Finally, John Bambenek and Lance James touch upon Operation Tovar, which ended the CryptoLocker campaign, and dwell on the lessons learned from this whole incident.

John Bambenek: Operation Tovar, going on to the takedown (see right-hand image). Law enforcement agencies of 13 countries and lots of individuals and organizations participated. This took Gameover ZeuS and CryptoLocker offline whole and entire. As of this writing, CryptoLocker is dead and has yet to re-emerge (see left-hand image). There are some GOZ attempts out there. We don't think there are any victims, but it's clear that the bad guys are probing to see what we're doing to prevent them from coming online, to see what registrars, what techniques they can use to get outside of our visibility. Again, we are providing near-real-time surveillance of that, too. The domains are being taken down. So, did it work? Yeah. The reason? Law enforcement was involved, private sector was involved – there are true partners. But there was a lot of intelligence footwork done (see right-hand image). What's the collateral damage? How will they react to it? Going into it, we know what's going to happen. We ended up waiting on the CryptoLocker takedown and merged it with GOZ, for reasons we already talked about (see left-hand image). But we spent a lot of time talking about the impact. What happens if we take the server with the private keys offline? Well, victims can no longer pay. You know, that is something that's relevant. That's a slower process than I would like, but it's there. That said, as of about 6 hours after writing this slide, there is Decrypt CryptoLocker, which uses techniques to, basically, decrypt those files. So, if you have a victim, even going back to August or September, now there's a means to recover those files if they didn't pay.
Lance James: And again, that's a combination of the seized drives themselves and working with the industry. Just visit decryptcryptolocker.com. I think Fox-IT and FireEye kind of worked together, and I'm sure law enforcement in Europe did as well. That's exactly the kind of thing we are wanting to see more of.

John: How these techniques fail is somebody goes it alone, doesn't care about collateral damage and breaks everything (see right-hand image). They burn before pillaging. In the absence of the rule of law, all you have left is tribal justice. But that makes it hard for people to do well-thought-out takedowns. Regarding the future of ransomware (see left-hand image), you know, CryptoLocker is dead, but it captured the imagination. There will be other things out there. There are a couple of examples out there (see right-hand image). There is a technique of locking iPhones for ransom using the Find My iPhone service. There was a cloud service company where somebody basically said, "Pay us this, or we're going to delete all your stuff." They didn't pay the ransom, and an entire company went out of business. So, protecting cloud services matters; that's an extortion-based attack. There are a couple of other things that use Tor and Bitcoin.
Conclusion of every security talk ever given in the history of security: “Technology is risky and people don’t like you.”