CryptoLocker Infrastructure Used for Other Threats: Bitdefender

The notorious file-encrypting CryptoLocker ransomware has not been active since the latest takedown operation last month, but its delivery network is still up and running, Bitdefender said in a report published on Wednesday.

The security firm has kept a close eye on CryptoLocker over the past nine months, a period during which cybercriminals used the malware to extort tens of millions of dollars from victims. Bitdefender estimates victim losses at roughly $27 million, but the actual damage could be twice that, even before counting the value of the lost files.

The first attempt to disrupt CryptoLocker took place in November 2013, when the MalwareMustDie group started taking down the command and control (C&C) domains used by the malware. By early December, they had disrupted around 150 domains, but the threat survived the takedown efforts.

In June 2014, the security industry and law enforcement disrupted the Gameover Zeus infrastructure, which had been used as an infection vector for the ransomware. This second operation against CryptoLocker has been much more successful and communications between infected devices and the botnet have been cut off.

This means that there might still be infected computers on which the threat hasn’t been activated yet because the botnet was disrupted before the encryption process started. However, if users do not disinfect their computers, they could still lose access to their data if the attackers manage to resurrect the threat.

Another effect of the operation is that, while victims can still pay the ransom, the server can no longer send them the decryption keys, so there is no way for them to recover their files, Bitdefender said.

While communications have been disrupted, the CryptoLocker infrastructure is still up, and according to the security company, it’s currently being used by other cybercriminals for scams, fake antiviruses, fraud, casino schemes and even for the Citadel banking Trojan.

“At the moment, the fate of Cryptolocker is undetermined. Infected computers all over the world are still trying to call home to pre-determined URL addresses created using the DGA algorithm, but they are unable to resolve the corresponding IP addresses,” Bitdefender noted in its report. “However, the Gameover/Zeus family could be back online and we are prepared for an updated Cryptolocker with a new DGA or TOR connectivity to be delivered to the (still) infected computers and to new victims.”
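The behaviour Bitdefender describes, infected hosts repeatedly asking for algorithmically generated domains that no longer resolve, is visible to defenders in resolver logs as bursts of NXDOMAIN answers for random-looking names from a single client. The following is an added detection example written for this article, not code from the article or from Bitdefender's report; it does not reproduce CryptoLocker's own DGA. The log line format, the sample log lines, the thresholds and the simplified second-level-label extraction are all assumptions, and nothing here is tied to any particular malware family.

```python
"""Flag hosts that repeatedly fail to resolve random-looking domains.

Added example, not taken from the article or Bitdefender's report. Sinkholed or
taken-down DGA infrastructure shows up in resolver logs as bursts of NXDOMAIN
answers for high-entropy names from the same client. The log format below is an
assumption; adapt parse_dns_log() to your resolver's output.
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log (assumed format: "<timestamp> <client_ip> <query_name> <rcode>").
# 10.0.0.5 is a normal host with one typo; 10.0.0.17 mimics a host calling sinkholed DGA domains.
SAMPLE_DNS_LOG = """\
2014-07-09T10:00:01 10.0.0.5 www.example.com NOERROR
2014-07-09T10:00:02 10.0.0.5 mail.example.com NOERROR
2014-07-09T10:00:04 10.0.0.5 wwww.example.com NXDOMAIN
2014-07-09T10:00:03 10.0.0.17 time.example.com NOERROR
2014-07-09T10:00:05 10.0.0.17 xkqpfwtaidmveb.org NXDOMAIN
2014-07-09T10:00:05 10.0.0.17 mvlrjzcqkeuotn.net NXDOMAIN
2014-07-09T10:00:06 10.0.0.17 hgbsyfoqwzrcip.com NXDOMAIN
2014-07-09T10:00:06 10.0.0.17 tnukqxvmpdlaej.biz NXDOMAIN
2014-07-09T10:00:07 10.0.0.17 wroyczsbgfdhtm.info NXDOMAIN
2014-07-09T10:00:07 10.0.0.17 jpaxlkqurbnvoy.ru NXDOMAIN
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_dns_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "rcode": rcode})
    return records


def registrable_label(qname):
    """Return the label left of the TLD ("www.example.com" -> "example").

    Simplification: no public-suffix handling, so "foo.co.uk" yields "co".
    """
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character; random labels score well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dga_suspects(records, min_failures=5, min_entropy=3.0):
    """Group NXDOMAIN answers by client and flag clients whose failed lookups
    are both numerous and, on average, high-entropy.

    Returns {client: {"nxdomain_count": int, "mean_entropy": float, "domains": [...]}}.
    Thresholds are illustrative; tune them against your own baseline traffic.
    """
    failed = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            failed[r["client"]].append(r["qname"])

    suspects = {}
    for client, names in failed.items():
        if len(names) < min_failures:
            continue
        mean_ent = sum(shannon_entropy(registrable_label(n)) for n in names) / len(names)
        if mean_ent >= min_entropy:
            suspects[client] = {"nxdomain_count": len(names),
                                "mean_entropy": round(mean_ent, 3),
                                "domains": sorted(names)}
    return suspects


if __name__ == "__main__":
    for client, info in flag_dga_suspects(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {info['nxdomain_count']} NXDOMAIN answers, "
              f"mean label entropy {info['mean_entropy']}")
        for d in info["domains"]:
            print("   ", d)
```

Run against the constructed log, only 10.0.0.17 is flagged: its six failed lookups all carry labels of fourteen distinct characters (entropy about 3.81 bits), while 10.0.0.5's single typo falls under the count threshold. Entropy alone is a weak signal (CDN hostnames also look random), which is why the count and the NXDOMAIN status are required together; in production the same logic would run over a sliding time window rather than a whole file.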

Experts consider it unlikely that cybercriminals will give up on file-encrypting ransomware, given how much money such threats bring in. Some groups have even started using Tor to anonymize communications and protect their operations.

“One example would be TorLocker, a commercial ransomware toolkit sold on underground forums as an affiliate program. Among its most touted features, TorLocker includes built-in encryption keys that are renewed every 10 infections and the ability to call home via Tor. Built-in keys allow TorLocker to encrypt files even if the victim PC is not online, while Tor-based communication makes it nearly impossible to shut down the operation,” Bitdefender said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
