Categories: SecurityWorkspace

CryptoLocker Copycat CryptoDefence Has Fatal Flaw

Ransomware has become an increasingly popular way for cybercriminals to turn infected computer systems into cash and this year, underground programmers are already churning out copycats of the most successful ransomware program, CryptoLocker, according to security firms.

On 31 March, security firm Symantec discovered a data-napping program, dubbed CryptoDefence, which has already netted its makers at least $34,000 (£22,000) in the first month, according to Symantec. The program encrypts nearly 50 different types of files, and then demands a ransom of about $500 in bit coins for the key.

Copycat

“CryptoLocker was the first and its success is driving other groups into adopting the same techniques,” Kevin Haley, director of security response for Symantec, told eWEEK.

In 2013, CryptoLocker infected more than 200,000 machines and earned its cybercriminal creators more than $380,000, according to Dell Secureworks, a managed security company. It’s likely that the malware earned much more than that, possibly millions of dollars, the company said in December.

Symantec first detected the Cryptolocker copycat in late February and in the 30 days since, has blocked 11,000 potential infections, the company stated in an analysis. By analysing the bitcoin addresses used to receive funds, Symantec estimated that the cybercriminals had received more than $34,000 in the month that it tracked the threat.

Potential victims will typically encounter a link to the ransomware installer in unsolicited spam. If they click on the link and install the program, it compromises their systems and contacts the attacker’s command-and-control servers, Symantec stated.

“The initial communication contains a profile of the infected computer,” the company’s analysis stated. “Once a reply is received from the remote location, the threat then initiates encryption and transmits the private key back to the server. Once the remote server confirms the receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location.”

Fatal flaw

While CryptoDefence shows some innovation – such as requiring that victims use the Tor anonymising network to make it harder to track the payment – it also has a fatal flaw: The program leaves the encryption key hidden on the victim’s machine. The mistake helped antivirus companies help their customers, Haley said. It also showed that the latest authors were not as good as the original creators of CryptoLocker, he said.

“I think you can argue that they weren’t as good, since they left the key on the computers,” Haley said.

Systems in the United States make up most of the infected computers detected by Symantec, followed by systems in the United Kingdom, Canada, and Australia, according to the company’s analysis.

The most effective defence against ransomware is to frequently back up data, according to Haley. While anti-malware defences can help detect known malware, the software is not always effective against unknown attacks. A backup can allow consumers and businesses to recover data without paying a ransom.

Are you a security pro? Try our quiz!

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

View Comments

  • Since Symantec did their blog post last week, it took the creators of CryptoDefense less than 24 hours to "fix" the key accessibility issue and a new version without the key was sent back out. This version costs the infected more so stands a chance of generating a lot more income for the cybercriminals.

  • We had confirmed that they created a new file in the location that they leave the encryption key with a time stamp for 8 am on 4/7/2014

Recent Posts

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

1 hour ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

3 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

18 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

21 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

22 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

23 hours ago