Acting as kind of a ghost town from the old wild west, file-encrypting CryptoLocker ransomware suffered a take-down last month, but its delivery network is still up and running for other bad guys to jump in at use, researchers said.
Keeping tabs on CryptoLocker over the past nine months, a period during which cybercriminals used the malware to extort tens of millions of dollars from victims, security firm, Bitdefender, estimated victim losses at roughly $27 million, but the actual damage, without including the value of the lost files, could be twice as much.
The first attempt to disrupt CryptoLocker took place in November 2013, when the MalwareMustDie group started taking down the command and control (C&C) domains used by the malware. By early December, they had disrupted around 150 domains, but the threat survived the takedown efforts.
In June 2014, the security industry and law enforcement disrupted the Gameover Zeus infrastructure, used as an infection vector for the ransomware. This second operation against CryptoLocker has been much more successful and communications between infected devices and the botnet ended up cut off.
This means computers could still be suffering from infections. So, if users do not disinfect their computers, they could still lose access to their data if the attackers can resurrect the threat.
Another effect of the operation is while victims can pay the ransom, the server can’t send the decryption keys so there’s no way for them to recover their files, Bitdefender said.
While communications remain disrupted, the CryptoLocker infrastructure is still up, and according to the security company, other cybercriminals are using it for scams, fake antiviruses, fraud, casino schemes and even for the Citadel banking Trojan.
“At the moment, the fate of Cryptolocker is undetermined. Infected computers all over the world are still trying to call home to pre-determine URL addresses created using the DGA algorithm, but they are unable to resolve the corresponding IP addresses,” Bitdefender said in its report. “However, the Gameover/Zeus family could be back online and we are prepared for an updated Cryptolocker with a new DGA or TOR connectivity to be delivered to the (still) infected computers and to new victims.”
Researchers said it’s unlikely for cybercriminals to give up on file-encrypting ransomware, considering that such threats help them make significant amounts of money. Some groups have even started using Tor to anonymize communications and protect their operations.
“One example would be TorLocker, a commercial ransomware toolkit sold on underground forums as an affiliate program. Among its most touted features, TorLocker includes built-in encryption keys that are renewed every 10 infections and the ability to call home via Tor. Built-in keys allow TorLocker to encrypt files even if the victim PC is not online, while Tor-based communication makes it nearly impossible to shut down the operation,” Bitdefender said.