The notorious file-encrypting CryptoLocker ransomware has not been active since the latest takedown operation last month, but its delivery network is still up and running, Bitdefender said in a report published on Wednesday.
The security firm has kept a close eye on CryptoLocker over the past nine months, a period during which cybercriminals used the malware to extort tens of millions of dollars from victims. Bitdefender etimates victim losses at roughly $27 million, but the actual damage, without including the value of the lost files, could be twice as much.
The first attempt to disrupt CryptoLocker took place in November 2013, when the MalwareMustDie group started taking down the command and control (C&C) domains used by the malware. By early December, they had disrupted around 150 domains, but the threat survived the takedown efforts.
In June 2014, the security industry and law enforcement disrupted the Gameover Zeus infrastructure, which had been used as an infection vector for the ransomware. This second operation against CryptoLocker has been much more successful and communications between infected devices and the botnet have been cut off.
This means that there might still be infected computers on which the threat hasn’t been activated yet because the botnet was disrupted before the encryption process started. However, if users do not disinfect their computers, they could still lose access to their data if the attackers manage to resurrect the threat.
Another effect of the operation is that while victims can pay the ransom, the server can’t send the decryption keys so there’s no way for them to recover their files, Bitdefender said.
While communications have been disrupted, the CryptoLocker infrastructure is still up, and according to the security company, it’s currently being used by other cybercriminals for scams, fake antiviruses, fraud, casino schemes and even for the Citadel banking Trojan.
“At the moment, the fate of Cryptolocker is undetermined. Infected computers all over the world are still trying to call home to pre-determine URL addresses created using the DGA algorithm, but they are unable to resolve the corresponding IP addresses,” Bitdefender noted in its report. “However, the Gameover/Zeus family could be back online and we are prepared for an updated Cryptolocker with a new DGA or TOR connectivity to be delivered to the (still) infected computers and to new victims.”
Experts believe that it’s unlikely for cybercriminals to give up on file-encrypting ransomware, considering that such threats help them make significant amounts of money. Some groups have even started using Tor to anonymize communications and protect their operations.
“One example would be TorLocker, a commercial ransomware toolkit sold on underground forums as an affiliate program. Among its most touted features, TorLocker includes built-in encryption keys that are renewed every 10 infections and the ability to call home via Tor. Built-in keys allow TorLocker to encrypt files even if the victim PC is not online, while Tor-based communication makes it nearly impossible to shut down the operation,” Bitdefender said.