SANS Internet Storm Center: Gameover Zeus and Cryptolocker Takedowns

By now many of you have already read the reporting by Brian Krebs on the Gameover Zeus (GOZ) and Cryptolocker takedowns (or, more accurately, disruptions). You can read the US Justice Department's court documents here, which include a named suspect behind the operation of GOZ. This is the result of large-scale, multijurisdictional law enforcement cooperation and work from the private sector. The TL;DR version is that, as of this moment, Gameover Zeus has been disrupted and can no longer control clients. In the case of Cryptolocker, new victim machines can no longer communicate with the command and control (C2) servers, which means files will not be encrypted. If your files are already encrypted, there is no change: once the files are encrypted, no further communication with the C2s is necessary unless you are paying the ransom. This, unfortunately, is likely temporary in nature (between 2 weeks and 6 months depending on the specific circumstances).

One thing that would be helpful: if you observe new GOZ or Cryptolocker infections, please write in with details so they can be analyzed.


John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


262 Posts
ISC Handler
Jun 2nd 2014
"there is no change as once the files are encrypted there is no other communication that is necessary with the C2s unless you are paying the ransom."

So does that mean that, for the time being, users can no longer pay the ransom and decrypt their files?

Of course this may also be a win in the whole, as it disrupts the malicious actor's rogue business model.
However, those who have lost vital data, did not have proper backups, and chose to pay the ransom might have some cause for complaint.

146 Posts
We can confirm from valid sources that the disruption involved registered DGA domains, confiscating servers, and arrest warrants. One can speculate on 'confiscating servers' in that authorities would have access to keys?


173 Posts
ISC Handler
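The comment above notes that the disruption worked by registering the DGA domains the malware would otherwise rendezvous on, so infected hosts keep issuing lookups for algorithmically generated names even though those names now resolve to sinkholes. The following is an added defensive example, not code from the diary or from the ISC; it shows how a defender can flag hosts in a DNS query log that repeatedly look up random-looking domains. The log lines are constructed, and the thresholds (label length, Shannon entropy, vowel ratio, hits per client) are assumed heuristics that will need tuning and will produce some false positives on legitimate CDN or tracking names.

```python
import math
from collections import Counter

# Constructed sample DNS query log, "timestamp client qname" per line (not real data).
SAMPLE_DNS_LOG = """\
2014-06-02T10:00:01 10.0.0.5 www.example.com
2014-06-02T10:00:02 10.0.0.5 qkxzvwtrpmnbqlsd.net
2014-06-02T10:00:02 10.0.0.5 jfhdsklqpzmvbxcw.org
2014-06-02T10:00:03 10.0.0.7 mail.google.com
2014-06-02T10:00:04 10.0.0.5 xwmtrqplknvzsdfg.biz
2014-06-02T10:00:05 10.0.0.9 isc.sans.edu
"""


def shannon_entropy(s):
    """Bits of entropy per character in the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Return the label just left of the TLD (e.g. 'example' for www.example.com).
    Assumption: single-label TLDs only; a public-suffix list would handle co.uk etc."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor labels
    are typical of DGA output, while human-chosen names are short and pronounceable."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def flag_clients(log_text, threshold=3):
    """Return {client_ip: count} for clients with at least `threshold` DGA-like lookups.
    A single odd name is noise; a burst from one host is what an infected client produces."""
    per_client = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = fields
        if looks_generated(qname):
            per_client[client] += 1
    return {c: n for c, n in per_client.items() if n >= threshold}


if __name__ == "__main__":
    for client, hits in flag_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {hits} DGA-like lookups, check this host for GOZ/Cryptolocker")
```

Run on the embedded sample, only 10.0.0.5 is reported (three lookups of 16-character, vowel-free labels). In practice you would feed it resolver logs or Bro/Zeek dns records and cross-check flagged hosts against the sinkhole addresses published by the takedown partners rather than act on the heuristic alone.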
I wouldn't rely on paying the ransom really giving you the decryption keys.
If they just scammed you out of your money, who would you complain to anyway?

41 Posts
You should not forget to mention that government-backed organizations have set up sites that allow you to scan your computer for this type of malware, such as:

4 Posts
I have a client that was hit by cryptolocker on 6/6/2014. If he decides to pay, will the unlock process get completed?
1 Posts
