15 Mar Cryptolocker – Its threat, its legacy and why you should still keep your guard up
In the summer of 2013 a seemingly harmless trojan started infecting Windows computers, and by the time it was taken down 9 months later it had succeeded in extorting $3 million from its victims.
Cryptolocker used the existing Gameover ZeuS botnet and a host of infected email attachments to spread itself across the internet. Once activated, Cryptolocker encrypts some or all of the files on a computer system and denies the user access to them. The operator then contacts the user and demands money in exchange for decrypting the files and restoring access, essentially holding their data to ransom.
The operators running Cryptolocker demanded payment in Bitcoin because of its almost untraceable nature. Bitcoin exchanges and trading companies took note of this and even listed “Ransom” as a selectable reason when customers requested to purchase Bitcoins.
In May 2014 the ransomware trojan was isolated, and a month later the US Department of Justice (hand in hand with a slew of national and international law enforcement agencies), together with independent security firms such as the Dutch firm Fox-IT, disrupted the Gameover ZeuS botnet, crippling the Cryptolocker extortion operation.
The distribution network was down, but thousands upon thousands of files were still encrypted. In August 2014 the security firms Fox-IT and FireEye developed a recovery and decryption tool using the information gathered during the Cryptolocker takedown. With this tool, victimised users can upload a sample of one of their encrypted files and receive the key that fully and permanently unlocks it.
Operation Tovar, the name given to the takedown of the botnet and Cryptolocker, resulted in the indictment of Russian hacker Evgeniy Bogachev. But the threat lives on. Given how effective the scheme was at extorting money from victims, it wasn’t long before copycat and clone ransomware trojans began popping up all over the net. Trojans such as CryptoWall and TorrentLocker were some of the more notable ones to spring up in the aftermath of the Cryptolocker takedown, and they proved equally effective in the business of encryption-extortion.
Fast forward to 2016, and law enforcement and security agencies are still playing catch-up in preventing the rise of ransomware trojans and shutting down extortion botnets. Differing methods of delivery, infection and distribution make a general solution almost impossible; each trojan and botnet must be handled on an individual basis. This requires an enormous amount of resources from multiple agencies and companies. The takedown of Cryptolocker required the cooperation of the DOJ, FBI, CIA, Interpol, and numerous security firms in the private sector.
In the second quarter of 2015 alone, McAfee Labs registered 4 million instances of ransomware, and the number is increasing at an alarming rate. This has put law enforcement agencies, security firms, companies and even high-value individuals on notice.
So what can we expect in 2016? Not only will attacks increase, but their targets and methods will keep expanding as well. Infected email attachments and botnets are no longer the only sources of infection: right now you may be wearing a device that can be exploited just as easily as an email.
We go through the different vectors of attack below:
Hardware and firmware attacks will not stop. An ever-expanding market of tools that make them possible is growing in popularity. Even virtual machines are not safe, thanks to system firmware rootkits that make it possible to target even the most carefully isolated virtual machine.
With products such as the Apple Watch and Samsung’s Gear, the wearables market is growing by leaps and bounds in popularity and prevalence. But this also means another point of access for cyber-criminals. Whilst the wearable devices themselves may not pose a huge security risk, given their limited processing power and the little data they hold, they provide an access point to something that has a great deal of both: the smartphone they are usually paired with.
Cyber-criminals are nothing if not persistent. They are masters of intrusion. They can opt to take on enterprise-level security and use brute-force methods to bypass it. Or, as the growing trend shows, they can simply try to infiltrate employees’ home systems, which typically run under far more relaxed security.
The Cloud has been a hot topic for the last decade and has not gone unnoticed by cyber-criminals. Expect these nefarious individuals to target cloud services and exploit weak security measures surrounding cloud data.
The technology integrated into today’s cars is mind-boggling. Remote entry and notification, Bluetooth syncing, GPS, USB input, and advances in ECUs (engine control units) take the driving experience to new levels. Unfortunately, the pervasiveness of wireless technology also makes it possible for your car to be hacked and its systems compromised, and if your smartphone is paired with it, the car becomes a portal to any and all data on your phone as well.
Integrity attacks are also set to increase. These attacks do not occur at the end-user level, but at the source or along the transmission trunk. To better understand this type of attack, picture a criminal trying to get at your money: instead of attacking your personal bank account or wallet, they mount an attack on your employer’s bank account or re-route the salary transfer away from your account.
Ransomware is not going away any time soon. The sad fact is that it has been turned into a product on the dark web. Enterprising cyber-criminals can now pay for a fully functioning exploit in these marketplaces. They don’t even need coding knowledge or experience; they can purchase it like bread at the supermarket and spread it across the web and networks at will.
To make matters worse, law enforcement and online investigators have uncovered several data “warehouses” containing entire sets of stolen personal identification. This marks the emergence of a new market in which complete lists of personal identification are available for purchase at a price, and it will undoubtedly fuel the proliferation and frequency of ransomware attacks.
Update on 04/04/16: Since this blog was written, the FBI has issued a warning about a new strain of ransomware targeting servers. Please read the article at http://www.computing.co.uk/ctg/news/2452701/fbi-warns-over-nasty-new-strain-of-ransomware-targeting-servers