Bitcoin and the hacker in pajamas: the story of Cryptolocker, the first modern ransomware


[The 5 cases that shaped cybersecurity] Over the coming weeks, Numerama invites you to revisit five founding events in computer security, in five articles. We begin this series with Cryptolocker, the first modern ransomware to truly hit on the criminal economic equation that would make this type of virus so successful.

In early November 2013, the officers of the Swansea police department, in the United States, were in an awkward position. Their computer system had just been hit by a new virus of unknown origin. Its name? Cryptolocker. Files, administrative documents and investigative material had been encrypted, making them unusable. And on one workstation, a window with a countdown had appeared.

They had to quickly pay a ransom of two bitcoins, a cryptocurrency they had never heard of, or lose the files for good. After a few days of deliberation, the police department paid up, handing over the equivalent of 750 dollars, and admitted as much to the Herald News in a rare show of transparency.

The famous Cryptolocker screen telling the victim that a ransom must be paid to regain access to their files.

Cryptolocker is not the first ransomware to infect a computer. The first is generally considered to be AIDS, which spread in 1989 on floppy disks sent by post. But by innovating on several crucial points, Cryptolocker drew the modern face of this type of malware. Tellingly, its name was for a time synonymous with ransomware itself, a criminal activity that has since proliferated to the point of becoming one of today's main computer threats.

Cryptolocker, a revolutionary ransomware

Dell SecureWorks specialists, the first to raise the alarm about the appearance of Cryptolocker, praised the developers' "sound design decisions". "This is my first time paying for ransomware. Its author is a genius," writes a user on the Bleeping Computer forum.

So what makes this ransomware so revolutionary? First, the virus is not a simple lock screen, a type then in vogue that merely blocks the user from opening a session. It relies on strong encryption, which lends credibility to the ransom demand. The ransom can also be paid in bitcoin, a means of payment still quite rare at the time. Finally, the malware's designers built in a generator of command and control server domain names (a domain generation algorithm), making detection and blocking more complex, as CERT-FR has pointed out.
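The point CERT-FR makes about domain generation is easiest to see from the defender's side. The following added example (not code from the article, Numerama or CERT-FR) runs a simple lexical heuristic over a constructed DNS query log: a static blocklist built from yesterday's names stops nothing, while long, high-entropy, vowel-poor labels are flagged for analyst review. The log format, hostnames, domains and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter
# Constructed DNS query log (sample data, not real Cryptolocker traffic).
SAMPLE_DNS_LOG = """\
2013-11-04T09:12:01 host=ws-17 query=www.numerama.com
2013-11-04T09:12:03 host=ws-17 query=mail.example.org
2013-11-04T09:12:05 host=ws-17 query=qkxtvbnrwplsdfgh.net
2013-11-04T09:12:05 host=ws-17 query=xoqpwtrnbvlkfej.org
2013-11-04T09:12:06 host=ws-17 query=hwqfzvtmrgkxpbnl.biz
2013-11-04T09:12:09 host=ws-22 query=stackoverflow.com
"""
# Constructed blocklist of names seen the day before: against a DGA the
# list is already stale by the time it is deployed.
YESTERDAYS_BLOCKLIST = {"zpwqjrtxbvlnmkcd.org", "fkqwtzbnrvlxpgmh.net"}

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<name>\S+)$")

def second_level_label(name):
    """Label under the TLD ('qkxtvbnrwplsdfgh' for 'qkxtvbnrwplsdfgh.net').
    Naive split: multi-part suffixes such as co.uk are not handled."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s):
    return sum(ch in "aeiou" for ch in s) / len(s)

def looks_generated(label, min_len=10, min_entropy=3.3, max_vowels=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels are typical of generated
    names. Tune per network and allowlist CDN hosts or expect false positives."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)

def parse_log(log_text):
    return [m for m in map(LOG_RE.match, log_text.splitlines()) if m]

def flag_dga_queries(log_text):
    """(host, name) pairs whose second-level label looks generated."""
    return [(m["host"], m["name"]) for m in parse_log(log_text)
            if looks_generated(second_level_label(m["name"]))]

def blocked_by_static_list(log_text, blocklist):
    """Queries a static blocklist would actually have stopped."""
    return [m["name"] for m in parse_log(log_text)
            if m["name"].lower() in blocklist]
```

On the sample log the blocklist matches nothing, while the three generated-looking names from ws-17 are flagged and a legitimate long name like stackoverflow.com is not.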

A hacker in leopard pajamas

To reach its victims, the malware spread in two ways: either through a booby-trapped email attachment, or by being installed on target machines by the Gameover Zeus botnet. It was, moreover, by following the trail of this "extremely sophisticated" banking malware that suspects were identified, according to the FBI, the US federal investigative agency. According to the US justice system, it is Evgeniy Mikhailovich Bogachev, formerly at the head of a flourishing criminal organization, the Business Club, who is alleged to be behind Cryptolocker.

But despite the blows dealt to his organization, such as Operation Tovar in 2014, a takeover of the Gameover Zeus command and control infrastructure, this Russian with several aliases (Slavik, Pollingsoon, lucky12345) remains at large. The whimsical hacker in the leopard-print pajamas was once the world's most wanted cybercriminal, after a $3 million reward for his arrest was announced in 2015. The wanted poster simply notes that his last known address was in Anapa, Russia, a resort town on the Black Sea.

Cryptolocker will find imitators

Compared with the ransoms extorted by today's cybercriminal groups, Cryptolocker's takings may look modest: ANSSI put them at $3 million. In all likelihood, the cybercriminals, seeing that banks were defending themselves better and better against Gameover Zeus, pivoted to launching Cryptolocker. But proving the economic model of this type of criminal software would inspire imitators. CryptoWall (between $18 million and $320 million in ransoms extorted between 2014 and 2015) and Locky (between $8 million and $150 million between 2016 and 2018), for example, would take over. Without really changing the software, the ransomware industry has since turned away from mass campaigns to target large organizations.
