Ransomware Survives Takedown

Tuesday, December 10, 2013 @ 05:12 PM gHale

An attempt to take down command and control nodes associated with the CryptoLocker malware was unsuccessful.

Activists from the group Malware Must Die put together a list of domains associated with the malware’s communications channels and began a takedown operation on December 1. The malware encrypts files on infected machines before demanding a ransom of up to 2 Bitcoins (worth just over $2,000).


Most of the 138 targeted domains ended up suspended, but the effort failed to kill off the malware, which quickly resurfaced, according to anti-botnet firm Damballa.

Adrian Culley, a former Scotland Yard detective turned technical consultant at Damballa, said the take-down effort might have been more successful with post-takedown analysis.

“It is no surprise that the announcements of the death of CryptoLocker appear to have been somewhat premature. An essential part of the process is post-takedown analysis, which may turn out to be a post-mortem, or a triage of the zombie remnants of a botnet, or may indeed confirm that the botnet is very much still alive and kicking.”

“It is essential to undertake this analysis post any sinkholing activity, which does appear to have happened in this instance,” Culley said. “CryptoLocker appears to have the same resilience as many other C&C based attacks.”

CryptoLocker’s routine is to arrive in email as an executable file disguised as a PDF, packed into a .zip attachment. A spam run targeting millions of users in the UK prompted a warning from the UK National Crime Agency last month.

If it executes successfully, CryptoLocker encrypts the contents of the hard drive and any connected LAN drives before demanding payment for the private key needed to decrypt the data.
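The delivery path described above (an executable posing as a PDF inside a .zip attachment) is the point where a mail gateway can still stop the infection before anything is encrypted. The following Python is an added example written for this article; it is not code from the article, from Malware Must Die or from Damballa. It assumes the gateway hands over the raw bytes of the .zip attachment, and it builds a constructed sample archive in memory so it runs offline. The checks compare each member's claimed extension with its leading bytes (a Windows PE file starts with `MZ`, a PDF with `%PDF`); the double-extension check (`invoice.pdf.exe`) is an assumption about how the disguise is typically done, since the article says only that the file is "disguised as a PDF".

```python
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def build_sample_attachment() -> bytes:
    """Constructed sample attachment (not a real malware sample): one member
    whose name claims to be a PDF but whose bytes carry the PE/DOS 'MZ' header,
    one genuine-looking PDF and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # disguised executable
        zf.writestr("report.pdf", b"%PDF-1.4\n%placeholder")    # real PDF signature
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


def inspect_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member: name, whether it looks suspicious,
    and the reasons. Only the first 8 bytes of each member are read, so the
    check is cheap even for large archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as member:
                head = member.read(8)
            # Split "invoice.pdf.exe" into [".pdf", ".exe"]; the last one is what
            # Windows will actually use to decide how to open the file.
            exts = ["." + p for p in name.lower().split(".")[1:]]
            last_ext = exts[-1] if exts else ""
            reasons = []
            if last_ext in EXECUTABLE_EXTENSIONS and any(
                e in DOCUMENT_EXTENSIONS for e in exts[:-1]
            ):
                reasons.append("double extension: document name ending in an executable extension")
            if head.startswith(b"MZ") and last_ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE/DOS header behind a non-executable extension")
            if last_ext == ".pdf" and not head.startswith(b"%PDF"):
                reasons.append("claims .pdf but lacks the %PDF signature")
            if head.startswith(b"MZ"):
                reasons.append("contains a Windows executable")
            findings.append({"name": name, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Names of members a gateway policy would quarantine."""
    return [f["name"] for f in inspect_attachment(zip_bytes) if f["suspicious"]]


if __name__ == "__main__":
    for finding in inspect_attachment(build_sample_attachment()):
        print(finding)
```

The signature check matters more than the name check: renaming alone does not change the first two bytes of a PE file, so a member that starts with `MZ` is an executable whatever its extension says, and a gateway that quarantines on that alone removes this delivery vector regardless of how the name is dressed up.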
