Operation Tovar a success, but is it really Gameover for CryptoLocker?

Today the U.S Justice Department announced the successful takedown of the Gameover Zeus Botnet, which is a malware that steals bank credentials as well as acts as a distribution method for other malware. One of most well-known malware infections distributed by the Zeus Botnet, or ZBOT, malware was the ransomware called CryptoLocker. Through the combined efforts of the FBI, international law enforcement counterparts, and various private sector companies, the Gameover Zeus Botnet was successfully shutdown, servers seized, and the identity of one of its leaders, Evgeniy Mikhailovich Bogachev, was disclosed.

As was discovered back in September 2013, the main distribution method for CryptoLocker were ZBOT executables disguised as PDF files being mass emailed to company email addresses. These emails pretended to be from tax companies, Fedex, UPS, Xerox, and other business related organizations. Once a ZBOT attachment was opened, ZBOT would be installed and would eventually download and install CryptoLocker on the infected machine.

All in all, there is no doubt that this was a hugely successful operation and one that benefits everyone who uses a computer, but is it really the end of CryptoLocker? Furthermore, are the creators of the Zeus Botnet and CryptoLocker one and the same? What we do know is that McAfee, one of the companies involved with the takedown, prematurely posted a blog post about Operation Tovar before it was officially announced. This blog post was only public for a brief period before it was taken down. Unfortunately, it may have been enough time to let the Gameover or CryptoLocker developers know what was going on as the CryptoLocker Decryption Service page was replaced with a simple message. "stupid mcafee ". Unfortunately, this page is no longer accessible and showing a "Bad Gateway" message.

For now, more information about Operation Tovar can be found in the official United States Department of Justice complaint, their press release, and other court documents regarding Operation Tovar.

Shame such good news is tainted with that possibility.

Whether or not Cryptolocker will adapt its distribution methods is unsure. But ransomware is here to stay. Many of the techniques that made Cryptolocker so formidable have already been copied by other infections. Nevertheless, a great win.

As some have said here already, this is a great movement as it is showing great progress towards law enforcement doing what needs to be done against this type of crime, but it is bitter sweet. In my opinion, because the one fault mentioned in Grinlers post above, Instead of this being the apprehension of a certain individual, Its a temporary stop for an infection that will be back more secure than ever. 

 

With anything that you do, if you do it long enough without interruption, complacency will set in. This leaves room for error, which in our case is what we want. 

 

Now that an interruption has happened after all this time, all flags are up. All i see is Zeus and Cryptolocker with even more security barriers. 

 

Like Cryptolocker 2.0 without the .NET ;) (jokes?)

Edited by decrypterfixer, 02 June 2014 - 09:45 PM.

I was at the point thinking it was near impossible to do anything about it. As always, a pleasure to find out otherwise. It may not stop them cold, but at least it's more than we expected.

Agreed. We will now have a lull and maybe the malware developers will not be as brazen as they have been in the past. Glad to see the FBI and its partners were able to pull this operation off.

Yet another reason Mcafee sucks.

Don't think it's the end of Cryptolocker, not by a long shot. The creators have stumbled upon an exploit that can't be undone, and until encryption can be broken this type of attack will not go away...

 

..and since encryption is meant to be unbreakable....

Yes, the winners for the the 2014 Malware Awards (just made that up) will be Encrypting Ransomware & Adware. Those two items will be the bane of computer users this year

For now it seems a very good news.

 

I have been collecting new Zbot samples almost every day blocked on my work mail server and I can tell you that after the raid the zbot flow stoped.

Great news!  But I presume that any machines already infected with CryptoLocker now have no extortionist to pay the ransome to get their files unencrypted.

 

Perhaps the criminals can be persuaded to make their existing keys available for free to their victims?  I never believed they expired in the time frame that the cybercriminals claimed.

I can confirm that emails containing the zeus bot have stopped on my end. I generally got around 5 emails a week that contained a zip with a *.exe or *.scr (zeus bot). I have had 0 blocks this week so far pertaining to zips containing runable items.

 

On my end a few good things came from this infection: I confirmed all backups were working properly and am more prepaired to recover from any future incident. I learned a lot more about group policies. This is something I ignored in the past for the most part. I started sending out fake fishing emails to employees to learn who the random clickers were and help teach people to avoid bad emails and html links etc.

 

I wish I could setup all users on a guest account but currently the way this company works, they need admin rights to install software on the road.

What is the best free protection. I have Malwarebytes, Spybot, C Cleaner, Panda Cloud, WOT & Microsoft Security. My Panda Cloud & WOT vanished when I changed to Google Chrome but have them back now. Is this enough security? I did used to pay but had the same thing happen twice which made me think even they were a con (Mc**** & N****N) Towards the end of the term I was asked to sign up for an upgrade as the basics were now longer good enough. I would have been happy to just renew until the greedy bleepers decided to freeze everything & then start deleting all my files.I even lost my sons graduation photo's! I have therefore decided to try & stick with the free ones that have been recommended. All has been well until this last week wen I ended up with 160+ PUP virus' Malware helped remove 100 of them but the 60 kept crashing my laptop. I eventually managed to get rid of them but my laptop has slowed down a lot. Any ideas or help gratefully accepted, thanx TC

What is the best free protection. I have Malwarebytes, Spybot, C Cleaner, Panda Cloud, WOT & Microsoft Security. My Panda Cloud & WOT vanished when I changed to Google Chrome but have them back now. Is this enough security? I did used to pay but had the same thing happen twice which made me think even they were a con (Mc**** & N****N) Towards the end of the term I was asked to sign up for an upgrade as the basics were now longer good enough. I would have been happy to just renew until the greedy bleepers decided to freeze everything & then start deleting all my files.I even lost my sons graduation photo's! I have therefore decided to try & stick with the free ones that have been recommended. All has been well until this last week wen I ended up with 160+ PUP virus' Malware helped remove 100 of them but the 60 kept crashing my laptop. I eventually managed to get rid of them but my laptop has slowed down a lot. Any ideas or help gratefully accepted, thanx TC

Maybe you need to review your internet browsing habits......

The best defense against malware is caution. Don't click on it... just don't do it.

 

edit: before that all you have to do is learn what it looks like.

Edited by TsVk!, 05 June 2014 - 06:38 PM.