
David Balaban


The New Scourge of Ransomware 6: CryptoLocker Takedown

Finally, John Bambenek and Lance James touch upon Operation Tovar, which ended the CryptoLocker campaign, and dwell on the lessons learned from the whole incident.

John Bambenek: Operation Tovar, going on to the takedown (see right-hand image). Law enforcement agencies of 13 countries and lots of individuals and organizations participated. This took Gameover ZeuS and CryptoLocker offline, whole and entire.

As of this writing, CryptoLocker is dead and has not yet re-emerged (see left-hand image). There are some GOZ attempts out there. We don’t think there are any victims, but it’s clear that the bad guys are probing what we’re doing to see how we’re doing to prevent them from coming online, to see what registrars, what techniques they can use to get outside of our visibility. Again, we are providing near-time surveillance of that, too. The domains are being taken down.

So, did it work? Yeah. The reason? Law enforcement was involved, private sector was involved – there are true partners. But there was a lot of intelligence footwork done (see right-hand image). What’s the collateral damage? How will they react to it? Going into it, we know what’s going to happen.

We ended up waiting on the CryptoLocker takedown and merged it with GOZ, for reasons we already talked about (see left-hand image). But we spent a lot of time talking about the impact. What happens if we take the server of the private keys offline? Well, victims can no longer pay. You know, that is something that’s relevant. That’s a slower process than I would like, but it’s there. That said, as of about 6 hours after writing this slide, there is Decrypt CryptoLocker which uses techniques to, basically, decrypt those files. So, if you have a victim, even going back to August or September, now there’s a means to recover those files if they didn’t pay.

Lance James: And again, that’s a combination of the seized drives themselves working with the industry. I think Fox-IT and FireEye kind of worked together, and I’m sure law enforcement in Europe did as well. That’s exactly the kind of thing we are wanting to see more of.

John: How these techniques fail is somebody goes it alone, doesn’t care about collateral damage and breaks everything (see right-hand image). They burn before pillaging. In the absence of the rule of law, all you have left is tribal justice. But that makes it hard for people to do well-thought-out takedowns.

Regarding the future of ransomware (see left-hand image), you know, CryptoLocker is dead, but it captured the imagination. There will be other things out there. There are a couple of examples out there (see right-hand image). There is a technique of locking iPhones for ransom using the Find My iPhone service. There was a cloud service company where somebody basically said, “Pay us this, or we’re going to delete all your stuff.” They didn’t pay the ransom, and an entire company went out of business. So, protecting cloud services matters; that’s an extortion-based attack. There are a couple of other things that use Tor and Bitcoin.

On to the techniques – I think DGAs will be out there for a while (see left-hand image). Tor and Bitcoin will still be used. Bitcoin provides a lot of benefit to the bad guys even if it’s not accessible to everybody.

Lance: Most of the ransomware techniques are really about resiliency and staying persistent: Bitcoin, anonymity, disabling shadow volume copies to prevent recovery and things like that.

John: Absolutely. The good news is that a lot of the intel tools that we developed for this can simply be used for other threats (see right-hand image above). We’ve got a to-do list of other things we want to continue working on (see left-hand image).

Here’s the call to action: there are more problems than there are people to solve them (see right-hand image). This takedown worked because a lot of people contributed their time, their effort and their skills to it, even if it wasn’t full-time work. Again, the short-term actions – okay, I blocked this from my network, let’s move on – might yield value for an organization, but they don’t yield long-term results. If you would like to help us with this, get in touch with us.

Conclusion of every security talk ever given in the history of security: “Technology is risky and people don’t like you.”

Read previous: The New Scourge of Ransomware 5: Human Intelligence Findings on CryptoLocker


David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.