The New Scourge of Ransomware 6: CryptoLocker Takedown

Finally, John Bambenek and Lance James touch upon Operation Tovar, which ended the CryptoLocker campaign, and dwell on the lessons learned from the whole incident.

Operation Tovar

John Bambenek: Operation Tovar, going on to takedown (see right-hand image). Law enforcement agencies of 13 countries and lots of individuals and organizations participated. This took Gameover ZeuS and CryptoLocker offline whole and entire.

Measuring success

As of this writing, CryptoLocker is dead and has not yet re-emerged (see left-hand image). There are some GOZ attempts out there. We don’t think there are any victims, but it’s clear that the bad guys are probing what we’re doing to see how we’re doing to prevent them from coming online, to see what registrars, what techniques they can use to get outside of our visibility. Again, we are providing near-time surveillance of that, too. The domains are being taken down.

Combined efforts did the trick

So, did it work? Yeah. The reason? Law enforcement was involved, private sector was involved – there are true partners. But there was a lot of intelligence footwork done (see right-hand image). What’s the collateral damage? How will they react to it? Going into it, we know what’s going to happen.

Nuances involved

We ended up waiting on the CryptoLocker takedown and merged it with GOZ, for reasons we already talked about (see left-hand image). But we spent a lot of time talking about the impact. What happens if we take the server of the private keys offline? Well, victims can no longer pay. You know, that is something that’s relevant. That’s a slower process than I would like, but it’s there. That said, as of about 6 hours after writing this slide, there is Decrypt CryptoLocker which uses techniques to, basically, decrypt those files. So, if you have a victim, even going back to August or September, now there’s a means to recover those files if they didn’t pay.

Lance James: And again, that’s a combination of the seized drives themselves working with the industry. Just visit decryptcryptolocker.com. I think Fox-IT and FireEye kind of worked together, and I’m sure law enforcement in Europe did as well. That’s exactly the kind of thing we are wanting to see more of.

Factors of failure

John: How these techniques fail is somebody goes it alone, doesn’t care about collateral damage and breaks everything (see right-hand image). They burn before pillaging. In the absence of the rule of law, all you have left is tribal justice. But that makes it hard for people to do well-thought-out takedowns.

Likely evolution of ransomware

Regarding the future of ransomware (see left-hand image), you know, CryptoLocker is dead, but it captured the imagination. There will be other things out there.

New crypto threats

There are a couple of examples out there (see right-hand image). There is a technique of locking iPhones for ransom using the Find My iPhone service. There was a cloud service company where somebody basically said, “Pay us this, or we’re going to delete all your stuff.” They didn’t pay the ransom, and an entire company went out of business. So, protecting cloud services matters, that’s an extortion-based attack. There are a couple of other things that use Tor and Bitcoin.

CryptoLocker is dead, but it captured the imagination.

Emerging extortion tactics

On to the techniques – I think DGAs will be out there for a while (see left-hand image). Tor and Bitcoin will still be used. Bitcoin provides a lot of benefit to the bad guys even if it’s not accessible to everybody.

Expanding the tools' usage scope

Lance: Most of the ransomware techniques are really about resiliency and staying persistent: Bitcoin, anonymity, disabling shadow volume copies to prevent recovery and things like that.

To-do list

John: Absolutely. The good news is that a lot of the intel tools that we developed for this can simply be used for other threats (see right-hand image above). We’ve got a to-do list of other things we want to continue working on (see left-hand image).

Call to action

Here’s the call to action: there are more problems than there are people to solve them (see right-hand image). This takedown worked because a lot of people contributed their time, their effort and their skills to it, even if it wasn’t full-time work. Again, the short-term actions – okay, I blocked this from my network, let’s move on – might yield value for an organization, but they don’t yield long-term results. If you would like to help us with this, get in touch with us.

A final thought

Conclusion of every security talk ever given in the history of security: “Technology is risky and people don’t like you.”