Throwback Attack: CryptoLocker infects more than 250,000 systems in just four months

Cybersecurity Locks
Courtesy: CFE Media

Checking tracking notifications from transportation companies has become second nature for anyone who has ordered something online. Many can’t wait to see that notification saying that their package has been delivered. Imagine the surprise and horror people must have felt when they opened an email that was disguised as a tracking update but turned out to be a malicious CryptoLocker ransomware note.

The CryptoLocker ransomware attack started on Sept. 5, 2013, and lasted until late May of 2014. The attackers used a trojan that targeted computers running Microsoft Windows. The malware spread through infected email attachments and an existing Gameover Zeus botnet. CryptoLocker first targeted businesses but soon started to infect people’s home computer systems. The image that came with the ransom note included a countdown timer to show the victim exactly when they would lose their data forever.

CryptoLocker became one of the most profitable ransomware strains of its time, infecting more than 250,000 systems and earning more than $3 million within just four months.

It was a new kind of ransomware that restricted access to infected computers and demanded a payment from victims in order to decrypt and recover their files. CryptoLocker used certified cryptography provided by Microsoft’s CryptoAPI, which made it that much harder to combat because the implementation was sound.

How it works

CryptoLocker spread through fake emails designed to imitate legitimate businesses and through fake FedEx and UPS tracking notices. According to a Cybersecurity and Infrastructure Security Agency (CISA) alert, some people saw the malware appear following a previous infection from one of several botnets frequently used in the cyber-criminal underground.

Once one networked computer was infected, it was easy to find and encrypt files located on shared devices, such as USB drives, external hard drives, network file shares and cloud storage drives. After the initial infection, the malware connected to the attackers’ command and control server, where the private encryption key was kept.

The encryption used by this ransomware was asymmetric, meaning it used two different keys for encrypting and decrypting files. This type of encryption is more secure because there are two keys: one public, the other known only to the attacker. Supposedly, when the victim paid the ransom, they would be given access to the private key so they could unlock their encrypted files. However, as with other ransomware attacks, recovering encrypted files was not guaranteed even after payment.
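A defender-side heuristic for the behaviour described above (mass overwriting of documents on a share with ciphertext) as an added example; it is not code from the article or from any of the organisations it names. It assumes a snapshot of a file share represented as a dict of path to (mtime, contents), with sample contents constructed inline; ciphertext is spotted by its near-8-bits-per-byte entropy, and the burst condition keeps a single compressed archive from raising an alert.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for repetitive text, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_mass_encryption(snapshot, now, window=300, threshold=7.5, min_hits=3, ratio=0.5):
    """snapshot maps path -> (mtime_seconds, contents).

    Alert when files modified within `window` seconds include at least `min_hits`
    high-entropy files that make up at least `ratio` of all recent modifications.
    Requiring both a count and a share avoids alerting on one zip or JPEG."""
    recent = [(p, d) for p, (m, d) in snapshot.items() if now - m <= window]
    suspicious = sorted(p for p, d in recent if shannon_entropy(d) >= threshold)
    share = len(suspicious) / len(recent) if recent else 0.0
    return len(suspicious) >= min_hits and share >= ratio, suspicious


# Constructed sample data (hypothetical share contents, not real artifacts).
NOW = 1_700_000_000
_rng = random.Random(1)


def _ciphertext() -> bytes:
    """Stand-in for an encrypted file: 4 KiB of pseudo-random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(4096))


_DOC = b"Quarterly report: revenue, expenses, forecast.\n" * 80

# Normal day: documents edited recently, one old archive left untouched.
BENIGN_SNAPSHOT = {
    "share/finance/q1.docx": (NOW - 60, _DOC),
    "share/finance/q2.docx": (NOW - 120, _DOC),
    "share/hr/policy.txt": (NOW - 200, _DOC),
    "share/old/backup.zip": (NOW - 86_400, _ciphertext()),
}

# Infection: the same documents overwritten with ciphertext within minutes.
ATTACK_SNAPSHOT = {
    "share/finance/q1.docx": (NOW - 30, _ciphertext()),
    "share/finance/q2.docx": (NOW - 25, _ciphertext()),
    "share/hr/policy.txt": (NOW - 20, _ciphertext()),
    "share/hr/handbook.txt": (NOW - 15, _ciphertext()),
    "share/old/backup.zip": (NOW - 86_400, _ciphertext()),
}

if __name__ == "__main__":
    for name, snap in (("benign", BENIGN_SNAPSHOT), ("attack", ATTACK_SNAPSHOT)):
        alert, paths = flag_mass_encryption(snap, NOW)
        print(f"{name}: alert={alert} files={paths}")
```

In production the snapshot would come from file-server audit logs or a periodic scan of the share, and the thresholds should be tuned against the share's normal mix of archives and media files.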

CryptoLocker with Gameover Zeus botnet

CryptoLocker is neither a virus nor a worm, so it cannot create copies of itself. Instead, the malware had help from the Gameover Zeus botnet, a peer-to-peer botnet based on elements of the Zeus trojan. Gameover Zeus was able to steal bank credentials and act as the distributor for CryptoLocker.

On June 2, 2014, the Department of Justice and the FBI declared a multinational effort, called Operation Tovar, to take down Gameover Zeus. During this effort, the U.S. and foreign law enforcement took control of CryptoLocker command and control servers. Dell SecureWorks, Deloitte Cyber Risk Services, Carnegie Mellon University and the Georgia Institute of Technology aided the FBI in identifying and seizing the computer servers CryptoLocker was using.

“This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General James M. Cole in a Department of Justice news release. “We succeeded in disabling Gameover Zeus and CryptoLocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.”

Evgeniy Mikhailovich Bogachev was ultimately charged with a 14-count indictment. Bogachev was said to be an administrator of both Gameover Zeus and CryptoLocker, but was and still is out of the U.S.’s jurisdiction. He lives in Anapa, Russia, and as long as he doesn’t commit a crime on Russian territory, he cannot be arrested because Russia does not have an extradition treaty with the U.S.

CryptoLocker variants

In 2013, the next-generation CryptoLocker 2.0 was discovered. Both types of malware operate in similar ways, but 2.0 was written in C# rather than C++. This difference made it easier for the 2.0 malware to spread from P2P sites. It also accepted ransom payments only in Bitcoin, whereas other variants also accepted MoneyPak, Ukash and cashU vouchers. This version of CryptoLocker didn’t reach quite the same heights as the first, but that’s not to say it lacked effectiveness: it infected more than 200,000 computer systems worldwide.

After CryptoLocker’s takedown, other imitation ransomware variants emerged. CryptoWall and TorrentLocker are two examples, and Gameover Zeus itself reemerged in 2014. Most of their targets were in the banking, health care and government sectors.

In the following years, CryptoWall, in particular, was used regularly. It became one of the more common ransomware varieties, hitting hundreds of thousands of individuals and businesses. It warranted a public service announcement from the FBI, which read, “The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs. … Between April 2014 and June 2015, the IC3 (the FBI’s Internet Crime Complaint Center) received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.”

Ransomware attacks have been on the rise, especially this year, with big hits on companies like Colonial Pipeline and meat processor JBS. Whether it’s through team-ups or variants, ransomware has the opportunity to strike and keep coming back. In this case, there are mitigations and solutions to CryptoLocker, but it’s important to be vigilant and knowledgeable about the threats and vulnerabilities out there because they aren’t going anywhere anytime soon.