CryptoLocker ransomware infections collapse after Gameover takedown, researchers estimate

John E Dunn

This week's global police assault on the vast P2P Gameover Zeus botnet has left the distribution system for the CryptoLocker ransomware foundering, according to two Danish security firms that have been monitoring new infections.

Patching firm Heimdal Security and partner CSIS Security Group estimate that by early May 2014, just before Gameover was disrupted, at least 1.2 million computers were infected by the botnet, with around 50,000 systems joining it in an average week. That weekly figure has since fallen to the low hundreds, or even close to zero.

An unknown number of these were also hit by one of the botnet's payloads, the hated CryptoLocker, which appears to have suffered its first real setback last Friday. It has never been clear how heavily CryptoLocker depends on Gameover, although the two are believed to have been developed by the same criminal gang.

It now looks as though Gameover was critical to CryptoLocker's success: detections of new infections have effectively dropped to zero, the firms said, although they declined to explain how they arrived at that figure for fear of revealing their monitoring methods to the gang.

"At the beginning of May this year, we saw a high rate of new CryptoLocker infections, with as many as 5,000 new infections per day. Later in May, infections even peaked at a very high number of 8,000 infections per day," said Heimdal Security's CEO, Morten Kjaersgaard.

"Our intelligence now shows that the number of new infected machines has dropped off significantly and is currently relatively stable around 0 [zero]."

None of this does anything to help the large but unknown number of PCs already infected by CryptoLocker, but it does at least suggest that the malware's dependency on the Gameover platform is its weak point.

The firm had seen no drop-off in the number of currently infected systems, although the loss of Gameover's command and control will have disrupted the channel through which ransom payments are collected and, in theory, decryption keys are sent back to victims (note: there is strong anecdotal evidence that the criminals no longer send keys even when paid).

The US accounted for by some way the largest share of these infected systems, he said.

"The US, UK and Germany especially have been hit hard by the Zeus Gameover P2P malware over the last few months, but this joint effort has really dealt a big blow to the malware."

But how on earth did Gameover become so powerful and how was it and its nasty CryptoLocker sideline spiked?

From this week's dramatic headlines and back-slapping press releases, you could be forgiven for thinking that Gameover Zeus is a relatively new menace that has been stopped in its tracks. Nothing could be further from the truth.
