Cryptolocker was first spotted in the wild as early as the first week of September. By the end of October, it had been named one of the “Internet’s Most Wanted” by all major security vendors. By now, the Internet has covered what it is, how one gets infected, how to remove it, and how to avoid being infected. Unfortunately, there’s no way to decrypt the files without the crypto key (see why here). The best prevention as of now is to prevent the malware from executing in a Windows system with SRP (software restriction policy).

This malware has received some serious attention from the security community for nearly two months, so we’re curious about the effectiveness of these defense measures and the impact to OpenDNS customers. 

First, a quick recap of how OpenDNS provides protection against Cryptolocker: In a previous post, we introduced a predictive algorithmic method – The Ripple Effect – for detecting Cryptolocker CnC domains. The method uses the fact that the malware contacts a set of randomly generated domains to fetch an asymmetric crypto key before it starts encrypting the data files on the victim’s system. The Ripple Effect method relies on the co-occurring pattern of the domain requests made consecutively by the malware in a short time window.

A number of users of our free DNS service were infected with the malware (we’ll show some simple stats later on). OpenDNS customers using Umbrella are protected against losing their valuable data to Cryptolocker because we successfully cut off the outbound communication initiated by the malware for retrieving the encryption key. OpenDNS customers are spared the data loss, and gain time to remove the malware before it can cause damage.

If you’re an Umbrella user, you can check for evidence of Cryptolocker in the Dashboard. On the Security Activity report, filter by security category: botnet.  There is a very good chance of you were infected by Cryptolocker if you see a long list of botnet domains displaying the following patterns:

  1. 12,13,14 or 15 random characters, TLDs rotating among .info, .com, .ru, .biz, . co.uk, .org and .net
  2. Frequent requests made in very short intervals to about 1000 unique domains following the above string patterns.

If that is what you’re currently seeing in your network, be sure to check for Cryptolocker infection and clean it up as soon as possible. Cleaning the malware is rather straightforward.

Screen Shot 2013-11-04 at 12.25.18 PM

 The following traffic frequency chart shows that the life span of each Croptolocker domain is exactly 24 hours.

cl.domain.lifespan

How widespread is the infection? We looked into our data for October and studied the infections among OpenDNS users in a number of dimensions. We first took a look at the number of total requests made to Cryptolocker domains over the last two weeks of October: a daily rate of a few millions. 

totalrequests 

The insane volume of requests is due to the non-stop, repeated requests of a single copy of the malware when it fails to make contact with its CnC servers and there are 1000 domains being requested each day. The total number of user clients initiating these requests is on a much smaller scale, but certainly large enough to make the malware authors a sizable profit if all Cryptolocker victims pay the ransom.

In the following figure, we show the count of total infections (by unique client IP addresses) each day, and the count of new infections.

totalvsnewinfections

 The infected clients spread over multiple countries, and clearly have a higher concentration in the U.S.

cl.clients.geo 

Even though many of the Cryptolocker domains were sinkholed, the bad news is that a single successful contact with the CnC server will lock down your data files. We observed the CnC servers resolutions over 30 days, and the following chart shows the number of CnC servers successfully resolved to a non-sinkholed IP address. 

 non-sinkholed resolutions

Let’s take a closer look at the infrastructure of the CnC server IP addresses. This chart shows how IP addresses were rotated in and out at different days, and the height of each segment shows the number of domains mapped to an IP address on a particular day.

 C2IPs.overtime

 These IP addresses are located in a variety of geolocations. 

cl.server.geo

Right now, Umbrella effectively contains the current version of Cryptolocker, but we don’t expect to this notorious ransomware  to reach a full stop any time soon.  We are very closely tracking the progression of its infrastructure changes and likely new malware variations. If anything interesting turns up, we’ll report it here—stay tuned!

 

 

This post is categorized in: