Feds declare big win over Cryptolocker ransomware

'Neutralized' the extortion software; but hacker gang is already spewing new malware, experts say

Even as security researchers reported that the hacker gang responsible for the Gameover Zeus botnet have begun distributing new malware, U.S. government officials last week claimed victory over the original and said that the Cryptolocker ransomware it had been pushing has been knocked out.

On Friday, July 11, the Department of Justice (DOJ) filed a status update with a Pennsylvania federal court, telling the judge that both the Gameover Zeus botnet and Cryptolocker "remained neutralized."

"Analysis to date indicates that all or nearly all of the active computers in the [Gameover Zeus] network are communicating exclusively with the substitute server established pursuant to this Court's Orders," the document stated.

In early June, the DOJ, along with law enforcement agencies in several other countries, grabbed control of the Gameover Zeus botnet, and filed both criminal and civil charges against the alleged administrator of the botnet, Evgeniy Bogachev, a Russian national who remains at large.

Cryptolocker, a type of "ransomware" -- the term for extortion malware that encrypts files and then tries to convince users to pay to decrypt them so they can again be opened -- was distributed exclusively by Gameover Zeus.

The disruption of the original Gameover Zeus, along with cleanup efforts by various countries' computer security response teams, or CIRTs, and Internet service providers (ISPs), has reduced the number of infected PCs by more than 31%, the DOJ said in the Friday report. More than 137,000 machines remain infected, however.

"Government testing of Cryptolocker malware samples has confirmed that Cryptolocker is no longer able to encrypt newly infected computers and, as a result, is not currently a threat," the prosecutors added. "Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers. As of today, the injunctive relief ordered ... knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."

Court orders last month allowed authorities to seize the servers that issued commands to Gameover Zeus and Cryptolocker, and to redirect infected PCs' requests for instructions to government-controlled servers instead.

Bogachev, who was put on the FBI's Cyber Most Wanted List last month, has not been arrested. On that list he joined four members of the People's Liberation Army (PLA), China's military, who were accused of digital spying in May.

But even as the DOJ gave the federal judge the Gameover Zeus/Cryptolocker update, experts said that the cybercriminal gang behind the botnet was at it again.

According to Dell SecureWorks' Counter Threat Unit, those responsible for the original Gameover Zeus have begun seeding new malware via spam since at least July 10.

The hackers, no longer able to reach their command-and-control servers once authorities seized the systems last month, have built an alternative that relies on a more centralized infrastructure, said SecureWorks.

The group's reappearance was not a surprise: Security professionals had predicted that the government's June takedown would not permanently stamp out either the gang or put an end to ransomware, which has a rich history, literally and figuratively, going back at least nine years.

In the report filed with the federal court, the DOJ said it would issue another status update on the original Gameover Zeus botnet and Cryptolocker malware infections on Aug. 15.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
