Feeds

Fiendish CryptoLocker ransomware survives hacktivists' takedown

Proper post-op analysis would have killed it for good, says ex-rozzer

Next gen security for virtualised datacentres

An attempt by security researchers to take down command and control nodes associated with the infamous CryptoLocker malware appears to have been unsuccessful in its ultimate aim of putting the Bitcoin-hungry crooks behind the scam out of business.

Activists from the group Malware Must Die put together a list of scores of domains associated with communications channels for the malware, which encrypts files on infected machines before demanding a ransom of up to 2 BTC (worth just over $2,000 at the time of writing), before beginning a takedown operation on Sunday (1 December).

Most of the 138 targeted domains were suspended but failed to kill off CryptoLocker, which was quickly resurrected, according to anti-botnet firm Damballa.

Adrian Culley, a former Scotland Yard detective turned technical consultant at Damballa, said that the take-down effort might have been more successful with post-takedown analysis.

"It is no surprise that the announcements of the death of CryptoLocker appear to have been somewhat premature. An essential part of the process is post-takedown analysis, which may turn out to be a post-mortem, or a triage of the zombie remnants of a botnet, or may indeed confirm that the botnet is very much still alive and kicking."

"It is essential to undertake this analysis post any sinkholing activity,” continued Culley, “which does appear to have happened in this instance. CryptoLocker appears to have the same resilience as many other C&C based attacks.”

“Efficient post-mortems lead to better surgery, and this is just as true of botnet remediation as it is medically," he added.

CryptoLocker normally arrives in email as an executable file disguised as a PDF, packed into a .zip attachment. A spam run targeting millions of UK consumers prompted a warning from the UK National Crime Agency last month. For now, at least, only Windows machines can be infected by the malware.

If it successful executes, CryptoLocker encrypts the contents of a hard drive and any connected LAN drives before demanding payment for a private key needed to decrypt the data. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?