LONDON/WASHINGTON: The FBI and crime agencies from across the globe have temporarily disrupted one of the most aggressive computer viruses ever seen, but are warning victims they have two weeks to protect their computers before the hackers seize it back.
Digital police from across the globe have claimed success in disrupting the criminal operation behind the ransomware, known as Cryptolocker.
The UK’s National Crime Agency (NCA) has told British victims that they have a two-week window to protect themselves, after working with the FBI, Europol and other law enforcement bodies to temporarily seize control of the global network of infected computers.
Cryptolocker is now disabled, but the NCA said it was a race against time before the hackers circumvent their block on it. It follows one of the biggest ever international collaborations between the major crime agencies to prevent a virus of this magnitude.
The Cryptolocker software locked PC users out of their machines, encrypting all their files and demanding payment of one Bitcoin (currently worth around £300) for decryption.
The FBI estimates that the virus has already acquired $27m (£17m) in ransom payments in just the first two months of its life, and that it has infected more than 234,000 machines.
A chief suspect from Russia has been identified, but is still at large, said Troels Oerting, head of Europol’s cyber crime centre (EC3). Oerting said other arrests related to the operation were in progress.
The global effort to stop the spread of the Cryptolocker ransomware has focused on its delivery method, itself a dangerous form of malware — or virus — called Gameover Zeus (GOZeuS). This linked the infected machines by peer-to-peer connections — in theory making it harder for the authorities to track and stop.
GOZeuS was designed to steal people’s online banking login details, and its victims were usually infected when they clicked on attachments or links in emails that looked innocuous. However, it also dropped Cryptolocker on to their computers.
“Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals,” said Andy Archibald, deputy director of the NCA’s cyber crime unit.
“By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them,” he said.
“Whether you find online security complicated or confusing, or simply haven’t thought about keeping your personal or office computers safe for a while, now is the time to take action.”
Affected users are being advised to update their operating system software and security software, and also to “think twice before clicking on links or attachments in unsolicited emails”.
Behind the scenes, the law enforcement groups have been taking over points of control in GOZeuS’s peer-to-peer network: an action known in the security world as “sinkholing”.
By doing this, they have been able to cut off criminal control over the infected computers. Oerting said the entire infrastructure of the GOZeuS operation had been sinkholed, meaning that the malware should “not reappear for … a considerable time”.
Dismantling peer-to-peer operated malware is difficult, but it has been done before: one example is a data-stealing virus called ZeroAccess, which infected as many as 1.9m PCs in 2013.
In that case, security researchers from Symantec managed to send lists of fake peers to infected machines, which meant they could no longer receive commands from the controllers of the malicious network, known as a botnet.
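To make the sinkholing described above concrete (taking over points of control in the peer-to-peer network, and feeding infected machines lists of fake peers), here is an added toy simulation; it is not code from the article or from any real takedown. The bot count, peer-list size of 8, the gossip rule and the node ids are all constructed assumptions, not details of GOZeuS or ZeroAccess.

```python
"""Toy simulation of sinkholing a peer-to-peer botnet by peer-list poisoning.

Added example with constructed assumptions: bots keep a fixed-size peer list
and refresh it by gossip; defenders take over some node addresses (sinkholes).
"""
import random

PEER_LIST_SIZE = 8  # assumed per-bot peer-list capacity


def build_botnet(n_bots, rng):
    """Give every bot a random peer list drawn from the other bots."""
    ids = list(range(n_bots))
    return {b: rng.sample([p for p in ids if p != b], PEER_LIST_SIZE) for b in ids}


def gossip_round(peers, sinkholes, rng):
    """Each bot asks one random peer for its peer list and merges the reply.

    A sinkholed node (a point of control taken over by defenders) answers with
    nothing but sinkhole addresses, so the asking bot's list fills with dead ends.
    """
    sinkhole_list = sorted(sinkholes)
    for bot, plist in peers.items():
        chosen = rng.choice(plist)
        if chosen in sinkholes:
            reply = rng.sample(sinkhole_list, min(PEER_LIST_SIZE, len(sinkhole_list)))
        else:
            reply = peers[chosen]
        # Newest entries take precedence; older ones fall off the end of the list.
        merged = list(dict.fromkeys(reply + plist))
        peers[bot] = merged[:PEER_LIST_SIZE]


def cut_off_fraction(peers, sinkholes):
    """Share of live bots whose peer list holds no route to a real peer."""
    live = [b for b in peers if b not in sinkholes]
    isolated = sum(all(p in sinkholes for p in peers[b]) for b in live)
    return isolated / len(live)


def simulate(n_bots=200, n_sinkholes=40, rounds=40, seed=1):
    """Return the cut-off fraction after each gossip round, starting at round 0."""
    rng = random.Random(seed)
    peers = build_botnet(n_bots, rng)
    # Defenders take over a subset of node addresses; those now answer as sinkholes.
    sinkholes = set(rng.sample(range(n_bots), n_sinkholes))
    history = [cut_off_fraction(peers, sinkholes)]
    for _ in range(rounds):
        gossip_round(peers, sinkholes, rng)
        history.append(cut_off_fraction(peers, sinkholes))
    return history


if __name__ == "__main__":
    for r, frac in enumerate(simulate()):
        print(f"round {r:2d}: {frac:.0%} of bots can no longer reach a real peer")
```

Isolation is absorbing in this model: once a bot's list holds only sinkholes it can only ever ask sinkholes, which is why the cut-off share never decreases and climbs towards all of the live bots.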
Symantec researchers said that key nodes in GOZeuS’ network had been disabled, along with a number of the domains used by the attackers.
US authorities have identified Evgeniy Mikhailovich Bogachev, 30, of Anapa in the Russian Federation, as the leader of the criminal operation behind GOZeuS, which is thought to have infected between 500,000 and 1 million computers worldwide, including more than 15,500 in the UK.
The suspect, who authorities said is known online as Lucky12345, is charged with writing computer code used to compromise banking systems and assist others in stealing banking credentials, according to court documents.
Many of those machines will also be infected by Cryptolocker. Victims are likely to receive messages from their ISPs in the coming weeks alerting them of infection. The US Department of Homeland Security set up a website to help victims remove the GOZ malware: https://www.us-cert.gov/gameoverzeus
The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine and the United Kingdom.
Intel Corp, Microsoft Corp, the security software companies F-Secure, Symantec Corp and Trend Micro, and Carnegie Mellon University also supported the operation.
Although arrests have not yet been made, Oerting believes the eventual impact will be “great”. “[It will not last] forever, but the infrastructure is gone and the criminals will have to build and distribute from scratch,” he added.