Cryptolocker is dead, the owners are trying to discover what the authorities know and don’t be surprised to find more variants out there.
Speaking at the Black Hat conference in Las Vegas, security consultant John Bambenek praised the global effort in taking down the GameOver Zeus, but said that this followed a distinct lack of communication.
He said that at one point, there were four different working group for Cryptolocker and when they were brought together it collected 160 people who “all brought their special skillset”. He said: “We had 300 transistor–transistor logic (TTL) on the domains and that is where the intelligence value is, and it doesn’t give you any real information, but you can get into the mind of the attacker to deliver intelligence.”
He said that after the takedown in June, it sinkholed one out of every 125 domains, and we need to be better at reverse engineering. He said: “Operation Tovar took down GOZeus and took Cryptolocker offline, and effectively drew a line under it and despite some attempts, there have been no more victims. The bad guys are probing and want to see what we are doing as it is outside their visibility.
“The takedown worked, but it required a lot of intelligence to be done and from the collateral damage, we know what is going on and what will happen.” However Bambenek said that takedowns do not work when we “work like vikings and tear things down”, and we need more well thought-out takedowns.”
He later said that “ransomware is dead but it captured the imagination”, and said that there is new ransomware for iPhones using the “Find my iPhone”, or using Tor. “There are more problems than people solving them, and the takedown worked as there were people on it, even though the short term doesn’t yield long term results.”
Speaking to IT Security Guru, Bambenek said he believed that Cryptolocker is dead and there is a new variant of GOZeus, but it was unclear if it was the same person behind it. “There was a domain registered from the Cryptolocker domain but in May, and that goes back to seeing what we are surveilling and tryng to poke at it,” he said.
“I think right now, the one who is indicted he is out of the business now, but there are people using some of his techniques to see if they can get around it,” he said.
He denied that they were copycats, but there are more directives there, but plenty will be influenced “as some are developing kits to commoditise it, which is a different problem.”
Asked what he
thought of the sophistication of the attacker and those behind Cryptolocker, Bambenek said that there was an overlap of clever people who did not invest the fullness of their skills to manage Cryptolocker and could have done better, but they were making so much money so why bother?
