Feds declare big win over Cryptolocker ransomware

Even as security researchers reported that the hacker gang responsible for the Gameover Zeus botnet have begun distributing new malware, U.S. government officials last week claimed victory over the original and said that the Cryptolocker ransomware it had been pushing has been knocked out.

On Friday, July 11, the Department of Justice (DOJ) filed a status update with a Pennsylvania federal court, telling the judge that both the Gameover Zeus botnet and Cryptolocker “remained neutralized.”

“Analysis to date indicates that all or nearly all of the active computers in the [Gameover Zeus] network are communicating exclusively with the substitute server established pursuant to this Court’s Orders,” the document stated.

In early June, the DOJ, along with law enforcement agencies in several other countries, grabbed control of the Gameover Zeus botnet, and filed both criminal and civil charges against the alleged administrator of the botnet, Evgeniy Bogachev, a Russian national who remains at large.

Cryptolocker, a type of “ransomware” — the term for extortion malware that encrypts files and then tries to convince users to pay to decrypt them so they can again be opened — was distributed exclusively by Gameover Zeus.

The disruption of the original Gameover Zeus, and cleanup efforts by various countries’ computer security response teams, or CIRTs, and Internet service provides (ISPs), have reduced the number of infected PCs by more than 31%, the DOJ said in the Friday report. More than 137,000 machines remain infected, however.

“Government testing of Cryptolocker malware samples has confirmed that Cryptolocker is no longer able to encrypt newly infected computers and, as a result, is not currently a threat,” the prosecutors added. “Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers. As of today, the injunctive relief ordered … knocked all of Cryptolocker’s infrastructure offline, and has thereby neutralized Cryptolocker.”

Court orders last month allowed authorities to seize the servers that issued commands to Gameover Zeus and Cryptolocker, and to redirect infected PCs’ requests for instructions to government-controlled servers instead.

Bogachev, who was put on the FBI’s Cyber Most Wanted List last month, has not been arrested. Bogachev joined four members of the People’s Liberation Army (PLA), China’s military, who were accused of digital spying in May, on the FBI’s list.

But even as the DOJ gave the federal judge the Gameover Zeus/Cryptolocker update, experts said that the cyber security gang behind the botnet was at it again.

According to Dell SecureWorks’ Counter Threat Unit, those responsible for the original Gameover Zeus have begun seeding new malware via spam since at least July 10.

The hackers, no longer able to access their command-and-control servers once authorities seized the systems last month, have created an alternate that relies on a more centralized infrastructure, said SecureWorks.

The group’s reappearance was not a surprise: Security professionals had predicted that the government’s June takedown would not permanently stamp out either the gang or put an end to ransomware, which has a rich history, literally and figuratively, going back at least nine years.

In the report filed with the federal court, the DOJ said it would issue another status update on the original Gameover Zeus botnet and Cryptolocker malware infections on Aug. 15.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is gkeizer@computerworld.com.

Read more about security in Computerworld’s Security Topic Center.