Action by the National Crime Agency and other nations has disrupted Command & Control networks for the banking Trojan GOZeuS and the CryptoLocker ransomware.
According to the NCA, working with international law enforcement partners including the FBI and Europol, as well as partners from the banking, internet security and ISP sectors, it has given the British public a unique, two-week opportunity to rid themselves of, and protect themselves against, the two distinct forms of malware.
Lamar Bailey, director of security research and development at Tripwire, said: “The plan is to attack the parasite hard for two weeks while removing as many viable hosts as possible at the same time so that propagation targets will be limited after the attacks subside. This will not eliminate the malware, but could make it much harder for the operators to use and could cause massive financial loss for them.”
The two forms of malware are linked: a computer infected with GOZeuS can be instructed to download CryptoLocker, giving the criminal controllers a second opportunity to extract money from the victim if the banking Trojan does not yield a significant return at the first attempt.
The NCA said that individuals in the UK may receive notifications from their Internet Service Providers if they are a victim of the malware, and are advised to back up all important information – such as files, photography and videos. It advised businesses to test their incident responses and business resilience protocols and work with their IT departments or suppliers to educate employees on the potential threat.
Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit, said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.
“Those committing cyber crime impacting the UK are often highly-skilled and operating from abroad. To respond to this threat, the NCA is working closely with law enforcement colleagues all over the world, and developing important relationships with the private sector.”
Among those involved in the takedown were security vendors CrowdStrike, Dell SecureWorks, Trend Micro and McAfee, as well as academic researchers at VU University Amsterdam and Saarland University in Germany.
Also involved was virtual private server vendor Tagadab, which successfully took down one of the supernodes responsible for issuing commands across the botnet. Managing director Steve Rawlinson said: “The scale of this operation is unprecedented. This is the first time we’ve seen a coordinated, international approach of this magnitude, demonstrating how seriously the FBI takes this current threat.
“Because of the way these particular botnets work, it is very difficult to find the people behind the crime or to stop the botnet from spreading. This joint operation from law enforcement agencies, ISPs, and IT security vendors is a carefully coordinated strike designed to disable the botnet for a few days.”
Rik Ferguson, global vice president of security research at Trend Micro, said that while this blow is effective, it is not permanent, and he expects the malicious networks to return to their former strength within a week, if not days.
“This synchronised unprecedented collaboration between law enforcement, ISPs and the security industry sets a new standard for that which is possible in the name of internet security,” he said. “A truly global operation, this has seen coordinated activities aimed at taking over elements of the Command & Control infrastructure used to spread these pernicious malware families, but we cannot achieve this goal alone; every computer user has their own role to play.”
Asked if this was the beginning of the end of CryptoLocker’s grip on businesses and consumers, TK Keanini, CTO of Lancope, said: “This is not the end of any ransomware, it is the beginning of the next phase in co-evolution. Like the bust and shutdown of Silkroad, it was just the rebirth of Silkroad 2.0 which is larger and even more robust.”
Keanini said he was “extremely excited” to read of these well-coordinated and successful defensive operations, which counter how well coordinated the attackers are. “Only once in a great while do we hear about defenders coming together to disrupt these cyber crime organisations,” he said. “This raises the cost of the cyber crime business model and we need to do this more often. Leave the crime fighting to the crime fighters and businesses can just focus on business continuity.”
Rawlinson said: “The operation relies on public awareness and ultimately this is the key to its success or failure. If users fail to update their security in the window of opportunity then there’s little the FBI or anyone else can do for them.
“Consumer education is hugely important because it prevents criminals from gaining the advantage, but we need a coordinated, long-term awareness campaign backed by businesses and governments across the world if we want messages about the dangers of Trojans and malware to really hit home.”
Dwayne Melancon, CTO of Tripwire, said: “I think this is an opportunity to make progress against a huge internet threat. Taking out the command-and-control servers of a botnet is a huge task, but will make a big difference in allowing us to gain a foothold. If users and enterprises don’t reduce their attack surface by closing the security holes, the situation really won’t get better. They’ll just be compromised by the next iteration of the botnet.”