CryptoLocker Infrastructure Used for Other Threats: Bitdefender

The notorious file-encrypting CryptoLocker ransomware has not been active since the latest takedown operation last month, but its delivery network is still up and running, Bitdefender said in a report published on Wednesday.

The security firm has kept a close eye on CryptoLocker over the past nine months, a period during which cybercriminals used the malware to extort tens of millions of dollars from victims. Bitdefender estimates victim losses at roughly $27 million, but the actual damage, without including the value of the lost files, could be twice as much.

The first attempt to disrupt CryptoLocker took place in November 2013, when the MalwareMustDie group started taking down the command and control (C&C) domains used by the malware. By early December, they had disrupted around 150 domains, but the threat survived the takedown efforts.

In June 2014, the security industry and law enforcement disrupted the Gameover Zeus infrastructure, which had been used as an infection vector for the ransomware. This second operation against CryptoLocker has been far more effective: communications between infected devices and the botnet have been cut off.

This means that there might still be infected computers on which the threat hasn’t been activated yet because the botnet was disrupted before the encryption process started. However, if users do not disinfect their computers, they could still lose access to their data if the attackers manage to resurrect the threat.

Another effect of the operation is that while victims can still pay the ransom, the C&C server can no longer deliver the decryption keys, so paying does not get their files back, Bitdefender said.

While communications have been disrupted, the CryptoLocker infrastructure is still up, and according to the security company, it’s currently being used by other cybercriminals for scams, fake antiviruses, fraud, casino schemes and even for the Citadel banking Trojan.

“At the moment, the fate of Cryptolocker is undetermined. Infected computers all over the world are still trying to call home to pre-determined URL addresses created using the DGA algorithm, but they are unable to resolve the corresponding IP addresses,” Bitdefender noted in its report. “However, the Gameover/Zeus family could be back online and we are prepared for an updated Cryptolocker with a new DGA or TOR connectivity to be delivered to the (still) infected computers and to new victims.”
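The behaviour Bitdefender describes, a still-infected machine querying domain after domain that no longer resolves, is itself a usable detection signal for anyone who wants to find such hosts before the operators return. The script below is an added illustration, not code from the article or from Bitdefender, and it does not reproduce CryptoLocker's real DGA: it reads resolver log lines in an assumed four-column format (timestamp, client, queried name, response code), constructed here for the example, and flags clients that combine a high NXDOMAIN ratio with high character entropy in the failed names. Requiring both signals keeps a typo or a stale internal name such as wpad.corp.local from tripping the detector.

```python
"""Flag hosts whose DNS traffic looks like a DGA-driven bot calling home to
sinkholed or unregistered C&C domains: many NXDOMAIN answers for names whose
registrable label has high character entropy.

Added illustration. The log lines are constructed for the example and nothing
here reproduces CryptoLocker's actual domain generation algorithm.
"""
import math
from collections import defaultdict

# Constructed resolver log. Assumed format: "<timestamp> <client> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2014-07-09T10:00:01 10.0.0.5 www.example.com NOERROR
2014-07-09T10:00:02 10.0.0.5 mail.example.com NOERROR
2014-07-09T10:00:04 10.0.0.5 cdn.example.net NOERROR
2014-07-09T10:00:05 10.0.0.5 www.wikipedia.org NOERROR
2014-07-09T10:00:06 10.0.0.5 www.bitdefender.com NOERROR
2014-07-09T10:00:07 10.0.0.5 securityweek.com NOERROR
2014-07-09T10:00:03 10.0.0.7 qxkvprlsmtwyab.org NXDOMAIN
2014-07-09T10:00:03 10.0.0.7 zhrtpaylqnbsdc.net NXDOMAIN
2014-07-09T10:00:04 10.0.0.7 mfjdkwexbqrtlu.com NXDOMAIN
2014-07-09T10:00:04 10.0.0.7 vnchgsbxyzamoq.biz NXDOMAIN
2014-07-09T10:00:05 10.0.0.7 tpldrkqwjfhmxe.info NXDOMAIN
2014-07-09T10:00:05 10.0.0.7 bgzruvnklfaoyt.ru NXDOMAIN
2014-07-09T10:00:08 10.0.0.11 wpad.corp.local NXDOMAIN
2014-07-09T10:00:09 10.0.0.11 wpad.corp.local NXDOMAIN
2014-07-09T10:00:10 10.0.0.11 wpad.corp.local NXDOMAIN
2014-07-09T10:00:11 10.0.0.11 wpad.corp.local NXDOMAIN
2014-07-09T10:00:12 10.0.0.11 wpad.corp.local NXDOMAIN
2014-07-09T10:00:13 10.0.0.9 wwww.exmaple.com NXDOMAIN
2014-07-09T10:00:14 10.0.0.9 www.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label immediately left of the TLD ("qxkvprlsmtwyab" in "qxkvprlsmtwyab.org").
    Naive on purpose: public suffixes such as co.uk would need a suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_dns_log(text):
    """Parse the assumed 4-column format into (client, qname, rcode) tuples,
    skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        records.append((client, qname, rcode.upper()))
    return records


def score_hosts(records):
    """Per client: query count, NXDOMAIN ratio, and mean entropy of the
    registrable labels of the names that failed to resolve."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": []})
    for client, qname, rcode in records:
        s = per_client[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["entropies"].append(shannon_entropy(registrable_label(qname)))
    stats = {}
    for client, s in per_client.items():
        ent = s["entropies"]
        stats[client] = {
            "queries": s["queries"],
            "nx_ratio": s["nxdomain"] / s["queries"],
            "mean_nx_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return stats


def flag_dga_beaconing(records, min_queries=5, nx_ratio_threshold=0.6, entropy_threshold=3.0):
    """Clients exceeding both thresholds. Hosts with fewer than min_queries
    queries are ignored so a single typo never trips the detector."""
    flagged = []
    for client, s in score_hosts(records).items():
        if s["queries"] < min_queries:
            continue
        if s["nx_ratio"] >= nx_ratio_threshold and s["mean_nx_entropy"] >= entropy_threshold:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for client, s in sorted(score_hosts(recs).items()):
        print(f"{client:10} queries={s['queries']:2} nx_ratio={s['nx_ratio']:.2f} "
              f"nx_entropy={s['mean_nx_entropy']:.2f}")
    print("likely DGA beaconing:", flag_dga_beaconing(recs))
```

On the constructed log only 10.0.0.7 is flagged: 10.0.0.11 fails every lookup but the label "corp" carries only 2 bits of entropy, and 10.0.0.9 has too few queries to judge. The thresholds are starting points to tune against a baseline of the network's own NXDOMAIN rate; CDN and anti-spam hostnames can also look random, so treat a hit as a host to examine, not a verdict.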

Experts believe that it’s unlikely for cybercriminals to give up on file-encrypting ransomware, considering that such threats help them make significant amounts of money. Some groups have even started using Tor to anonymize communications and protect their operations.

“One example would be TorLocker, a commercial ransomware toolkit sold on underground forums as an affiliate program. Among its most touted features, TorLocker includes built-in encryption keys that are renewed every 10 infections and the ability to call home via Tor. Built-in keys allow TorLocker to encrypt files even if the victim PC is not online, while Tor-based communication makes it nearly impossible to shut down the operation,” Bitdefender said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
