Hi Benoit, Zwingers
Am 16.12.2016 um 08:44 schrieb Benoit Panizzon benoit.panizzon@imp.ch:
Hi Swinogers
It's not an actual case we are involved in, nor did it happen in Switzerland, but I'm in contact with a registrar and hoster that is probably in this situation.
This is unfortunately a common and realistic case. We had about 40 to 50 domain names in .ch and .li alone that were registered to operate TorrentLocker. As the operators make a lot of money with ransomware, they can afford to buy domain names and hosting, even if they can use them for only a few days.
A customer registered a domain and booked a web and email service. The bookings were made in the name of an apparently newly created company. Everything looked legit; the domain owner wanted his privacy protected by a whois proxy provider.
That company sent emails to various recipients that led those recipients to its website to download some documents.
Those documents were infected with the Locky ransomware. It's clear that this is not a hacked site, but a site built purposefully to distribute that malware and make it look legitimate.
The hoster reacted quickly to complaints, took the site offline and removed the DNS entries to prevent further damage.
But what can the hoster/registrar do next? Can he contact his government's CERT team or the authorities and hand over the customer data, IP addresses used to upload the site, etc., to try to get hold of the gang behind that fraud as quickly as possible? Or would that break privacy laws, so that they have to wait for a subpoena, which could take several weeks and give the gang enough time to clear all traces?
You should inform the responsible CERTs (in Switzerland, MELANI), the registry (for .ch and .li, SWITCH, cert@switch.ch) and the registrar if you are not a registrar yourself, basically to inform them about the malicious registrations and allow them to detect similar cases.
Handing over the logs to a CERT for victim notification doesn’t make so much sense in this case as victims will most likely notice that they are infected.
I think you should also contact KOBIK/FEDPOL and report the case as you are a victim. You should first ask them what data they need to investigate the case and then make your decision on handing over the data.
Best regards
Michael
-Benoît Panizzon-
ImproWare AG - Leiter Commerce Kunden
Zurlindenstrasse 29, CH-4133 Pratteln, Schweiz
Tel +41 61 826 93 00, Fax +41 61 826 93 01
Web http://www.imp.ch

------------------------------------
Michael Hausding, Competence Lead DNS & Domain Abuse
SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 77, incident phone +41 44 268 15 40
michael.hausding@switch.ch
http://securityblog.switch.ch