Before it was initially defeated last month, the CryptoLocker ransomware had infected more than 200,000 computers worldwide, with at least half located in the U.S., and the criminals behind CryptoLocker took in more than $27 million in ransom payments in just the first two months of operation.
Now, a pair of experts is prepared to explain how the information security community, in tandem with law enforcement, put down the most sophisticated ransomware variant yet.
At the upcoming Black Hat USA 2014 conference in Las Vegas, Lance James, head of cyber intelligence for consulting giant Deloitte, and John Bambenek, president and chief forensic examiner for Bambenek Consulting, will detail the formation of the CryptoLocker working group, which, despite its name, was formed to help combat the general rising tide of ransomware.
In an interview prior to the event, which runs Aug. 6-7, James said his interest in CryptoLocker stemmed from another organization's encounter with the ransomware variant. James said that when the Deloitte team analyzed the attack, they were immediately surprised by the quality of the encryption implementation: CryptoLocker was known for its use of commercial-grade 2,048-bit RSA encryption, perhaps the first time a ransomware strain had used cryptography properly.
"Five years ago, we were all worried about [encryption-enabled ransomware] happening a lot sooner," said James. "Well, it finally happened."
As the CryptoLocker threat continued to grow rapidly, James said the pair moved to form the CryptoLocker working group and contacted other experts in the security industry that could help with sinkholing botnets, reverse-engineering malware and the like. With a team in place, James said several experts began working on reversing CryptoLocker's code to spot weaknesses.
Fighting CryptoLocker with reverse sinkholing
First, James said the group discovered that CryptoLocker couldn't encrypt data when it was unable to connect to a legitimate domain and retrieve the necessary encryption key, even if it had already infected a target machine. That meant that CryptoLocker infections could effectively be mitigated if organizations could block the randomly created domains being pumped out by its domain generation algorithm (DGA).
The group next worked on reversing CryptoLocker's DGA, which, according to James, led to an unusual discovery: the suspect domain generation algorithm had been used before as part of the Macintosh-focused Flashback malware, and upon further inspection, that very same algorithm was included in the Wikipedia entry for "domain generation algorithm."
CryptoLocker's DGA was also creating domains based on the time of day, James said, so armed with knowledge of the algorithm, the group was able to predict which domains would be generated on any given day. The group created lists of predicted domains that could be circulated, though not in advance, and then took the proactive step of registering future CryptoLocker domains before the malware would generate them, a move that James said didn't require funds because registrars often waive the cost of registering domains used for fraud.
"We created a year of the domains based on the domain generation, and then we put those out and started registering [the domains], and basically making sinkholes all over the world," said James. "Over time, we actually increased that so much that we pretty much shut the thing down."
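The precomputation James describes, as an added illustration that is not part of the original article: a constructed, date-seeded toy DGA (not CryptoLocker's actual algorithm) is run forward over a range of days so that every domain it will produce can be placed on a blocklist or registered as a sinkhole before the malware reaches it.

```python
import hashlib
from datetime import date, timedelta

# Constructed, illustrative date-seeded DGA. It is NOT CryptoLocker's algorithm;
# it only models the property the working group exploited: the output for a
# day depends solely on that day, so anyone holding the algorithm can compute
# the full set of domains for any future date.
TLDS = ("com", "net", "org", "biz")


def predicted_domains(day_iso, per_day=5):
    """Return the toy DGA's domains for one calendar day (ISO date string)."""
    day = date.fromisoformat(day_iso)
    out = []
    for i in range(per_day):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).digest()
        # Map the first 12 digest bytes onto [a-z] to form the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out


def build_blocklist(start_iso, days, per_day=5):
    """Precompute every domain for the next `days` days, as the working group
    did for a year of CryptoLocker domains, so they can be blocked at the
    resolver or registered as sinkholes ahead of time."""
    start = date.fromisoformat(start_iso)
    domains = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        domains.extend(predicted_domains(day.isoformat(), per_day))
    return domains


if __name__ == "__main__":
    # Two days of predicted domains, one per line, ready for a blocklist file.
    for d in build_blocklist("2014-08-06", 2):
        print(d)
```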
With CryptoLocker's infrastructure essentially crippled, James expected, and indeed hoped, that its backers would replace the compromised DGA with a new algorithm. In doing so, infections would slow while CryptoLocker's authors retooled the code, said James. After the new DGA was implemented, the working group could always reverse that algorithm and force the criminals to start from scratch, he added, essentially tiring them out.
That strategy ultimately wouldn't have been required though, according to James, because separate measures were concurrently being taken to eliminate the GameOver Zeus malware, the only distribution method for CryptoLocker.
"CryptoLocker literally did not last a year," said James. "They were very successful in that time, but the actions from the community and law enforcement worldwide were amazing."
Fighting CryptoLocker copycats
While CryptoLocker may be gone, James said that the success of the ransomware would inevitably lead to copycats like CryptoWall, though so far, other attackers have been unable to replicate CryptoLocker's sophisticated use of encryption.
Regardless, enterprises need to be prepared for future ransomware attacks. For one, organizations need to have regular, reliable backups of all their important data, James said, and because ransomware variants have been spotted attempting to encrypt local backups, data redundancy should be guaranteed by storing backups in the cloud or at least on the corporate network.
James said that companies should also monitor and even block user attempts to connect to the Tor network, commonly used for anonymous Web surfing or deep Web navigation, because attackers are using it to obscure malicious traffic. Likewise, enterprises could monitor their networks for hosts making thousands of unresolved domain lookups, he added, because most domains used as part of botnet infrastructure will be unavailable or sinkholed.
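The monitoring James suggests, as an added example not from the original article: resolver log lines (constructed here, in an assumed one-line-per-query format) are parsed and each client's distinct NXDOMAIN answers are counted, so a host burning through thousands of never-registered names stands out from ordinary typos.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real resolver's output):
#   <timestamp> <client-ip> query=<name> rcode=<NOERROR|NXDOMAIN|...>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def distinct_nxdomain_names(lines):
    """Map each client to the set of distinct names that failed to resolve."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcode"] == "NXDOMAIN":
            failed[rec["client"]].add(rec["qname"])
    return failed


def flag_hosts(lines, threshold=1000):
    """Return {client: count} for clients whose distinct NXDOMAIN names meet
    the threshold; DGA-driven hosts fail many unique names, typos fail few."""
    return {c: len(names) for c, names in distinct_nxdomain_names(lines).items()
            if len(names) >= threshold}


def constructed_sample():
    """Constructed log: a normal host with one typo, and a host whose
    DGA-style lookups all fail because the domains were never registered."""
    lines = [f"2014-08-06T10:00:{i:02d}Z 10.1.2.3 query=mail.example.com rcode=NOERROR"
             for i in range(50)]
    lines.append("2014-08-06T10:30:00Z 10.1.2.3 query=mial.example.com rcode=NXDOMAIN")
    for i in range(1200):
        lines.append(f"2014-08-06T10:{i // 60:02d}:{i % 60:02d}Z 10.1.2.7 "
                     f"query=x{i:05d}jq.com rcode=NXDOMAIN")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for client, n in flag_hosts(constructed_sample()).items():
        print(f"ALERT {client}: {n} distinct unresolved domains")
```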
Perhaps most importantly, James said he hopes the Black Hat presentation serves to reduce some of the paranoia surrounding ransomware among users, and simultaneously encourage IT security teams to understand that ransomware infections aren't necessarily the fault of the user.
"A lot of people are absolutely terrified of ransomware. I've literally seen communications from the people that pay the ransom and they're like, 'This is my work computer. I'm going to get fired for this,'" said James. "Don't panic. Focus on just getting help from your information security team at your business."
For more on fending off ransomware attacks like CryptoLocker, resident threat expert Nick Lewis details some of the basic precautions enterprises need to take for prevention and recovery.