CryptoLocker returns after Operation Tovar

CryptoLocker is back and more popular than ever, less than one month on from the Operation Tovar campaign.


Back at the start of June, the National Crime Agency put out an advisory that UK computer users were at risk of a “powerful computer attack” which was down to a combination of the Gameover Zeus and CryptoLocker botnets. Zeus would infect each machine to distribute CryptoLocker, which would in turn demand payment from the user in order to return - and decrypt - their personal files.

The malware apparently hit some 500,000 PCs before the US Department of Justice (DoJ), the FBI, the NCA and Europol intervened in ‘Operation Tovar' to cut the communication between Gameover Zeus and its command and control (C&C) servers.

At the time, investigators warned that cyber-criminals would likely be up and running with new infrastructure within 'four to six weeks'. Gameover Zeus has recently been used, with the Citadel botnet campaign, to target several small European banks.

However, new reports indicate that CryptoLocker – which is said to have compromised some 200,000 UK computers in the past – is back again, with disaster recovery solution provider Databarracks the latest in a long line of companies to warn against the threat.

“CryptoLocker is a particularly nasty piece of malware, which can have disastrous effects on an organisation and the data it holds,” said Peter Groucutt, managing director. “Staying up to date on what to look out for might sound simple but if you can recognise and avoid suspicious emails, security breaches are prevented. Also, ensure that antivirus software is kept up to date, as failure to do so leaves you vulnerable.

“Communication is essential – ensure you have clear policies in place for risk management and make sure that your teams understand the recommended procedures to follow during a breach. Finally, ensure all your data is backed up regularly.”

Examining the threat further, Groucutt even pointed to a recent incident where one of Databarracks' clients was targeted by a cyber-criminal group using the ransomware.

“Recently, we were contacted by one of our customers, Major Players – a specialist recruitment firm in the creative media and marketing space. The nature of their business means email is critical to their day-to-day operations, but despite having robust security measures in place, they were hit by a CryptoLocker attack.

“They were faced with a ransom message listing the affected files and giving a deadline to either pay up or lose them forever. As soon as their head of IT contacted us, we were able to restore all their files immediately and stop the daily scheduled backups from running, to prevent the encrypted files from overwriting the existing backups.”
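A defender-side illustration of the backup point in the account above, added here and not Databarracks' or any vendor's tooling: a pre-backup guard that scans a directory tree for ransom notes and mass high-entropy documents and refuses to run the job, so encrypted copies do not replace the last good backup set. The note file names, entropy threshold, extension list and sample trees are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical pre-backup guard (not any vendor's code). Names, thresholds and
# sample data below are assumptions constructed for this illustration.
RANSOM_NOTE_NAMES = {"decrypt_instructions.txt", "how_to_decrypt.html"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit far below this
DOC_EXTENSIONS = {".txt", ".csv", ".log", ".doc", ".xls"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches the maximum of 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """A document-type file whose leading bytes are near-random is suspect."""
    if path.suffix.lower() not in DOC_EXTENSIONS:
        return False
    head = path.read_bytes()[:sample_size]
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD

def backup_safe(root: str, max_encrypted_ratio: float = 0.05) -> dict:
    """Verdict for a backup job: run it only if verdict['safe'] is True."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    notes = [str(p) for p in files if p.name.lower() in RANSOM_NOTE_NAMES]
    suspicious = [p for p in files if looks_encrypted(p)]
    ratio = len(suspicious) / len(files) if files else 0.0
    return {"safe": not notes and ratio < max_encrypted_ratio,
            "ransom_notes": notes, "encrypted_ratio": ratio, "checked": len(files)}

def demo() -> tuple:
    """Constructed sample: a clean tree and one hit the way the article describes."""
    base = Path(tempfile.mkdtemp())
    clean, hit = base / "clean", base / "hit"
    for d in (clean, hit):
        d.mkdir()
        for i in range(10):
            (d / f"report{i}.txt").write_bytes(b"Quarterly figures, all normal. " * 40)
    for i in range(8):   # most documents replaced by random bytes (stand-in ciphertext)
        (hit / f"report{i}.txt").write_bytes(os.urandom(2048))
    (hit / "DECRYPT_INSTRUCTIONS.txt").write_text("pay up or lose them forever")
    return backup_safe(str(clean)), backup_safe(str(hit))
```

Calling `demo()` returns the two verdicts: the clean tree is safe to back up, the hit tree is not, because it carries a ransom note and most of its documents read as ciphertext.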

Bob Tarzey, director and analyst at IT research house Quocirca, told SCMagazineUK.com that the return of CryptoLocker is proof that encryption – which continues to be promoted in the face of NSA and GCHQ surveillance – can be used for bad as well as good.

“The warning is timely and reminds us that encryption is a double-edged sword. The best advice here is about backup - if all data is backed up, then, whilst inconvenient, a CryptoLocker attack is little worse than a disk crash,” said Tarzey.

“However, of course, it is best to avoid such an incident in the first place, which up-to-date anti-malware should help with as CryptoLocker is generally used at random (i.e. the malware is not customised and targeted to avoid standard detection techniques).”

But Tom Cross, director of security research at Lancope, suggested that this latest attack is likely to be an 'unrelated copycat attack'.

“I believe that the reports that we've been seeing over the past 24 hours are of an unrelated copycat attack, rather than a return of the real CryptoLocker malware that was targeted by Operation Tovar," he told SC.

"This copycat attack is much less sophisticated than the real CryptoLocker malware, and files that it encrypts can be recovered. This raises an important point – if your computer is infected with something that calls itself "CryptoLocker" it may not be the real McCoy, and it may be possible to recover your files. The real CryptoLocker could return at any time, and many experts are watching for its return."

Earlier this month, other security researchers suggested that, far from fading away, the CryptoLocker family of malware was instead morphing into newer versions, such as Cryptowall and CryptoDefense.

Sophos detailed how both new pieces of ransomware have increasingly been used in attacks since April. Cryptowall has the same code structure as CryptoLocker, while researchers from the firm said that cyber-criminals are experimenting with new variations of the ransomware by doing things such as moving from Windows desktop machines to mobile devices.

Indeed, one of the emerging types of mobile ransomware is ‘Simplelocker', which encrypts files and demands a ransom from Android-toting users. Simplelocker uses Tor (The Onion Router) to obfuscate communications with the malware's C&C server.