Researchers find plenty more variants of the crypto-malware

Jul 21, 2014 09:57 GMT  ·  By

The recent joint operation of law enforcement agencies and private security firms that led to dismantling the Gameover Zeus and CryptoLocker botnets may not have scared off the cybercriminals completely, as new variants of the crypto malware have emerged, creating new networks of infected computers.

A recent status report from the FBI about the success of taking down the Gameover Zeus and CryptoLocker botnets in what was called Operation Tovar said that the networks had been neutralized and “cannot communicate with the infrastructure used to control the malicious software.”

However, information from security company Webroot shows that Operation Tovar was only partially successful and that threat actors could resurrect the crypto malware through new variants that have already been detected.

Webroot threat analyst Tyler Moffitt argues that Operation Tovar did not manage to seize all the servers that communicated with computers compromised by CryptoLocker variants, but only those under the control of a certain cybercriminal group, believed to be led by Evgeniy Bogachev.

However, other threat actors could leverage the same malicious code too, which means that CryptoLocker infections are still present.

“Although Evgeniy Bogachev and his group had control of a major chunk of zeus botnets and command and control servers that deployed cryptolocker, it was certainly not all or even the majority of zeus botnets in existence.

“Most malware authors spread their samples through botnets that they either accumulated themselves (Evgeniy), or just rent time on a botnet from someone like Evgeniy (most common). So now that Evgeniy’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease,” says Moffitt in a blog post.

He also presents a set of variants (CryptoWall, New CryptoLocker, DirCrypt, CryptoDefense) found by Webroot security researchers. Most of the strains show slight improvements compared to the original code. In some cases, there is no interface announcing that the files have been locked; instead, the user finds payment instructions in plain-text files created in the folders where data was encrypted.
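The note-dropping behaviour described above (no lock screen, just a plain-text file left in each folder that was encrypted) gives a defender something to look for: the same small text file recurring across many directories of a user profile. The script below is an added example, not code from the article or from Webroot; the note file name, the size and recurrence thresholds, and the sample directory tree it builds are all assumptions chosen for illustration.

```python
"""Heuristic detector for ransom-note drops: the same small plain-text file
appearing in many directories of a tree.

Added example, not code from the article or from Webroot. The threshold,
size limit, note file name and the sample tree are assumptions."""
import os
import hashlib
import tempfile
from collections import defaultdict

MAX_NOTE_BYTES = 16 * 1024   # ransom notes are small; skip larger text files
MIN_DIRS = 3                 # flag a note only if it recurs in this many folders


def _is_plain_text(data: bytes) -> bool:
    """Cheap plain-text check: decodes as UTF-8 and contains no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def find_repeated_notes(root: str, min_dirs: int = MIN_DIRS):
    """Walk `root` and group small plain-text files by (filename, content hash).

    Returns a dict mapping (filename, sha256 hex) -> sorted list of directories
    (relative to `root`) in which that identical file was found, keeping only
    groups that recur in at least `min_dirs` distinct directories."""
    seen = defaultdict(set)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; skip it
            if not _is_plain_text(data):
                continue
            digest = hashlib.sha256(data).hexdigest()
            seen[(name, digest)].add(os.path.relpath(dirpath, root))
    return {key: sorted(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}


def build_sample_tree() -> str:
    """Constructed sample: a user profile where a hypothetical note file was
    dropped into every folder that also holds (simulated) encrypted documents,
    plus a README that legitimately exists in only one folder."""
    root = tempfile.mkdtemp(prefix="note-scan-")
    note = b"Your files have been encrypted. See the payment instructions.\n"  # constructed text
    for sub in ("Documents", "Documents/Reports", "Pictures", "Desktop"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "report.docx.enc"), "wb") as fh:  # placeholder encrypted file
            fh.write(os.urandom(64))
        with open(os.path.join(d, "HOW_TO_DECRYPT.txt"), "wb") as fh:  # hypothetical note name
            fh.write(note)
    with open(os.path.join(root, "Documents", "README.txt"), "wb") as fh:
        fh.write(b"Project notes, nothing suspicious here.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for (name, digest), dirs in find_repeated_notes(sample_root).items():
        print(f"{name} ({digest[:12]}) repeated in {len(dirs)} folders: {dirs}")
```

The grouping key is the file name plus a hash of its content, so a note that a variant renames per campaign is still caught as long as the text is identical within one machine, while files that merely share a name (README.txt in several projects) are not grouped unless their content matches. Running it over a real profile would lower the recurrence threshold for small trees and exclude known-good directories such as package caches.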

In other instances, the victim has to make the payment via the Tor anonymity network, which the cybercrooks use to protect their identity.

A new crypto malware went on sale on underground forums under the name Critoni. The forum post, discovered by Kafeine, advertised the use of persistent cryptography relying on elliptic curves, making decryption impossible without the keys provided by the crooks.

The general recommendation against this sort of threat is to keep backups of all important data. This way, if the computer is infected, the backups can be restored and no information is lost.