GameOver Zeus (GOZ) was a banking Trojan distributed through spam and phishing emails. In addition to harvesting a user’s banking credentials, GOZ could take control of a user’s machine, using it to send spam or to work as a bot in a DDoS attack. The Zeus Trojan had been around for a while, but the GameOver strain proved hard for law enforcement officials to crack.
Instead of using centralized servers for command and control, it used a large peer-to-peer (P2P) network of infected machines. Without centralization, the network had no single point of failure, which made it tough to eliminate. The P2P network that distributed GOZ also distributed the notorious CryptoLocker ransomware, which locked up computers, encrypted files and demanded ransom payments from their owners.
To take down GOZ, law enforcement agencies like the FBI and Europol partnered with security companies in 10 countries to redirect P2P traffic back to servers under their control. The Department of Justice also charged 30-year-old Evgeniy Mikhailovich Bogachev with wire fraud, bank fraud, money laundering, conspiracy and computer hacking for his role in overseeing GOZ and CryptoLocker. Of course, since nature abhors a vacuum, a new brand of ransomware has taken CryptoLocker’s place. CTB-Locker is a growing threat even more insidious than CryptoLocker.
Elliptic Curve Cryptography and Tor: CTB-Locker’s Secret Weapons
CTB-Locker, which stands for Curve-Tor-Bitcoin Locker, is also known as Critroni. It uses elliptic curve cryptography (ECC) to encrypt user files. ECC is tougher to crack than traditional RSA cryptography. ECC builds keys on points of the elliptic curve y² = x³ + ax + b, while RSA relies on lengthy factoring operations and large keys to protect the files it encrypts.
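To make the curve equation concrete, here is an added example (not from the article, and not CTB-Locker's code) of toy elliptic-curve arithmetic over a small prime field; the field size, curve coefficients and base point are constructed for illustration only. It shows how a public key is derived from a private scalar, and why recovering that scalar gets harder as the curve grows.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity (group identity)
# Constructed toy parameters: a 97-element field and the curve y^2 = x^3 + 2x + 3;
# real curves use ~256-bit primes, this one only exists to make the arithmetic visible.
P, A, B = 97, 2, 3
G = (3, 6)  # base point; 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97), so it lies on the curve

def on_curve(pt: Point) -> bool:
    """True when y^2 == x^3 + A*x + B (mod P); the identity is on the curve by definition."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1: Point, p2: Point) -> Point:
    """Group law (chord-and-tangent rule) for points over the prime field."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P) is the identity; also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: deriving the public key k*G is cheap even for a 256-bit k."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def recover_private_key(base: Point, public: Point) -> int:
    """Brute-force the discrete log k with public == k*base by stepping through multiples;
    the step count grows with the group order, so a real curve (~2^256 points) makes this infeasible."""
    k, acc = 1, base
    while acc != public:
        acc = add(acc, base)
        k += 1
    return k
```

On this 97-element toy curve the brute-force search finishes instantly; on a real curve the same loop is the reason a victim cannot derive the attacker's private key from the public key left on the machine.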
Both CryptoLocker and CTB-Locker are currently in the wild despite the takedown of the GOZ network. Ransomware can become a nightmare for users, which is why using cloud computing security solutions, network security tools and antivirus software for individual machines is more crucial now than ever before. CTB-Locker is worse than CryptoLocker because its use of ECC lets it encrypt user files more quickly and makes them virtually impossible for users to decrypt. In fact, any attempt to decrypt the files results in the destruction of the private key.
To add another layer of complexity, CTB-Locker routes command-and-control traffic through the anonymous Tor network. By routing traffic through Tor, the creator of CTB-Locker makes it difficult to track down and eliminate the command-and-control server. When a user’s computer is infected with CTB-Locker, a locked onscreen message commands the user to pay ransom by sending Bitcoin. With both ECC encryption and Tor in play, the user has no options for decrypting the files or finding the attacker.
Preventing and Surviving a Ransomware Infection
Someone who finds his or her computer infected with CryptoLocker or CTB-Locker should take the following steps:
- Avoid paying the ransom. Paying the ransom doesn’t mean that users will receive the decryption keys for their files. Most likely, they will send Bitcoin to an attacker and still never recover their files.
- Restart the infected computer from the antivirus boot disc. Alternatively, visit the antivirus company’s website and use its online scanning and cleaning tool. Avoid using the computer again until the hard drive has been scanned and cleaned.
- Contact law enforcement. In addition to leaving a complaint with the Internet Crime Complaint Center (IC3), contact local law enforcement. Police may not immediately find the attacker, but repeated complaints can give law enforcement enough information to mount another GOZ-like takedown.
Most ransomware spreads through phishing emails, so users should never click a link in an email message no matter how urgent the message appears to be. Users should copy and paste the URL into a browser window, or they should hover the cursor over the link or button to display its real URL and then type that URL into the browser’s address bar.
Avoiding a ransomware infection by using computer security solutions is the best way to prevent a CTB-Locker encounter. Also, backing up files on a regular basis ensures that even when users can’t decrypt the files, they have extra copies that they can access. Unfortunately, ransomware is becoming more popular because so many people are willing to pay the ransom. They don’t realize that once the files are encrypted, all of the data is lost.