Around 140 command and control (C&C) domains have been taken down that apparently hosted the CryptoLocker ransomware.
According to a blog by Malware Must Die, 138 domains have been suspended or sinkholed which hosted the rampant ransomware. “A Trojan Downloader is a type of virus that infects a computer like any other virus, but the key difference is that it is usually much smaller in size and does not carry the actual virus payload the campaign is aiming to infect computers with,” said AppRiver’s security analyst, Jonathan French.
“Instead a Trojan Downloader infects a computer and is programmed to reach out to a remote server to download and run other malware.”
CryptoLocker has been notorious recently, with consumers and small businesses hit by the ransomware and this has led to the United States computer emergency readiness team (CERT) issuing a warning about it.
According to Watchguard, CryptoLocker is a ransomware Trojan that encrypts your personal files and often arrives as a file with a double extension, such as “*.pdf.exe” and since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.
Once infected, CryptoLocker has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. US CERT warned that CryptoLocker then connects to the attackers’ command and control (C&C) server to deposit the asymmetric private encryption key out of the victim’s reach which victims are required to pay in three days.
Speaking to IT Security Guru, Symantec security strategist Sian John said that in recent weeks, CryptoLocker’s owners have shifted their focus away from consumers and small businesses to enterprises. John said that in the last two weeks, enterprises had begun to see it getting blocked at the gateway and she expected that those who had been hit was due to “bad hygiene”.
French said that there can be many variations of downloaders or even other viruses that can install more malware, and by blocking a Trojan downloader, it’s possible that rule could block some similar strain or even a completely new virus campaign in the future.
“This is why it’s important to focus on a complete method by blocking many different vectors associated with a virus. This includes blocking the virus executable itself, the Trojan Downloaders it may be using, and any web servers associated with the virus.”
