would be that Evgeniy M. Bogachev's brand of Cryptolocker and anyone who purchased time on his botnet is now useless," he says in a blog post.

Rental Economy

As that highlights, many criminals rent time on other gangs' botnets, rather than building and maintaining their own malicious infrastructure. So even with the FBI's seizure of Cryptolocker C&C servers allegedly controlled by Bogachev, "malware authors are just going to rent from some of the many other botnets out there that are still for lease," Moffitt says.

Would-be cybercriminals have plenty of other ransomware choices, which include CryptoDefense, CryptoWall, DirCrypt, as well as what's being branded as a new version of Cryptolocker. All four types of ransomware demonstrate how attackers continue to refine this particular brand of shakedown, with attackers having dispensed with a standalone graphical user interface. Instead, their malware simply changes the background of every directory that's been encrypted to display text instructions for how it can be decrypted.

Another change is that attackers previously demanded payment to a third-party payment service via the malware GUI, for example to their MoneyPak key, which would allow attackers to load up prepaid cards, which can be cashed out at ATMs by money mules. Now, however, "you have to install Tor or another layered encryption browser to pay [attackers] securely and directly," Moffitt says. "This allows malware authors to skip money mules and increase the percent of profits."

Critroni Ransomware

New types of ransomware continue to appear. One recent example is Critroni, which debuted as CTB-Locker - for Curve-Tor-Bitcoin Locker - in the middle of June on underground cybercrime forums, and which was initially used primarily to attack Russian targets, says the French malware researcher known as Kafeine on his "Malware don't need coffee" blog. Multiple versions - both Russian-language and English-language - of the Critroni ransomware have since been seen in the wild, and not just targeting Russians, the researcher says.

The ransomware promises to encrypt all personal files on an infected PC - whether or not it's connected to the Internet - and warns the victim they have just 72 hours to download the Tor browser bundle and remit 0.35 bitcoins (about $220) to the attacker. Once the time expires, the Critroni infection promises to erase itself, thus making decryption and recovery of the files impossible.

Kafeine reports that Critroni sells for $3,000 on the black market per month, including free support, or $300 per month for more advanced support. "You can freely use the system after the end of support to launch new server-generate lockers," reads a translation of a Russian black market advertisement. "You will only be limited in future updates." In what appeared to be a bid to rapidly boost market share, the developer had also promised a 50-percent discount to the first buyer.

Neverquest Financial Trojan

Criminals also continue to build and refine new types of banking Trojans (see Gameover Zeus Trojan Returns). Symantec, for example, says that a new version of Neverquest, a.k.a. the Snifula Trojan, which first appeared in 2006, continues to be updated to target an ever-expanding number of international banks.

Like Zeus, the malware offers criminals a variety of easy-to-use Web injection - or "man in the browser" - attack capabilities that allow the malware to hook into Windows processes, gain direct access to raw data and manipulate the browser GUI to disguise its activities. It also includes remote-control capabilities, and it can steal digital certificates, extract stored website usernames and passwords, log keystrokes and capture screenshots and video.

"The [malware] monitors the Web pages users visit and starts logging when any of the strings in the configuration file matches with part of a URL or Web page content," Symantec says. "We can see around 400 strings related to social networking, customer relationship management, Web mail, messaging, cloud computing, storage, financial, online movie, photo sharing and gaming services. It seems that most major online services, for both consumer and enterprise users, are covered."

The most recent version also includes Web injection configuration files for at least eight Japanese banks, 10 German financial institutions and 50 financial institutions in the United States. From December 2013 and July 2014, Symantec says 39 percent of all Snifula infections were seen in the United States, followed by Japan (18 percent), Germany (11 percent) and the United Kingdom (11 percent). Symantec says the malware demonstrates how attackers, ever seeking new victims, continue to target not just large financial services institutions, but smaller, more local banking customers too.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network