Security companies are being blocked by cybercriminals. This is a good sign and a worrying one at the same time. The good part is that cyber security researchers are making such an impact on the cybercrime industry that cybercriminals have been forced to take “security” measures of their own while they initiate and operate cybercrime campaigns.
Today it was reported that cybercriminals have been using a mail campaign to infect unaware internet users with the Cryptolocker2 malware. Cryptolocker2 locks and encrypts the infected device; once the infection is complete, it forces the device’s owner/user to pay a ‘ransom’ in order to unlock the system again.
The Cryptolocker family is one of the most dangerous and annoying types of malware currently being spread – it locks the device and takes ownership of its digital content away from the original and legitimate users.
But what caught my eye was the following line:
“Upon dissecting the payload, we saw that it’s delivered as a zip file that can be delivered only once,” Andra Zaharia of Heimdal observes. “As retaliation, cyber criminals have blocked several IP addresses that Heimdal uses in order to hinder our analysis. However, we managed to see that the payload that delivers the Cryptolocker2 infection is delivered only to IP addresses in Scandinavia.” – Tripwire post
In the quote above, it is explained that the cybercriminals had blocked the IPs of Heimdal’s security solution, making it very hard for Heimdal to perform a good analysis of the malware (within their own Heimdal environments).
But this is nothing new (well, for me it is): the “battle” between cybercriminals and security officers has been like this for a long time. It is worrying, though, that the cybercriminals are now going after a wider range of security companies – what will be the next step…
Cyber security officers can sinkhole specific domains/IPs which are being used by cybercriminals – this allows them to monitor the behavior of infected machines and kill the “damaging” aspect of the malware which is hosted/dropped via the sinkholed domains. The cybercriminals know this, and they have been blocking ‘sinkhole’ IPs in their malware in order to avoid analysis once the malware has been caught.
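To make the sinkholing idea concrete, here is a small added example of the defender’s side of it: a stand-in for a sinkhole web server that answers requests for the seized domains with a harmless reply (so the real payload is never served) while recording every callback, plus a summary of which source addresses keep beaconing so their owners can be notified. This is illustrative code written for this post, not code from Heimdal, Tripwire or the original article; the domain names, IP addresses (RFC 5737 test ranges) and log lines are constructed and hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample of what a sinkhole web server might log after a
# campaign's domain was pointed at it. Hypothetical domain names and
# RFC 5737 test addresses; none of these values come from the post.
SAMPLE_LOG = """\
2015-11-01T09:12:03 198.51.100.7 GET payload-host.invalid /get.php?id=1
2015-11-01T09:12:09 198.51.100.7 GET payload-host.invalid /get.php?id=1
2015-11-01T09:14:41 203.0.113.25 GET payload-host.invalid /get.php?id=2
2015-11-01T09:15:00 203.0.113.25 GET unrelated.example /index.html
2015-11-01T10:02:17 198.51.100.7 GET payload-host.invalid /get.php?id=1
"""


@dataclass
class Beacon:
    """One callback from an infected host that reached the sinkhole."""
    ts: datetime
    src_ip: str
    host: str
    path: str


@dataclass
class Sinkhole:
    """Answers requests for sinkholed domains with a harmless reply and logs them."""
    domains: set
    beacons: list = field(default_factory=list)

    def handle(self, ts, src_ip, host, path):
        # Only requests for the seized domains are of interest; anything else
        # gets a plain 404 and is not recorded.
        if host not in self.domains:
            return 404, b""
        # The real payload is never served: the damaging part of the campaign
        # is neutralised, but the victim's callback is still kept for follow-up.
        self.beacons.append(Beacon(ts, src_ip, host, path))
        return 200, b"OK"

    def replay_log(self, text):
        """Feed lines of the form '<iso-ts> <src-ip> <method> <host> <path>'."""
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, src_ip, _method, host, path = line.split()
            self.handle(datetime.fromisoformat(ts), src_ip, host, path)

    def summarize(self):
        """Per source IP: beacon count, first/last seen and the domains contacted."""
        per_ip = {}
        for b in self.beacons:
            entry = per_ip.setdefault(
                b.src_ip, {"count": 0, "first": b.ts, "last": b.ts, "hosts": set()}
            )
            entry["count"] += 1
            entry["first"] = min(entry["first"], b.ts)
            entry["last"] = max(entry["last"], b.ts)
            entry["hosts"].add(b.host)
        return per_ip


if __name__ == "__main__":
    sh = Sinkhole(domains={"payload-host.invalid"})
    sh.replay_log(SAMPLE_LOG)
    for ip, info in sh.summarize().items():
        print(f"{ip}: {info['count']} beacon(s) between {info['first']} and {info['last']}")
```

Running the script lists the two constructed victim addresses with their beacon counts; the request for the unrelated domain is ignored. A real deployment would sit behind the DNS change that redirects the seized domain and would hand the summary to the relevant ISPs or CERTs rather than print it.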