Everyone loves a holiday. And right now the digital police are giving us a two week holiday from ransomware’s latest supervillain team: Cryptolocker and GameOver Zeus. But make sure to sort out your insurance before breaking open the pina coladas; because although the authorities have control of the malware for now, as we all know, holidays don’t last forever.
What is Cryptolocker?
The malware that’s getting all ‘American Hustle’ in our grill this time is Cryptolocker, which has been around for a while, but it is now being delivered to computers by the GameOver Zeus (GOZ) botnet: malicious software that links your computer to a global network of compromised machines designed to mess with your life. GOZ tells each infected computer to reach out to other computers in the botnet, and it sends stolen information back to the criminals. This kind of botnet is known as peer-to-peer: the victims’ computers form a massive network that shares information among itself and has no single point of failure, so it’s harder to take down.
GOZ then downloads the information, decrypts it, and has a rummage around for bank account passwords and other things you don’t want stolen. If it comes up empty, some versions of the software will bring in Cryptolocker. This bad boy encrypts your files and locks you out unless you pay a ransom to have them decrypted, currently about one Bitcoin (£200 to £300) in the UK, according to the National Crime Agency (NCA).
The Justice Department is calling it one of the most sophisticated cyber threats ever, as the devious dream team has infected around 234,000 machines and hauled in an estimated $27m in ransom payments within the first two months alone. The FBI et al. are now trying to keep them down for as long as possible while they capture the man behind the operation, but it’s only a matter of time before a new version springs up, probably two weeks at most.
The operating systems affected are:
- Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
- Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012
What’s the latest?
To disable GOZ, authorities took over the points of control in its peer-to-peer network (a technique known as ‘sinkholing’). The security company Symantec sent lists of fake peers to infected machines, cutting off the criminals’ control over the infected computers. But this mini break may only last weeks, or even days.
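To make the sinkholing idea concrete, here is an added toy model, not code from the article or from anyone involved in the takedown. It assumes a hypothetical peer-to-peer botnet in which every bot keeps a short peer list and refreshes it by asking one known peer; the takedown team hands a list made up entirely of fake “sinkhole” peers to the bots it can reach, and the model tracks how the fake entries spread through normal peer exchange until a bot knows no real peer at all. Bot ids, list sizes and the gossip rule are all constructed for the demonstration and are not GOZ’s actual protocol.

```python
import random


def build_peer_lists(n_bots, peers_per_bot, rng):
    # Constructed toy botnet: bot ids are 0..n_bots-1 and each bot starts out
    # knowing a few random real peers (hypothetical model, not GOZ's protocol).
    return {b: rng.sample([x for x in range(n_bots) if x != b], peers_per_bot)
            for b in range(n_bots)}


def fraction_cut_off(peer_lists):
    # A bot is "cut off" from the criminals when every peer it knows is a
    # sinkhole (sinkhole ids are negative): it can no longer reach a real peer.
    cut = sum(1 for known in peer_lists.values() if all(p < 0 for p in known))
    return cut / len(peer_lists)


def gossip_round(peer_lists, sinkholes, rng):
    # One round of peer exchange: each bot asks one known peer for its list and
    # keeps the freshest entries, trimmed to its own list size. A sinkhole only
    # ever answers with other sinkholes, which is how the fake entries spread.
    updated = {}
    for bot, known in peer_lists.items():
        size = len(known)
        contact = rng.choice(known)
        offered = sinkholes if contact < 0 else peer_lists[contact]
        updated[bot] = list(dict.fromkeys(offered + known))[:size]
    return updated


def simulate_sinkhole(n_bots=300, peers_per_bot=8, n_sinkholes=16,
                      seed_fraction=0.1, rounds=12, seed=7):
    # Returns the fraction of bots cut off after each round, starting at round 0.
    rng = random.Random(seed)
    peer_lists = build_peer_lists(n_bots, peers_per_bot, rng)
    sinkholes = [-(i + 1) for i in range(n_sinkholes)]
    # The takedown team pushes a list made up entirely of fake peers to the bots
    # it can reach directly; every other bot has to be reached through gossip.
    for bot in rng.sample(range(n_bots), int(n_bots * seed_fraction)):
        peer_lists[bot] = sinkholes[:peers_per_bot]
    history = [fraction_cut_off(peer_lists)]
    for _ in range(rounds):
        peer_lists = gossip_round(peer_lists, sinkholes, rng)
        history.append(fraction_cut_off(peer_lists))
    return history


if __name__ == "__main__":
    for rnd, frac in enumerate(simulate_sinkhole()):
        print(f"round {rnd:2d}: {frac:.0%} of bots see only sinkhole peers")
```

Once a bot’s list holds nothing but sinkholes it stays that way, because every peer it can ask is a sinkhole that answers with more sinkholes; that is why the cut-off fraction never decreases in the model and why the real takedown only needed to reach a subset of infected machines directly. It is also why the holiday is temporary: the criminals can push a fresh peer list or a new variant through any channel the sinkholes don’t cover.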
Last weekend, two of the computer networks that had been used for the scam were seized, but police are advising that you sort your security out now, before further attacks are launched.
Tips to stay safe:
Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit said: “By making use of this two-week window, huge numbers of people in the UK can stop [it] from happening to them. Whether you find online security complicated or confusing, or simply haven’t thought about keeping your personal or office computers safe for a while, now is the time to take action.”
The current advice is to:
- Update your operating system and security software – and remember to do this regularly
- Not click on unfamiliar, unsolicited or dodgy-looking links in emails, even if the email is from someone you know
- Back up important data onto unconnected storage (external hard drives etc.)
- If you’re a business, check your incident response and resilience protocols i.e. make sure your system is secure and that you’re able to respond quickly to the threat
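The backup advice is only useful if you can tell, after the fact, which files the malware has touched and which copies are still good. The following is an added example, not code from the article or the NCA, that records a manifest of file hashes at backup time and later compares the live folder against it, reporting files that were changed, went missing or appeared with a new name, which is the pattern an encryption attack leaves behind. The folder layout, file contents and the “attack” in the demo are all constructed; the design assumes the manifest is stored on the unconnected backup drive alongside the copies, so the attacker cannot alter it.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path):
    # Hash in chunks so large files don't have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    # Map every file under root (path relative to root, POSIX form) to its SHA-256.
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    # Keep this file with the backup, not on the machine being protected.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_against_manifest(root, manifest):
    # Compare the live folder with the manifest recorded when the backup was taken.
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    # Constructed sample: two files are backed up, then the folder suffers the
    # kind of damage an encryption attack causes (one file overwritten with
    # random-looking bytes, one renamed with a new extension).
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly figures")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        manifest_path = Path(store) / "manifest.json"   # lives with the backup
        save_manifest(build_manifest(root), manifest_path)

        (root / "docs" / "report.txt").write_bytes(b"\x8a\x1f\x00\x9c\x42\x17\xd3")
        (root / "photo.jpg").rename(root / "photo.jpg.encrypted")

        return verify_against_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check before restoring: anything in `changed` or `missing` should come back from the backup copy, and a sudden burst of `changed` entries across a whole tree is a strong sign the files were encrypted rather than edited by a person.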
There are lots of anti-virus sites out there, but if you’ve already been hit, here are a few suggestions from the Justice Department to help clean up your system:
http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)
http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)
http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)