Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Operation Tovar a success, but is it really Gameover for CryptoLocker?


  • Please log in to reply
23 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  •  Avatar image
  • Admin
  • 45,110 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:49 PM

Posted 02 June 2014 - 02:22 PM

Today the U.S Justice Department announced the successful takedown of the Gameover Zeus Botnet, which is a malware that steals bank credentials as well as acts as a distribution method for other malware. One of most well-known malware infections distributed by the Zeus Botnet, or ZBOT, malware was the ransomware called CryptoLocker. Through the combined efforts of the FBI, international law enforcement counterparts, and various private sector companies, the Gameover Zeus Botnet was successfully shutdown, servers seized, and the identity of one of its leaders, Evgeniy Mikhailovich Bogachev, was disclosed.

As was discovered back in September 2013, the main distribution method for CryptoLocker were ZBOT executables disguised as PDF files being mass emailed to company email addresses. These emails pretended to be from tax companies, Fedex, UPS, Xerox, and other business related organizations. Once a ZBOT attachment was opened, ZBOT would be installed and would eventually download and install CryptoLocker on the infected machine.

CryptoLocker-thmb.jpg


All in all, there is no doubt that this was a hugely successful operation and one that benefits everyone who uses a computer, but is it really the end of CryptoLocker? Furthermore, are the creators of the Zeus Botnet and CryptoLocker one and the same? What we do know is that McAfee, one of the companies involved with the takedown, prematurely posted a blog post about Operation Tovar before it was officially announced. This blog post was only public for a brief period before it was taken down. Unfortunately, it may have been enough time to let the Gameover or CryptoLocker developers know what was going on as the CryptoLocker Decryption Service page was replaced with a simple message. "stupid mcafee :)". Unfortunately, this page is no longer accessible and showing a "Bad Gateway" message.

For now, more information about Operation Tovar can be found in the official United States Department of Justice complaint, their press release, and other court documents regarding Operation Tovar.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  •  Avatar image
  • Helper Emeritus
  • 85,296 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:49 PM

Posted 02 June 2014 - 03:16 PM

Shame such good news is tainted with that possibility.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Blade

Blade

    Strong in the Bleepforce


  •  Avatar image
  • Moderator
  • 13,491 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:49 PM

Posted 02 June 2014 - 04:58 PM

Whether or not Cryptolocker will adapt its distribution methods is unsure. But ransomware is here to stay. Many of the techniques that made Cryptolocker so formidable have already been copied by other infections. Nevertheless, a great win.
animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!

#4 Nathan

Nathan

    DecrypterFixer


  •  Avatar image
  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:49 PM

Posted 02 June 2014 - 09:44 PM

As some have said here already, this is a great movement as it is showing great progress towards law enforcement doing what needs to be done against this type of crime, but it is bitter sweet. In my opinion, because the one fault mentioned in Grinlers post above, Instead of this being the apprehension of a certain individual, Its a temporary stop for an infection that will be back more secure than ever. 

 

With anything that you do, if you do it long enough without interruption, complacency will set in. This leaves room for error, which in our case is what we want. 

 

Now that an interruption has happened after all this time, all flags are up. All i see is Zeus and Cryptolocker with even more security barriers. 

 

Like Cryptolocker 2.0 without the .NET ;) (jokes?)


Edited by decrypterfixer, 02 June 2014 - 09:45 PM.

Have you performed a routine backup today?

#5 Genex17

Genex17

  •  Avatar image
  • Members
  • 80 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:49 PM

Posted 02 June 2014 - 10:41 PM

I was at the point thinking it was near impossible to do anything about it. As always, a pleasure to find out otherwise. It may not stop them cold, but at least it's more than we expected.



#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  •  Avatar image
  • Admin
  • 45,110 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:49 PM

Posted 03 June 2014 - 11:01 AM

Agreed. We will now have a lull and maybe the malware developers will not be as brazen as they have been in the past. Glad to see the FBI and its partners were able to pull this operation off.

#7 Netghost56

Netghost56

  •  Avatar image
  • Members
  • 976 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:08:49 PM

Posted 03 June 2014 - 11:02 AM

Yet another reason Mcafee sucks.



#8 Netghost56

Netghost56

  •  Avatar image
  • Members
  • 976 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:08:49 PM

Posted 03 June 2014 - 11:04 AM

Don't think it's the end of Cryptolocker, not by a long shot. The creators have stumbled upon an exploit that can't be undone, and until encryption can be broken this type of attack will not go away...

 

..and since encryption is meant to be unbreakable....



#9 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  •  Avatar image
  • Admin
  • 45,110 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:49 PM

Posted 03 June 2014 - 11:12 AM

Yes, the winners for the the 2014 Malware Awards (just made that up) will be Encrypting Ransomware & Adware. Those two items will be the bane of computer users this year

#10 SleepyDude

SleepyDude

  •  Avatar image
  • Malware Response Team
  • 4,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:03:49 AM

Posted 05 June 2014 - 03:42 AM

For now it seems a very good news.

 

I have been collecting new Zbot samples almost every day blocked on my work mail server and I can tell you that after the raid the zbot flow stoped.


• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#11 DBAPaul

DBAPaul

  •  Avatar image
  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:49 PM

Posted 05 June 2014 - 08:10 AM

Great news!  But I presume that any machines already infected with CryptoLocker now have no extortionist to pay the ransome to get their files unencrypted.

 

Perhaps the criminals can be persuaded to make their existing keys available for free to their victims?  I never believed they expired in the time frame that the cybercriminals claimed.



#12 zingo156

zingo156

  •  Avatar image
  • Helper Emeritus
  • 3,345 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 05 June 2014 - 08:35 AM

I can confirm that emails containing the zeus bot have stopped on my end. I generally got around 5 emails a week that contained a zip with a *.exe or *.scr (zeus bot). I have had 0 blocks this week so far pertaining to zips containing runable items.

 

On my end a few good things came from this infection: I confirmed all backups were working properly and am more prepaired to recover from any future incident. I learned a lot more about group policies. This is something I ignored in the past for the most part. I started sending out fake fishing emails to employees to learn who the random clickers were and help teach people to avoid bad emails and html links etc.

 

I wish I could setup all users on a guest account but currently the way this company works, they need admin rights to install software on the road.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#13 TC8

TC8

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:49 AM

Posted 05 June 2014 - 05:01 PM

What is the best free protection. I have Malwarebytes, Spybot, C Cleaner, Panda Cloud, WOT & Microsoft Security. My Panda Cloud & WOT vanished when I changed to Google Chrome but have them back now. Is this enough security? I did used to pay but had the same thing happen twice which made me think even they were a con (Mc**** & N****N) Towards the end of the term I was asked to sign up for an upgrade as the basics were now longer good enough. I would have been happy to just renew until the greedy bleepers decided to freeze everything & then start deleting all my files.I even lost my sons graduation photo's! I have therefore decided to try & stick with the free ones that have been recommended. All has been well until this last week wen I ended up with 160+ PUP virus' Malware helped remove 100 of them but the 60 kept crashing my laptop. I eventually managed to get rid of them but my laptop has slowed down a lot. Any ideas or help gratefully accepted, thanx TC



#14 systemsol

systemsol

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 05 June 2014 - 05:50 PM

What is the best free protection. I have Malwarebytes, Spybot, C Cleaner, Panda Cloud, WOT & Microsoft Security. My Panda Cloud & WOT vanished when I changed to Google Chrome but have them back now. Is this enough security? I did used to pay but had the same thing happen twice which made me think even they were a con (Mc**** & N****N) Towards the end of the term I was asked to sign up for an upgrade as the basics were now longer good enough. I would have been happy to just renew until the greedy bleepers decided to freeze everything & then start deleting all my files.I even lost my sons graduation photo's! I have therefore decided to try & stick with the free ones that have been recommended. All has been well until this last week wen I ended up with 160+ PUP virus' Malware helped remove 100 of them but the 60 kept crashing my laptop. I eventually managed to get rid of them but my laptop has slowed down a lot. Any ideas or help gratefully accepted, thanx TC

Maybe you need to review your internet browsing habits......



#15 TsVk!

TsVk!

    penguin farmer


  •  Avatar image
  • Members
  • 6,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:12:49 PM

Posted 05 June 2014 - 06:36 PM

The best defense against malware is caution. Don't click on it... just don't do it.

 

edit: before that all you have to do is learn what it looks like. :scratchhead:


Edited by TsVk!, 05 June 2014 - 06:38 PM.





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users