Has CryptoLocker been cracked? Is Gameover over?


Gameover, also known as Gameover Zeus, is one of the most notorious botnets of recent times, used to grab covert control of innocent users’ computers and to “borrow” them to carry out cybercrime on a giant scale.

The best-known criminal functionality of Gameover is probably its banking-related trickery, where it keeps track of what your computer is doing online until you start some sort of financial transaction.

Then the malware comes alive and grabs the personal information that you type in, such as your username and password, and may even be able to intercept the one-time passcode sent by your bank (what is known as two factor authentication).

Once intercepted, that information is often enough for the crooks to to conduct fraudulent transactions, and with estimates that hundreds of thousands of computers were infected with the Gameover “bot” at any time, the crooks made off with millions of ill-gotten dollars.

In fact, the United States Department of Justice (DoJ) suggests that the Gameover crooks have stolen more than $100,000,000 from users in the US alone.

The DoJ also estimates that US users who have lost money to Gameover make up just 25% of victims worldwide, so we could be looking at global losses of up to half a billion dollars.

But that’s not all.

The Cryptolocker menace

CryptoLocker is the poster child (a “Wanted” poster, that is) of the ransomware scene, scrambling all your data and then giving you three days to come up with $300 to buy the key to unscramble it.

In the past, we’ve seen file-encrypting ransomware that could be “counter-cracked”, thanks to cryptographic blunders by the crooks, such as leaving temporary copies of the decryption key on your computer, or neglecting to wipe out the original files after scrambling them.

No such luck with CryptoLocker.

Every time an infected computer calls home to one of the CryptoLocker servers, the crooks generate an RSA key pair, consisting of a public and a private key, on the server.

In public-key cryptography, what the public key locks, only the private key can unlock. (And you can’t compute the private key from the public key because of the way the mathematics works.)

So the crooks send your computer the public key; their malware locks up your files with it; and that’s that: the private key never, ever exists on your computer, neither on disk nor in memory.

If you don’t have a backup and you need to decrypt your data, you have no choice but to buy a copy of the private key from the crooks.

The DoJ suggests that the crew behind CryptoLocker raked in $27,000,000 in September and October 2013 alone, in the first two months that the malware was widely reported.

Another measure of the malware’s malevolence came from a survey by the University of Kent in England, which concluded (these are eye-watering statistics) that about 1 in 30 Britons had been hit by CryptoLocker, of whom 40% paid over the blackmail money.

Gameover and CryptoLocker in concert

These two families of malware are often discussed together because Gameover, which gives its operators the power to upload new malware to already-infected computers, has been one of the ways by which CryptoLocker was distributed.

In other words, the crooks could milk you using Gameover; as soon as they thought they’d squeezed everything they could out of the Gameover part, they could “upgrade” you to CryptoLocker and sting you for a final $300.

With a 40% success rate against victims in the UK alone, if the University of Kent has it right, that’s quite some sting.

The takedown

So here’s the good news: the DoJ today announced a string of legal and technical assaults on the criminal infrastructures of these two malware families.

Very briefly summarised, US law enforcement has done the following:

07 May 2014. With co-operation from the Ukrainian authorities, seized and copied key Gameover command servers in Kiev and Donetsk. If the core servers in a botnet can’t push put “what to do next” instructions to the zombie computers under their control, the botnet is seriously disrupted.

19 May 2014. Filed sealed criminal charges against a Russian national called Evgeniy Mikhailovich Bogachev, aka Slavik, aka Pollingsoon, for a raft of serious offences.

28 May 2014. Got a civil court order against Slavik and four other unnamed co-conspirators, thus permitting law enforcement legally to redirect Gameover traffic into a server specificed by the court.

Then, the “traceback” could begin, with the FBI and numerous operational partners in the US and in Europe identifying core computers in the botnet control infrastructure, and seizing servers in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the UK.

Servers critical to the operation of CryptoLocker were seized at the same time, which did some serious damage to the CryptoLocker scam, too.

If your computer fails to “call home” for the public key mentioned earlier, CryptoLocker can’t scramble your data, giving you time to find and destroy the malware before any costly damage is done.

Unity is strength

To remind you just how much work goes into an operation of this sort, it’s worth repeating the names of the law enforcement agencies around the world that were officially named by the DoJ as having been part of this takedown.

Here they are:

The Australian Federal Police; the National Police of the Netherlands National High Tech Crime Unit; European Cybercrime Centre (EC3); Germany's Bundeskriminalamt; France's Police Judiciare; Italy's Polizia Postale e delle Comunicazioni; Japan's National Police Agency; Luxembourg's Police Grand Ducale; New Zealand Police; the Royal Canadian Mounted Police; Ukraine's Ministry of Internal Affairs – Division for Combating Cyber Crime; and the United Kingdom's National Crime Agency participated in the operation. The Defense Criminal Investigative Service of the U.S. Department of Defense also participated in the investigation.

Quite a list!

So, if you’ve ever wondered, “Why don’t the cops just pop round to the botmaster’s house and shut the whole thing down?”, this list might help answer your question.

What happens next?

The next stage – the part of the operation that is the duty of all of us – is to dismantle the rest of the botnet, by progressively disinfecting all the zombie-infected computers that made the Gameover and Cryptolocker “business empires” possible in the first place.

US-CERT has come up with a whole list of free tools so you can do just that, and (if you are the go-to person for IT problems amongst your friends and family) so that you can help others, too.

I’m delighted to say that the Sophos Virus Removal Tool is amongst the recommended cleanup utilties.

It’s a free download; you don’t have to uninstall your existing anti-virus first; and it detects and cleans the same malware, including rootkits, that Sophos Anti-Virus knows about, not just CryptoLocker.

Why not try it and see by scanning your home PCs today?

As we’ve said before, if you don’t make an effort to clean up malware from your own computer, you aren’t part of the solution, you’re part of the problem.

Click to go to download page...