CryptoLocker's crimewave: A trail of millions in laundered Bitcoin

CryptoLocker's crimewave: A trail of millions in laundered Bitcoin

Summary: CryptoLocker has infected an estimated 250,000 victims, demands an average $300 payout, and is trailing millions in laundered Bitcoin. Dell SecureWorks' new paper sheds light on the unstoppable ransomware.

SHARE:
TOPICS: Security, Dell, Malware
97

Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each, and millions in laundered Bitcoin have been tracked and traced to the ransomware's money runners.

Spreading like wildfire from offices to homes, it arrives in email attachments (or over infected networks) to aggressively encrypt all files on a system (including mapped drives, Dropbox files, and all locally connected, network-attached, or cloud-based storage) - while an ominous onscreen timer demands payment within 72 hours.

cryptolocker ransomware

Mess with the files or decline to pay and forget about ever opening your files again.

To date, no one has successfully defeated CryptoLocker. The Windows-only ransomware has held rapt the attention of malware fetishists since its formal appearance in September.

The Swansea, Massachusetts police department was hit in November.

The officers paid CryptoLocker's ransom. Police Lt. Gregory Ryan told press that his department shelled out around $750 for two Bitcoin on November 10 - even then admitting his department had no idea what Bitcoin is, or how the malware functioned.

One Bitcoin address, one million dollars in a day

Dell's CryptoLocker report cites a Computer Science thesis from an Italian grad student who looked at a few known CryptoLocker Bicoin payment addresses while examining BitIodine.

The thesis reported a stunning take for one CryptoLocker address on one day:

In total, we identified 771 ransoms, for 1226 BTC (approximately USD 1,100,000 on December 15, 2013).

After tracing another Bitcoin address belonging to CryptoLocker and watching it move over six million dollars they concluded, "This suggests that our estimate of their racket is very conservative."

Dell SecureWorks released its detailed report on CryptoLocker Ransomware Wednesday, cementing what several researchers already knew about CryptoLocker's cruelly smart extrotion system. 

Dell's unwillingness in its paper to estimate precise ransom payment statistics has confused press reports thus far: many articles incorrectly report $30 million (beginning with this updated URL, now citing an obviously incorrect $300K).

On our examination of Bitcoin addresses shared by victims online, the real number is likely in the hundreds of millions.

SecureWorks admits the true payout number is "very likely many times that" which its own paper suggested.

Bitcoin is "most cheap option"

CryptoLocker is criminally simple - and strangely eloquent, if you're a supervillain. 

Dell's researchers estimate that between 200,000 and 250,000 systems were infected globally in the first 100 days after CryptoLocker's release.

Carbonite, a cloud backup service, was reported in November to have been dealing with "several thousands" of phone calls from CryptoLocker-infected victims, and now have a dedicated team dealing with CryptoLocker recoveries.

In research for this article ZDnet traced four bitcoin addresses posted (and re-posted) in forums by multiple CryptoLocker victims, showing movement of 41,928 BTC between October 15 and December 18.

Based on the current Bitcoin value of $661, the malware ninjas have moved $27,780,000 through those four addresses alone - if CryptoLocker cashes out today.

If CryptoLocker's supervillans cash out when Bitcoin soars back up to $1000, like it did on November 27... Well, $41.9 million isn't bad for three months of work.

Many victims believe that CryptoLocker briefly moved its ransom sums through Bitcoin addresses to launder the bounty; just-dice.com was repeatedly cited as a digital "mixer" point.

The malware doesn't appear to the victim until all files are successfully encrypted (and in case you thought it was safe to proceed, you're not: CryptoLocker periodically scans for new files). 

CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives.

Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots.

When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.

Then, your files are swiftly and silently owned.

The encryption process begins after CryptoLocker has established its presence on the system and successfully located, connected to, and communicated with an attacker-controlled C2 server. This communication provides the malware with the threat actors' RSA public key, which is used throughout the encryption process.

(...) Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI.

By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent.

Dell's paper suggests CryptoLocker's puppetmasters are in Russia and Eastern Europe, with primary targets in the United States, as well as other English-speaking countries.

A "bastard and fiendish" idea

When all files have been encrypted, each victim is then presented with an ugly splash screen with an ominous countdown timer, demanding payment.

CryptoLocker honors ransom payments.

Upon submitting payment, victims' computers no longer show the threatening countdown screen and instead see a new payment activation window.

In Dell's words, "During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process."

If you didn't pay, you gave up your files - and any new ones you made on your system after infection. To date, no one has successfully recovered files after CryptoLocker infection - unless they paid the ransom.

CryptoLocker's ransom amount has varied since its debut in September, but currently sits at $300 (USD) and 300 Euro - the ransom price is typically listed in cash currency, and Bitcoin.

Bitcoin instability over the past few months has prompted CryptoLocker's masterminds to reduce the ransom to 1 BTC, 0.5 BTC, and then to where it is currently: 0.3 BTC.

At first, CryptoLocker included [two known] static bitcoin addresses for everyone who was infected. The current versons of CryptoLocker dynamically generate new bitcoin payment addresses for each infection instance.

CryptoLocker cares

In early November, CryptoLocker's clever writers added a new feature called the CryptoLocker Decryption Service.

SecureWorks explained, "This service gives victims who failed to pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system."

Not surprisingly, CryptoLocker's "Decryption Service" is much more expensive than the original ransom - a hefty 10 BTC.

And what if a victim's anti-virus software deletes the CryptoLocker executable before the ransom is paid?

According to BleepingComputer's thorough guide, CryptoLocker thought of this, too.

Rather than leave you high and dry with encrypted files, a key, and no way to unlock them, CryproLocker detects the deletion of its executable files and shows victims a message that contains a link to a decryption tool that victims can download in case this happens.

BleepingComputer explains, "There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files."

CryptoLocker has left such a wide swath of confused and angry victims that numerous forums where victims have been gathering online since September to share information about their experience, offering details in hopes of helping others.

Active IT threads on sites such as Reddit (r/sysadminr/techsupport, others) and BleepingComputer have ended up doubling as pseudo-support networks for those under CryptoLocker's timed gun. 

After taking everything in, one Redditor was moved to remark that CryptoLocker is a "bastard and fiendish idea."

We're sure they got the message.

It's widely accepted that CryptoLocker's masterminds lurk on blogs and forums about CryptoLocker (especially this thread), and have responded to infected user's issues, as well as "give other messages on the home page of their Command and Control servers."

Another Redditor writes,

The malware author has responded to people in forums, helping them pay and such, and has stated that the keys are not sent out on an automated process, but selected manually by him for deletion and sending for decryption.

He keeps the keys longer than the 4 days, and will troubleshoot moneypak codes not working, and will send the decrypt key as fast as he can after he gets the money. He knows each computer that has it, and each computer gets a unique key.

Still, no one has been able to draw a bead on who might be pocketing CryptoLocker's spoils.

Dell's new paper looks for clues in the malware authors' behavior patterns:

Analysis of the IP addresses used by the threat actors reveals several patterns of behavior.

The first is that the threat actors use virtual private servers (VPS) located at different ISPs throughout the Russian Federation and in former Eastern bloc countries.

The extended use of some of these hosts, such as 93.189.44.187, 81.177.170.166, and 95.211.8.39, suggests that they are located at providers that are indifferent to criminal activity on their networks or are complicit in its execution (such as so-called "bulletproof" hosting providers). The remaining servers appear to be used for several days before disappearing.

The researchers say they don't know if the servers are disappearing because ISPs are terminating CryptoLocker's service, or if it's because CryptoLocker's crimewave gang prefers to stay a moving target.

Tell mom and dad not to open every damn email attachment

The first instances as reported by SecureWorks explains that the first wave of infection was through targeted emails with attachments, and this appears to remain a common vector.

The attachment, most of the time, is a .zip with a .PDF inside, which is actually an executable (.exe).

The flawless malware spread out of office networks, and currently targets home computer users as well.

Dell's researchers noted that peer-to-peer (P2P) CryptoLocker infections began to appear in early October.

On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns.

(...) Attached to the message is a ZIP archive containing a small (approximately 20KB) executable using a document extension in the filename and displaying an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.

(...) As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker.

Dell's report explains that the first email wave, targeted at businesses, lured clicks by addressing professionals to notify them of a formal complaint. But outside of Dell's paper, victims report CryptoLocker emails coming from spoofed Xerox email addresses, emails about resumes, and a commonly cited subject line is "Payroll Report."

Mine came from a business source we deal with that had an attachment labeled "stores parts.zip" and a title of "Sent by email: stores parts.zip" -wisdom_and_frivolity

The SecureWorks paper brought together much of what has already been written about CryproLocker, tied a number of threads, and provides a solid marker moving forward.

Now, if only Dell products were coded with the maddening target-objective mindset and frightening efficiency of CryptoLocker...

Topics: Security, Dell, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

97 comments
Log in or register to join the discussion
  • I want to pay the ransom!

    Can someone PLEASE show me how to get to the Cryptolocker customer service website? Can't find it!
    jmmcginnis
    • may I sugest you

      to dump Microsoft Windows entirely? Install something more secure and much more resilient, for example, Linux Mint absolutely free, see linuxmint.com.
      eulampius
      • of course

        your comment was sarcastic, but mine wasn't :)
        eulampius
      • Don't be a di

        ck
        dagodevas
        • dagodevas, and you're

          speaking out of knowledge because you're one?
          eulampius
          • Oh my god...a developer\programmer or a 32 year old at home.

            Which one is it eulampius.
            bin00010111
      • Poor eulampius

        Sad to see what you've been reduced to in life, little more then a shill and a troll,

        And my comment wasn't sarcastic at all, just so we're clear on that. :)
        William.Farrel
        • when one of the best shills and trolls

          this website ever known and Microsoft should be so proud to have is responding to my unassuming comment, I must have hurt them pretty good.
          eulampius
      • Linux is not more secure

        It is a complete misconception that Linux is more secure, spread by clueless Linux fanboys (aka Windows haters). Hackers simply do not bother to target Linux because it's usage is so tiny on desktops (less than 2%) and those that do use Linux tend to be more technically savvy because you have to know what you are doing with Linux due to its complexity, and thus are less likely to open email attachments.
        Hackers obviously target the most common desktop OS so that they can get mass infection by stupid users, which is Windows because it is the default OEM OS installed on most new desktops and laptops.

        This landscape however is changing as Tablets are becoming more popular and widespread than desktops. On mobile devices the situation is reversed, Windows has barely any market share and Linux kerbal based OS's rule, and as a result hackers will turn their attention toward Linux, and suddenly all those fanboys who boasted "I don't need no stinking anti-virus" will be eating their words.
        Capt Obvious
        • Captain,

          in your predicates construction you're obliviously making one big logical mistake: your assuming and extrapolating too much. "Since Windows is popular and it's user are being hit with malware, consequently if GNU/Linux were popular, then ...." While you're also following another great misconception (based on the wrong assumption that android is very similar to MS Windows). It is counting malware strains that might have nothing to do with real threat and actual infections that ever have taken place. Come back with the number of infected Android devices and we'll talk.
          eulampius
          • malware differenet on android to Windows.

            Malware on Android is basically dodgy applications that people must ignore the permission warnings and install... windows malware like code red or nimda or whatever could infect you just by you being on a network.. And lots of windows malware can infect you just by visiting a webpage with exploit code in it or opening a dodgy pdf etc..

            completely different types of malware.. Android malware wouldn't exist if not for user ignorance.. Neither would most windows malware.. but there would still be lots that got around.
            frankieh
          • The point is

            on your linux workstation there just isnt anything worth making ransomware.
            Andrej.G.
          • the best answer

            .
            eulampius
        • Space!

          Well, it's interesting to know that Kerbals are responsible for Linux. Good thing they're better at it than they are at getting into space...
          online@...
        • Only partially accurate

          There's some truth to what you've said; the main security problem with Windows is the user, and given an incompetent user and a dedicated hacker or social engineer, Linux is no more secure -- I mean, it's already not terribly uncommon to see social engineering attempts to get people running (possibly veiled forms of) "rm -rf /", which is perhaps even worse than Cryptolocker.

          In general, however, I believe your argument that Linux is safe only through obscurity fails both in its premises and because it treats a diverse collection of Linux-based OS's as a single whole. There exist some Linux distros which are secure, as proven in practice through their majority use as server OS's, and since a system can only be as secure as its least secure component, the Linux kernel itself is secure. As for the rest of a Linux OS's components, they vary significantly by which distro one runs; it's unthinkable that a hacker could create a common attack targeting every possible distro without targeting the kernel itself. Therefore, I would say it is a safe bet that, regardless of what OS is most popular, there will always be some Linux distro which is safer to use simply because of its obscurity; and that's before even considering distros that actually emphasize security.

          Also, I destroyed two Windows XP installs in the last few days just by visiting the Hearthstone website. Apparently that particular iteration of Windows is so insecure that visiting a webpage can alter OS-critical driver files (intelppm.sys specifically) and put the machine into a BSOD-boot loop. It's almost punchline worthy, but the only joke I can find is Windows XP.
          KiteX3
          • good news and bad news if you're still using Windows XP

            The good news is that you will not have to worry about Windows XP updates after April 2014.
            The bad news is that you will have to worry about no more Windows XP updates after April 2014.

            Mixing business (actually controlling something) with pleasure (only speaking to someone about something) was never a good mix.

            Trusting email client software enough to allow you to launch an infecting component sent from a sender that you have not or cannot verify is sad. A sandboxed email client with no real power is better so why don't we have that as standard or is this iOS?

            There are Windows/Linux/OS2/iOS supporters and detracters all over. Given a preference, I think I'd probably stick with AIX or VMS.
            mandrake64
          • AIX or VMS?

            Is either available for Intel or ARM system architectures? Does either have a GUI? If not, isn't it about time some enthusiasts took on the project? One thing I really liked about VMS was its inherent backup system - if you created a file called fred.txt VMS saved it as fred.txt;0. If you then edited fred.txt and resaved it, it was saved as fred.txt;2, etc. i.e. earlier versions were not overwritten - and this was at a time when disc storage was expensive and low capacity. With today's multi-terabyte drives, this should be inherent in Linux, Windows, iOS, Android, etc. Why isn't it???
            I ought to mention that there was a command "purge " to delete previous versions with a command line parameter k followed by a number which specified how many earlier versions should be kept, so a scheduled task could be run to keep the previous version count down to, say 10, or however many or few you wanted.
            JohnOfStony
        • aka windows haters, reaaly ?

          I use different systems including linux Ubuntu ; it is a misconception of some uninformed people (aka linux haters ?) to pretend that linux is complex and used only by geeks. I am not a geek, and I use different linux versions on old computers with limited memory, together with many free softwares of very good quality, compatible with MSwindows and MacOSX. It works beautifully and allows people with limited income and poor students to get a used computer and get connected to the 'net and to learn about computers and softwares (free). Your disparaging comments about linux and linux users are very wrong. Please, learn ! you can install linux and free applications alongside your MSwin or OSX system, it's risk free, and free like in freedom and like in free drink. Dan.
          dan-r
      • @eulampius "Linux"

        Experiment->

        Created a simple shell script:
        $ vi test.sh
        #!/bin/sh # line 1
        /usr/bin/evince # line 2, modify to your default pdf reader

        Modified permissions to make the shell script executable:
        $ chmod a+x test.sh

        Placed test.sh in a zip file:
        $ zip test test.sh

        Results->

        Debian old-stable (supported until May, 2014) with Xfce:
        Started up the Thunar file manager, opened the test.zip file, double-clicked the test.sh file and, after selecting 'open' from the pop-up window, the Evince PDF Reader opened.
        SUCCESS

        Ubuntu 12.04 with Unity and Xfce:
        Started up the Nautilus file manager, opened the test.zip file, clicked the test.sh file and it opened as a text file in gedit.
        FAILED

        Puppy Linux with jwm:
        Started up the ROX file manager, opened the test.zip file, clicked the test.sh file and got a message window with "Cancel" and "OK" command buttons stating that double-clicking doesn't work until I set up a default handler. The Evince PDF Reader was only launched *after* I clicked "OK" to setting up a default handler and removed 'xarchive' as the default handler.
        FAILED, but with little effort, SUCCESS

        Conclusion-> It depends on the Linux distro and, possibly, the desktop environment and file manager used.

        Like Windows, GNU/Linux, by default, allows non-root users to run arbitrary executables. Also note that most distros default with 'gpg' which could easily be used to encrypt the users personal files with the miscreant's passphrase (note: Puppy Linux defaults with 'bcrypt' instead of 'gpg'). Oh, and 'wget' commands could easily be added to a malicious script in order to retrieve additional files from the miscreants C&C server, ultimately resulting in encrypted personal files *and* a malicious process added to one's Autostart.
        Rabid Howler Monkey
        • good test, but not a good point

          My LMDE mate also fails your test to open it in the default text editor Emacs. AMOF, that it's not the double-clicking that should be looked at, it's a simple way you could strip the exec bits from a file, from a browser, email client pov, it's great. BTW, if I just create a file "chmod +x", my caja file manager does warn and asks me whether to run or open it. No, I was referring to a simpler way to strip permissions. Well, and BTW, it's only a tip of the iceberg. To clarify the matter, I do know that security policies vary from one distro to another, however they quite rarely go as low as the Microsoft's own one.
          eulampius