On the Cryptolocker Takedown #fail
Bitdefender researchers have identified a number of domains which are still hosting Cryptolocker malware command and control servers, after the takedown attempt by a group of cyber-vigilantes earlier this week.
All of the still active domain names are algorithmically generated, but somehow the cyber-vigilantes failed to take them into account, so the Cryptolocker network is still under full control of its creators. Some domains which were hard-coded into the Cryptolocker virus itself were not included in the takedown, but there seem to be no active command and control servers there at this time.
In any event, successfully sinkholing the entire Cryptolocker network and leaving it at that would create about as many problems as it solves. A takedown attempt must be combined with with some way to retrieve the private keys already present on command and control servers. Otherwise, many victims would be left with absolutely no way to decrypt files already encrypted by Cryptolocker.
9 Responses to On the Cryptolocker Takedown #fail
Show Pingbacks
Related posts
Aug.18.2016
in Anti-Malware Research , by Alexandra GHEORGHE
Hackers Can Use Smart Sockets to Shut Down Critical Systems
Jul.05.2016
in Anti-Malware Research , by Alexandra GHEORGHE
New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns
Jul.01.2016
in Anti-Malware Research , by Razvan Stoica
Pacifier APT - two years and counting
Jun.08.2016
in Anti-Malware Research , by Alexandra GHEORGHE
Bitdefender Stops ZCrypt Worm-Like Ransomware
May.26.2016
in Uncategorized , by Liviu Arsene
I don’t think a complete take down is legal :)), Even if someone can take all private/public key from “control center servers”, will need approval from any infected bot to decrypt his files
if 1 pc will crash during the decrypting process, guess who will get blamed:)) facerea de bine…
It’s a thorny question indeed, aptly summarized by the gem of folk wisdom you quoted partially.
Destroy those servers! There is no good in keeping them up after you have retrieved the keys.
No-one has retrieved any keys.
and… is back
C.r.y.p.t.o.l.o.c.k.e.r. .2…0…=Y.o.u.r. .i.m.p.o.r.t.a.n.t. .f.i.l.e.s. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.e.r.e. .e.n.c.r.y.p.t.e.d.:. .p.h.o.t.o.s.,. .v.i.d.e.o.s.,. .d.o.c.u.m.e.n.t.s.,. .e.t.c… .Y.o.u. .c.a.n. .v.e.r.i.f.y. .t.h.i.s. .b.y. .c.l.i.c.k. .o.n. .s.e.e. .f.i.l.e.s. .a.n.d. .t.r.y.i.n.g. .t.o. .o.p.e.n. .t.h.e.m
… .u.n.i.q.u.e. .p.u.b.l.i.c. .k.e.y. .R.S.A.-.4.0.9.6. .g.e.n.e.r.a.t.e.d. .f.o.r. .t.h.i.s. .c.o.m.p.u.t.e.r
… n.e.e.d. .t.o. .p.a.y. .3.0.0. .U.S.D. ./. .E.U.R. … W.e. .o.n.l.y. .a.c.c.e.p.t. .B.i.t.c.o.i.n. .a.s. .p.a.y.m.e.n.t
… y.o.u. .h.a.v.e. .t.o. .p.a.y. .2. .B.T.C
maior proteçºao ao navegar
I have to agree with Liubomir, A takedown of those servers might guarantee no more computers will be infected. For those that were infected, sad to say but i think it would be better to just cut loses and prevent this from happening again. If congress can pass the SOPA bill which allowed them to block ISP access to certain sites then I believe they should be able to do the same with this so called “RansomWare”… Unless the government doesn’t care for anything other than big businesses.