Ransomware going strong, despite takedown of Gameover Zeus
In late May, an international law enforcement effort disrupted the Gameover Zeus (GoZ) botnet, a network of compromised computers used for banking fraud.
The operation also hobbled a secondary, but equally important cyber-criminal operation: the Cryptolocker ransomware campaign, which used a program distributed by the GoZ botnet to encrypt victims’ sensitive files, holding them hostage until the victim paid a fee, typically hundreds of dollars. The crackdown, and the subsequent discovery by security firms of the digital keys needed to decrypt affected data, effectively eliminated the threat from Cryptolocker.
Yet, ransomware is not dead, two recent analyses have found. Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks. Cryptowall first appeared in November 2013 and spread slowly, but the group behind the program was ready to take advantage of the vacuum left by the downfall of its predecessor.
Being prepared paid off: In six months, the Cryptowall group infected nearly 625,000 systems, and even though only 0.27% of victims paid, the group still made $1.1 million, according to data from a command-and-control server discovered by Dell Secureworks. Ransomware is here to stay, the company concluded.
“The threat actors behind this malware have several years of successful cybercrime experience and have demonstrated a diversity of distribution methods,” the report stated. “As a result, (we) expect this threat will continue to grow.”
A second analysis came to a similar conclusion. In its Threat Report for the first half of 2014, security firm F-Secure found that Cryptolocker infections had dropped following the takedown. Yet the creator is still at large, and will likely try again, Sean Sullivan, security advisor and researcher with the company, told Ars.
“There is a lot of potential money to be made if you can figure out how to get paid,” he said. “It is easier than going after the banks.”
The fact that getting paid is also the easiest way to get caught is the biggest drawback of data-napping crimes. Yet that obstacle is rapidly disappearing with the increasing adoption of Bitcoin and other cryptocurrencies. Cryptowall, for example, relies solely on Bitcoin, and has only about a third of the payment rate of Cryptolocker, which also accepted payment cards.
Enabling crime is a downside of cryptocurrencies, Sullivan said. “Frictionless, online currencies facilitate bad stuff as well as good.”
The takedown of Gameover Zeus may raise the stakes in the arms race between criminals and law enforcement, according to Sullivan. Ransomware could become the option of last resort for malware on any infected computer.
Normally, criminals would not widely distribute ransomware, because the victim then knows their computer is infected, and the compromised system has no other utility than as a hostage. Yet, if law enforcement is preparing to take down the botnet, having such a poison pill could make them pause, he said. If, for example, a computer does not contact the command-and-control servers within a certain amount of time, a sign that the owner may be aware of the infection, future malware may encrypt the drive and demand a ransom, Sullivan said.
“Seems to me that they will come up with a strategy to make sure that law enforcement does not take their botnet down again,” Sullivan said. “It is like game theory during a kidnapping, where if they go to arrest you, you shoot the hostage.”
“There is never not an escalation,” he said.