CryptoLocker racks up 250,000 infections

$3.75m revenue stream for the ransomware gang behind the code

Cryptolocker attacks up

The research arm of Dell SecureWorks reports that CryptoLocker, the ransomware that first appeared just over three months ago, has notched up around 250,000 infections.

The ransomware's modus operandi is to encrypt a user's hard drive and then demand US$300 (£183) within 100 hours, failing which it completely denies access to the files and folders.

Even if only 5 percent of victims pay this ransom to regain access to their files, that still equates to an income of £3.75 million for the cybercriminals behind the scheme; with the money demanded in Bitcoins, the figure could be even higher, owing to the (mostly) rising price of the peer-to-peer electronic currency.

Last month the National Crime Authority's National Cyber Crime division warned of a mass email-based attack against UK Internet users, with messages purporting to come from the user's bank or building society as the mainstay of the campaign.

Now, according to Keith Jarvis, a senior security researcher with Dell SecureWorks' Counter Threat Unit (CTU) threat intelligence division in Atlanta, USA, successful infection rates have gone through the roof, with the majority of victims located in corporates in the UK, the US, Australia, Canada and India.

Jarvis reports that CryptoLocker is now spreading via multiple channels of propagation, including the more usual email methodology, and hides its presence from victims until it has successfully contacted a command-and-control (C&C) server and encrypted the files located on connected drives.

"The malware's network communications use an internal domain generation algorithm that produces 1,000 potential C2 domain addresses per day. The domain names contain 12 to 15 alphabetical characters and are within one of seven possible top-level domains (TLDs): com, net, org, info, biz, ru, and co.uk. An error in the algorithm prevents it from using 'z' in a generated domain name," he says in his latest analysis of the threat.
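The shape Jarvis describes (a second-level label of 12 to 15 letters with no 'z', under one of seven TLDs) is a usable detection heuristic for DNS logs. The following is an added example written for this article, not code from Dell SecureWorks or the CTU analysis; the log line format and the sample lines are constructed, and the per-host threshold is an assumed tuning value.

```python
import re
from collections import Counter

# The seven TLDs named in the CTU analysis; co.uk spans two labels.
CRYPTOLOCKER_TLDS = ("com", "net", "org", "info", "biz", "ru", "co.uk")

# Second-level label of 12-15 letters; 'z' is excluded because the
# analysis says the generator never emits it.
LABEL_RE = re.compile(r"^[a-y]{12,15}$")

def split_domain(fqdn):
    """Return (second_level_label, tld) for fqdn, or None if the TLD is
    not one of the seven the analysis lists."""
    fqdn = fqdn.lower().rstrip(".")
    for tld in sorted(CRYPTOLOCKER_TLDS, key=len, reverse=True):
        suffix = "." + tld
        if fqdn.endswith(suffix):
            return fqdn[: -len(suffix)].split(".")[-1], tld
    return None

def looks_like_cryptolocker_dga(fqdn):
    """True if the registrable label matches the length/alphabet shape above."""
    parts = split_domain(fqdn)
    return parts is not None and LABEL_RE.fullmatch(parts[0]) is not None

def flag_hosts(log_lines, threshold=3):
    """Count DGA-shaped queries per source host and return the hosts at or
    above threshold as sorted (host, count) pairs.  Assumed (constructed)
    line format: '<timestamp> <src_ip> <qname> <rcode>'."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _, src, qname, _ = fields
        if looks_like_cryptolocker_dga(qname):
            hits[src] += 1
    return sorted((h, c) for h, c in hits.items() if c >= threshold)

# Constructed sample resolver log: one host issuing several DGA-shaped
# lookups (mostly NXDOMAIN), one host making ordinary queries.
SAMPLE_LOG = """\
2013-12-20T10:01:02 10.0.0.5 qwertyasdfghjk.ru NXDOMAIN
2013-12-20T10:01:02 10.0.0.5 mnbvcxlkjhgfd.com NXDOMAIN
2013-12-20T10:01:03 10.0.0.5 abcdefghijklm.co.uk NXDOMAIN
2013-12-20T10:01:03 10.0.0.5 www.example.com NOERROR
2013-12-20T10:01:04 10.0.0.9 abcdefghijkl.org NXDOMAIN
2013-12-20T10:01:04 10.0.0.9 mail.example.net NOERROR
""".splitlines()

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))
```

Legitimate domains of the same shape will also match, so the per-host count (and the NXDOMAIN rate, not checked here) is what separates a DGA burst from ordinary browsing.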

The spread of CryptoLocker appears to be global in nature, with many of the world's newswires reporting local businesses being hit hard by the malware. In Australia, ABC News' Friday evening TV bulletin reported that companies hit in that country include estate agents, Sydney council, a medical centre and the Queensland University of Technology.

Commenting on Jarvis' assessment of what is turning into a large-scale headache for security professionals in enterprise environments, Fran Howarth, a senior security analyst with Bloor Research, said that she and her team have recently seen a major spike in the use of ransomware, meaning that Dell SecureWorks' assessment is probably just the tip of the iceberg.

"Some threat management vendors are reporting that they are seeing 200 percent quarter-over-quarter growth in the use of ransomware. However, [the success of CryptoLocker] shows that computer users are still falling for the same old tricks and are still not sufficiently aware of the dangers of opening suspicious attachments," she said.

Graham Cluley, an independent security researcher and analyst, told SCMagazineUK.com that CryptoLocker has been a pernicious threat during 2013, with many innocent users blackmailed into paying up to regain access to their data. 

"Of course, you should never pay the ransom - but it's understandable that many people have, as they are so desperate to get their valuable data back," he said, adding that victims are kicking themselves because implementing a decent backup strategy would have saved their bacon.

Cluley, who has worked for several security vendors over the last 20-plus years, went on to say that it is to be hoped that more people and businesses will wake up to the importance of making regular backups and keeping them separate from their computers.

"That way, if the worst happens, they should be able to restore their valuable data and not have to pay the crooks," he explained.

The researcher advises that users should always keep their computers protected with up-to-date anti-virus software and security patches, in order to avoid similar attacks that are likely to take place in the near future.

"It's not going to be any surprise at all to see other online criminals copy the CryptoLocker business formula in 2014, and attempt to emulate its success," he concluded.
