The recent move by law enforcement agencies to take down the GameOver Zeus botnet has also dramatically reduced infection rates for the infamous CryptoLocker ransomware. However, experts caution that CryptoLocker's demise might only be temporary, and that the threat ransomware poses to enterprises may only be growing.
CryptoLocker is known for its use of commercial-grade RSA encryption to lock files on victims' machines -- and for the somewhat unusual fact that victims have actually received the keys to unlock their files after the attackers extorted payments from them.
Right now, ransomware and click fraud seem to be the highest ROI [attackers] have.
director of threat research, Damballa
In a statement last week, James Cole, deputy attorney general with the U.S. Department of Justice (DOJ), provided some indication of just how much damage CryptoLocker has wrought in the short time it has been active.
The ransomware strain has infected more than 200,000 computers worldwide, according to Cole, with at least half of those infections occurring within the United States. The DOJ estimated that the malware authors behind CryptoLocker raked in more than $27 million in ransom payments in just in the first two months of their operation.
Those profits are likely to take a dramatic hit with the successful takedown of the GameOver Zeus botnet, the main distribution vehicle for CryptoLocker. The DOJ said traffic from more than 300,000 machines infected by the peer-to-peer botnet had been redirected to servers controlled by law enforcement agencies around the world, and that number is expected to increase as more PCs connect to the Internet.
Danish security vendor Heimdal Security, which has provided technical support to the FBI in tracking the CryptoLocker ransomware, said it saw up to 8,000 new CryptoLocker infections per day in May, but that number has dropped to nearly zero since the GameOver Zeus operation.
Despite those successes, the FBI and other law enforcement agencies have warned that GameOver Zeus -- and CryptoLocker -- are far from dead. That's because GameOver operates on a decentralized P2P network, meaning cybercriminals could still rebuild the botnet and resurrect already-infected machines. The FBI has urged citizens to take the necessary steps to clean possible GameOver Zeus infections off their machines within two weeks of the takedown, or risk having sensitive information stolen by a newly reconstituted botnet.
Jeremy Demar, director of threat research for Atlanta-based Damballa Inc., and who participated in the FBI sinkholing operation, said most botnet takedowns do nothing more than add cost for attackers, though this particular situation may be more effective due to the accompanying arrests -- 30-year-old Russian national Evgeniy Bogachev was charged with being an administrator for the GameOver Zeus botnet.
Regardless of its fate, Demar said CryptoLocker -- along with other ransomware variants -- was such a runaway success that it would be incomprehensible for attackers to move away from ransomware.
"Crime is a business, so attackers are going to go wherever the highest return on investment [ROI] is," Demar said. "Right now, ransomware and click fraud seem to be the highest ROI they have, so they'll continue to pick up in these areas."
CryptoLocker not the only game in town
Indeed, one only has to look beyond the public exploits of CryptoLocker to find a thriving ransomware market more than capable of sustaining its success -- with or without CryptoLocker's revival.
For instance, in a blog post last month, Symantec Corp. detailed a well-known CryptoLocker imitator called CryptoDefense, which also uses RSA 2,048-bit encryption. Though unlike CryptoLocker, CryptoDefense's encryption is fatally flawed because the private key used by the authors is still stored on the victim's machine. Despite that oversight, and only being active since February, Symantec noted that CryptoDefense had taken in the equivalent of $34,000 in Bitcoins in just one month.
Crytpowall, another CryptoLocker competitor, recently made headlines when Durham, New Hampshire Town Manager Todd Selig announced the ransomware variant had infected computers at the city's police department. The financial success of Cryptowall is not clear, but researchers from Cisco Systems Inc. detailed how they were forced to block requests to more than 90 domains for 17% of their Cloud Web Security gateway customers after Cryptowall was attached to the RIG exploit kit. Cisco's researchers also noted that Cryptowall's ransom demand had been increased to $600.
More encryption-based ransomware variants were always likely to appear in the wake of CryptoLocker, said Demar, but law enforcement-style malware, which relies on scaring victims with warnings that a police agency might investigate the user for shady material unless they pay a ransom, is also steadily growing.
In particular, Demar and the researchers at Damballa have been following the activities of the Kovter ransomware, which preys on visitors to adult-themed websites -- though may also fabricate browsing histories -- and demands a payment of around $300 to avoid fines and possibly jail time. Demar said Kovter infections leaped from a minimal number in March to 7,000 in April, and then doubled in both May and June.
Ransomware variants have been on the rise for the past 18 months, Demar said. "Criminals are finding it's very easy to make money with it and are adopting it quickly."
Next up: Mobile ransomware
Not surprisingly, Demar expects ransomware to follow the path laid out by other endpoint-focused malware by transitioning to mobile platforms, particularly Google's Android operating system.
Yair Amit, chief technology officer for Israel-based mobile security vendor Skycure, agreed with that assessment, noting that a majority of the ransomware attempts he has seen on Android have been of the law enforcement variety.
Encryption-based ransomware would be difficult to execute effectively on mobile platforms for a variety of reasons, according to Amit, including the lack of processing power available on such devices and the manner in which the platforms silo applications. However, researchers at antivirus vendor ESET have uncovered a file-locking ransomware variant targeting Android, Amit noted, dubbed Simplelocker, which is capable of encrypting a number of file types, including various image and video files, and even files stored on SD cards.
ESET researchers discovered Simplelocker as part of an app called Sex xionix, which is not currently available on the Google Play Store -- and thus not likely to affect Android users sticking to official channels for apps -- but for Amit, the ransomware variant is part of a clear trend.
"We're seeing a delay in how effective encryption-based ransomware is on mobile devices," Amit said. "We do know about many vulnerabilities that can allow existing malware on a device to escalate its privileges, and therefore be able to have a much deeper fingerprint of control over the data of other applications."