When an international law enforcement action earlier this month knocked out the Gameover botnet, one happy consequence was the takedown of the servers that the CryptoLocker ransomware needed in order to do its dirty work.
Well, any celebration over CryptoLocker’s demise is certainly premature – encrypting ransomware is alive and well.
With many victims paying up, ransomware is a lucrative business for the crooks, and CryptoLocker has inspired copycats who want in on the loot.
Cryptowall and Cryptodefense
New variants of file-encrypting ransomware called Cryptowall and Cryptodefense have been popping up since at least April 2014.
SophosLabs threat researcher Anand Ajjan says Cryptowall has the same code as Cryptodefense, and only differs in the name.
If you see a message like the one below, you’re in trouble – many, if not most, of the data files on your hard drive or any connected drives will be scrambled, and it’s simply not practicable to crack the encryption used by the crooks.
(You don’t have to pay, of course. Despite losing data, police in the New Hampshire town of Durham showed a bit of public resistance to the crooks, announcing that they were “definitely not paying any ransom.”)
The message gives instructions on how to use the Tor anonymizing proxy to access a website where you can pay to unlock your files:
- HPmal/Ransom-I: the Cryptowall/Cryptodefense malware itself.
- Troj/ExpJS-KX: web pages containing the RIG exploit kit.
- Mal/Generic-S and Mal/ExpJava-AF: other exploit kit pages associated with this threat.
What’s next for ransomware?
The trend has spread to Apple devices too.
Some hackers calling themselves Oleg Pliss used stolen Apple IDs to lock iPhones, iPads and Macs using the Find My iDevice feature, with a lock screen message demanding payment to restore access to your device.
Russian police arrested a pair of hackers from Moscow who pulled this trick on Russian victims, but it’s worth assuming that others may try this scam again in the future.
There’s a loophole in this iDevice ransom attack to get around paying (if you lock your device with a passcode, you can just enter it to unlock it) – but it might not be too long before the crooks figure out other methods.
How to stay safe from ransomware
In the cat-and-mouse game between hacker gangs and law enforcement agencies, the crooks are often tricky to bring to justice.
As part of the recent CryptoLocker takedown, for example, US law enforcement formally charged a Russian man called Evgeniy Mikhailovich Bogachev with fraud and racketeering offences, but so far he remains at large.
The FBI notes rather wryly in its Cyber’s Most Wanted pages: “Bogachev was last known to reside in Anapa, Russia. He is known to enjoy boating and may travel to locations along the Black Sea in his boat. He also owns property in Krasnodar, Russia.”
Nevertheless, the security industry is doing its part, and you can too.