DNS Sinkhole campaign underway for CryptoLocker

A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server. This method is now being used against CryptoLocker, a file encrypting ransomware that requires a $300 USD ransom from victims in order to get their files back. We have been monitoring and helping CryptoLocker victims since its release in early September. This infection has been devastating for its victims.

For quite a while, we have noticed that an unknown organization has started redirecting, or sinkholing, CryptoLocker domains to sinkdns.org hostnames. When CryptoLocker attempts to communicate with certain domains it will instead be sent to a server hosted in the sinkdns.org domain. The connection will also contain the http headers Server: You got served! and X-Sinkhole: malware cryptolocker sinkhole. By sinkholing the domains, communication between an infected computer and the malware's Command & Control server is not able to take place. If CryptoLocker is unable to communicate with a C&C server and receive a public key used to encrypt files, it will endlessly loop till it can. By breaking this communication, security researchers aim to halt CryptoLocker before it further encrypts other infected computer's files.
 

Unfortunately, this sinkhole is not completely successful at this time. Tests have shown that CryptoLocker will eventually find a non-sinkholed hostname that is part of its Domain Generation Algorithm and begin encrypting the files. Furthermore, in order for a person to pay the ransom and decrypt their files they will need to be able to reach one of infection's C&C servers. If all its domains become blocked, then affected users will no longer be able to pay the ransom if they wish to do so. As you can see this is a double-edged sword.

At this time no organization has taken credit for the sinkhole campaign. If anyone has any information on the sinkdns.org domain, please let us know here. For more information about CryptoLocker, please see this guide: CryptoLocker Ransomware Information Guide and FAQ.

This is rather startling.

And if you're already infected/encrypted, and if you've already paid and are awaiting the private key- you're in trouble.

 

Maybe the feds have taken action here?

I've made the double edge sword comment already, i am now helping someone who needs the ransom to go through, so I'm forced into

hoping that this won't take place before I get  the decryption packets....

I just hope and pray that everyone gets the best they can out of this, and at a minimum, a great education.

OK, I understand the concept of a DNS sinkhole, but how does one actually accomplish such a feat?  It would seem to me that it would have to involve participation from an ISP or other high-level body.  I couldn't just start a DNS server in my spare bedroom and expect it to work.

That's why I suspect feds....or a rival hack group that wants to supercede their version of cryptolocker over the original.

 

Grinler, how did you learn of this? I mean, how did you determine that the domains are being redirected?

That's why I suspect feds....or a rival hack group that wants to supercede their version of cryptolocker over the original.

If I could hazard a guess, its probably security firm.

Grinler, how did you learn of this? I mean, how did you determine that the domains are being redirected?

Use a sniffer while starting the cryptolocker executable. You will start to see many attempts to connect to a DGA domain and get redirect to the sinkhole.

If it cannot contact the Command and Control, then how does it start to encrypt the files?

It doesn't as explained in the first post.

The company I work for was hit yesterday...we now have almost 130,000 encrypted files, most are on a mapped network drive.  AVG remotely removed the CryptoLocker exe and its related HKLM keys from the infected client machine/registry yesterday PM (Oct 24, 2013) but left the HKCU key containing the list of encrypted files.  We are giving consideration to paying for the decryption tool but the URL provided via the Cryptolocker wallpaper minus the .exe specification does not work.

Is this because of the DNS sinkhole campaign mentioned in this thread?  We welcome any/all assistance in resolving this issue

Edited by JohnWHS, 25 October 2013 - 03:20 PM.

To JohnWHS
Currently, our last encounter with this was done in three ways. 1.) First, we eliminated the threat. 2.) Secondly, we did not foolishly pay the money. We used our backups the day before the infection started. We had to restore virtual servers and files, but this COMPLETELY elminited the problem. 3.) Thirdly, we profusely beat the end user for doing this. No j/k, we had to educate the users to please be very clear not to click on anything just, because it "looks" something for you. Pffft, and you know that battle will end. Hence, the profuse beatings )

Looks like I was right and wrong about this. It turns out it was Kaspersky and ThreatTrack labs who sinkholed the domains:

 

http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money

 

It seems they are only doing it for monitoring at this point though.  As the infection generates 1000 new domains a day, sinkholing is not going to be realistic.

Wow, 1,000 domains a day...depressing!

 

Hey Grinler/Lawrence! Thank you so much for the CryptoLocker Guide/FAQ! I have posted about this piece of crapware and your Guide/FAQ on one of my blogs here.

 

Have to rethink how we back up too if all drive letters on the computer, including backup drives are available to this piece of ransomeware, eh?

Thanks Fran. Yup, this type of ransomware is a big wake up call.

For sure!

 

Having to rethink how folks do things. And sadly, it is much less convenient and they are not happy about it.