Recent reports on the CryptoLocker ransomware attacks suggest that the teams behind the malicious encryption scheme are working hand in hand with criminal botnet operators.
The teams behind CryptoLocker, which are believed to be mainly Russian-speaking, designed it to infect victims' systems with malware that applies strong encryption to specific file types. Once the infection is complete, the only way to retrieve the files, short of restoring from a backup the malware could not reach, is to pay a ransom of at least $150 in a hard-to-trace web-based currency. To support the distribution and control of this system, the CryptoLocker teams are paying large portions of the ransom proceeds to the owners of botnets.
Beyond the spam distribution provided by the botnet owners, which relies on duped PC users opening infected attachments to spread CryptoLocker, the teams offer as much as 75% of the ransom take for the direct infection of botnet-controlled systems. This option is not without consequences for the botnet owners: directly infecting a controlled PC effectively removes that system from the botnet, since the victim will typically clean or rebuild it. However, with the large amounts of ransom money pouring into the scheme, the 75% payout for a direct infection can be nearly as lucrative for a botnet owner as keeping the system in the botnet.
Connections With Fake Antivirus
Reports have also surfaced recently that connect some of the possible players in the CryptoLocker ransomware scheme with the rash of fake antivirus scams that appeared nearly five years ago.
The fake antivirus scams told users that their systems were infected with viruses and that they should pay to have the viruses removed, or "cleaned," from their machines. In reality, the machines were infected with malware that perpetuated the scam. The scam was slowly shut down through increased awareness and a concerted effort by the security industry to restrict the criminals' ability to make use of credit card payment processing.
The end of the fake antivirus scams is believed to mark the beginning of the move toward CryptoLocker. As the scheme has been refined, there have been smaller outbreaks of crypto-based extortion. Two years ago a group of Russian-speaking cyber-criminals targeted Russians with a CryptoLocker-like scam and were quickly arrested by Russian authorities. The current rash of encryption-based scams has so far targeted primarily English-speaking and US-based users.
The current infection model for CryptoLocker is slow and plodding, relying on poor security practices and the gullibility of users to spread. A future version of CryptoLocker could instead propagate automatically to unsuspecting users, as the Blaster worm did years ago. If the gangs behind the ransomware decide to expand their reach using this technique, an epidemic of infections could easily occur. In that case, cutting off the payment systems of a CryptoLocker epidemic may be all that stands between users and this possibility.