Gameover Zeus and Cryptolocker Takedowns

Published: 2014-06-02. Last Updated: 2014-06-02 19:48:07 UTC
by John Bambenek (Version: 1)
5 comment(s)

By now many you have already read the reporting on Brian Krebs on the Gameover Zeus (GOZ) and Cryptolocker takedowns (or more accurate, disruptions). You can read the US Justice Department's court documents here which include a named suspect behind the operation of GOZ. This is the result of large-scale multijurisdictional law enforcement cooperation and work from the private sector.  The TL;DR version is that as of this moment, Gameover Zeus has been disrupted and can no longer control clients.  In the case of Cryptolocker, new victim machines can no longer communicate with command and control (C2s) servers which means files will not be encrypted.  If your files are already encrypted, these is no change as once the files are encrypted there is no other communication that is necessary with the C2s unless you are paying the ransom. This, unfortunately, is likely temporary in nature (between 2 weeks and 6 months depending on the specific circumstances).

One thing that would be helpful is that if you observe new GOZ or Cryptolocker infections, please write in with details so they can be analyzed.

Thanks!

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

5 comment(s)

Comments

"these is no change as once the files are encrypted there is no other communication that is necessary with the C2s unless you are paying the ransom."

So does that mean for the time being; users can no longer pay the ransom and decrypt their files.?

Of course this may also be a win in the whole, as it disrupts the malicious actor's rogue business model.
However, those who have lost vital data, did not have proper backups, and chose to pay the ransom might have some cause for complaint.
We can confirm from valid sources that the disruption involved registered DGA domains, confiscating servers, and arrest warrants. One can speculate on 'confiscating servers' in that authorities would have access to keys?

~Richard
I wouldn't rely on it that paying the ransom really gives you the decryption keys.
If they just scammed you of of your money - who would you complain to anyways?
You should not forget to mention that government-backed organizations have set up sites that allow you to scan your computer for this type of malware, such as: http://www.getsafeonline.org/nca/
I have a client that was hit by cryptolocker on 6/6/2014. If he decides to pay, will the unlock process get completed?

Diary Archives