CryptoLocker ransomware infections collapse after Gameover takedown, researchers estimate

Temporary victory over hated ransom menace

This week's global police assault on the vast P2P Gameover Zeus botnet has left the distribution system for the Cryptolocker ransom malware foundering, according to two Danish security firms that have been monitoring new infections.

Patching firm Heimdal Security and partner CSIS Security Group estimate that by early May 2014, just before Gameover was disrupted, at least 1.2 million computers were infected by the botnet, with 50,000 systems joining it in an average week. This has now been reduced to the low hundreds or even close to zero.

An unknown number of these were also affected by one of its payloads, the hated CryptoLocker, which appeared to have suffered its first-ever reverse last Friday. It has never been clear how much CryptoLocker has depended on Gameover, although the two are believed to have been developed by the same gang of criminals.

It now looks as though Gameover was critical to CryptoLocker's success, with the detection of new infections effectively dropping to zero, the firms said, without being candid about how they calculated this for fear of revealing their monitoring effort to the malware gang.

"At the beginning of May this year, we saw a high rate of new Cryptolocker infections, with as many as 5,000 new infections per day. Later in May, infections even peaked at a very high number of 8,000 infections per day," said Heimdal Security's CEO, Morten Kjaersgaard.

"Our intelligence now shows that the number of new infected machines has dropped off significantly and is currently relatively stable around 0 [zero]."

None of this does anything to reduce the large but unknown number of PCs already infected by CryptoLocker, but it does at least suggest that the malware has at last revealed the weakness of its dependency on the Gameover platform.

The firm had seen no drop-off in the number of currently infected systems, although the loss of Gameover's command and control will have disrupted the channel through which ransom payments are collected and, in theory, decryption keys are sent back to victims (note: there is strong anecdotal evidence that the criminals no longer send keys even when paid).

The US represented by some way the largest portion of these infected systems, he said.

"Especially the US, UK and Germany have been hit hard by the Zeus Gameover P2P malware over the last few months, but this joint effort has really made a big blow against the malware."

But how on earth did Gameover become so powerful and how was it and its nasty CryptoLocker sideline spiked?

From this week's dramatic headlines and back-slapping press releases, you could be mistaken for thinking that Gameover Zeus is a relatively new menace that has been stopped in its tracks. Nothing could be further from the truth.

Its effects were first documented by Dell SecureWorks under an early name, 'Prg Trojan', as long ago as June 2007, when the firm's researchers discovered a sizable cache of keylogged online bank account details and social security numbers. Many of those appeared to be connected to the high-profile breach of the US Monster.com jobs site around the same time.

By the time in 2011 and 2012 it had morphed into what became known as the Zeus banking malware, it was being targeted by Microsoft's Digital Crimes Unit (DCU) in a controversial operation called Operation b71, a command and control takedown that also involved servers used by SpyEye and Ice-IX variants.

That operation, coincidentally, bears a superficial comparison with what happened last week, which suggests that Gameover will probably reconstitute itself in some form just as it did after b71.

One of the ways it evolved to fight off this kind of takedown was by moving to a P2P design, also used by the Sality, ZeroAccess and Kelihos botnets, in which there are no central C&C servers. This makes it inherently hard to detect, partly because infected nodes distribute communication across a large number of nodes that each see only a few of their neighbours, but also because many sit behind firewalls and NAT protection; the latter makes it incredibly difficult to get to grips with the size of the botnet. Many nodes become invisible.
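The census problem described above can be seen in a small simulation. This is an added illustration, not code from the article or from the researchers it quotes, and it models a generic peer-list overlay rather than Gameover's actual protocol: nodes behind NAT only make outbound connections, so they are never advertised as peers and a crawler that follows peer lists cannot count them.

```python
import random

def build_overlay(n_nodes, peers_per_node, nat_fraction, seed=7):
    """Constructed toy model of a peer-to-peer botnet overlay (an
    assumption for illustration, not the real Gameover design).
    The first int(n_nodes * nat_fraction) nodes sit behind NAT/firewalls:
    they make outbound connections but accept none, so they are never
    advertised in anyone's peer list. Every node keeps a short peer list
    of `peers_per_node` reachable nodes, which is all it knows of the
    network. Returns (peer_lists, reachable) with reachable as a set."""
    rng = random.Random(seed)
    n_nat = int(n_nodes * nat_fraction)
    reachable = set(range(n_nat, n_nodes))
    peer_lists = {}
    for node in range(n_nodes):
        candidates = [p for p in sorted(reachable) if p != node]
        peer_lists[node] = rng.sample(candidates, peers_per_node)
    return peer_lists, reachable

def crawl(peer_lists, reachable, start):
    """Active census the way a research crawler does it: connect to a
    node, request its peer list, and follow every entry. Only nodes that
    accept inbound connections can be asked, and only advertised peers
    are ever learned, so NAT-hidden nodes are never seen at all."""
    discovered, queue = {start}, [start]
    while queue:
        node = queue.pop()
        if node not in reachable:
            continue                      # behind NAT: cannot be contacted
        for peer in peer_lists[node]:
            if peer not in discovered:
                discovered.add(peer)
                queue.append(peer)
    return discovered

def census(n_nodes=400, peers_per_node=6, nat_fraction=0.6, seed=7):
    """Compare what a crawl reports with the true population size."""
    peer_lists, reachable = build_overlay(n_nodes, peers_per_node,
                                          nat_fraction, seed)
    seen = crawl(peer_lists, reachable, start=min(reachable))
    return {
        "true_size": n_nodes,
        "crawled": len(seen),
        "missed_fraction": 1 - len(seen) / n_nodes,
    }

if __name__ == "__main__":
    print(census())
```

Whatever the crawl returns, the missed fraction is never below the NAT share, which is why crawler-based size estimates for such botnets are lower bounds at best.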

The numerous companies and academic institutions that have helped research and probe for weaknesses in Gameover's P2P design have been very coy about how they broke into it. Suffice it to say that the basic principle was to trick the botnet into accepting sinkholes that emulated its P2P behaviour, isolating the other nodes as far as possible and then stopping the botnet from activating a fallback channel.

Not easy.

The sources Techworld contacted about these techniques did not want to go into more detail than that; many have been tracking Zeus and the later Gameover in detail for years and, incidentally, weren't best pleased when Microsoft made b71 public. Every takedown risks more precious intelligence leaking out.

But in this area, reticence is normal and well-established. Botnet designers are always looking for ways to harden their creations against sinkholing, and the attack on Gameover appears to have used the technique with unparalleled success. Nobody wants to make it easy for them.

One possibility for the extra shyness this time could be that the researchers working on Gameover exploited a software vulnerability. Gameover is clever, innovative and successful, but it is software after all, and that makes it vulnerable.

Stories by John E Dunn
