Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us

    The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks there is more to the emergence of this thread than initially discovered.

    We have identified one possible factor in this growth: the arrest of Paunch, the creator of the Blackhole Exploit Kit. Paunch’s arrest led to a significant reduction in spam campaigns using exploit kits. Clearly, this caused a vacuum in the spam-sending world – spammers would not all of a sudden stop sending spam. So they would need to send something out; what would this be?

    One of those replacements has turned out to be UPATRE. We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest.

    The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware. It also highlights, somewhat perversely, how resilient cybercrime can be: the response to Paunch’s departure was remarkably quick and may have ended up affecting more people than they had before.

    We’ve discussed in the previous CryptoLocker entries how to avoid becoming a victim. We reiterate that users should absolutely not open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice