The Godfather neutralised, but malware mafia alive and kicking
Long after end to CrowdStrike update-triggered outage, cyber mob is still holding companies to ransom via remote access, data wipers.

Cybercriminals were quick to exploit the chaos caused by the CrowdStrike crisis and send remote access or data wiper malware through phishing emails, which are then used as a ransom tactic.
Nearly 37,000 employees of the top 350 global organisations have fallen prey to these phishing campaigns, termed ‘Reap Blue Screen’, and given away sensitive details, according to data from cybersecurity firm Cyfirma.
The malicious domains include crowdstrikefixer[.]com, crowdstrikehelp[.]com, pay[.]crowdstrikerecovery[.]com and britishairways[.]crowdstrike[.]feedback.
Links to these domains were forwarded through thousands of emails, enticing frenzied employees to pay for the return of their systems using GPay or debit cards.

“We observed malicious domains mushrooming in large numbers, registered with untrustworthy hosts (and) with domain lookalikes to CrowdStrike,” said Kumar Ritesh, founder of Cyfirma, who believes the motive is to exploit the fear among IT managers scrambling to find a solution to the global glitch.
“Cyfirma has just begun scratching the surface. Of the 450 domains that we have analysed, nearly 37,000 entries were made on these websites by global aviation, banking and IT companies,” he said.
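As an added illustration (not from the article or from Cyfirma), this Python sketch shows how a mail-gateway or DNS-log review could flag brand lookalikes of the kind listed above. The legitimate domain `crowdstrike.com`, the category names and the 0.85 similarity threshold are assumptions, and the registrable-domain check is deliberately naive.

```python
import re
from difflib import SequenceMatcher

BRAND = "crowdstrike"
LEGIT = {"crowdstrike.com"}   # assumption: the vendor's real domain, not given in the article
DIGIT_SWAPS = str.maketrans("0135", "oies")   # common digit-for-letter substitutions
NEAR_MISS = 0.85              # assumption: similarity threshold for typo variants

def refang(indicator):
    """Turn a defanged indicator ([.], hxxp://) back into a bare lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(xx|tt)ps?://", "", s)
    return s.split("/")[0].split(":")[0].rstrip(".")

def classify(indicator):
    """Return 'legitimate', 'brand-label', 'brand-embedded', 'near-miss' or 'unrelated'."""
    labels = refang(indicator).split(".")
    # Naive registrable domain = last two labels; a production check would
    # consult the Public Suffix List to handle suffixes such as co.uk.
    if ".".join(labels[-2:]) in LEGIT:
        return "legitimate"
    for label in labels:
        plain = label.translate(DIGIT_SWAPS).replace("-", "")
        if label == BRAND:
            return "brand-label"      # brand used as a subdomain or under another TLD
        if BRAND in plain:
            return "brand-embedded"   # brand plus a lure word such as "help" or "fixer"
        if SequenceMatcher(None, plain, BRAND).ratio() >= NEAR_MISS:
            return "near-miss"        # transposed or dropped letters
    return "unrelated"

def triage(indicators):
    """Map each indicator to its category, skipping legitimate and unrelated hosts."""
    results = {i: classify(i) for i in indicators}
    return {i: c for i, c in results.items() if c not in ("legitimate", "unrelated")}

if __name__ == "__main__":
    sample = [
        "crowdstrikefixer[.]com",                  # from the article
        "crowdstrikehelp[.]com",                   # from the article
        "pay[.]crowdstrikerecovery[.]com",         # from the article
        "britishairways[.]crowdstrike[.]feedback", # from the article
        "hxxps://www.crowdstrike[.]com/blog",      # constructed: legitimate host
        "crowdstirke.example",                     # constructed: transposed letters
    ]
    for host, category in triage(sample).items():
        print(f"{category:15} {host}")
```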
CrowdStrike provides antivirus software to Microsoft, and a faulty software update to the Falcon Sensor agent by the former caused the blue screen of death (BSOD). This affected more than eight million Windows computers.
“These kinds of black swan events become a fertile ground for cybercriminals because of the sheer scale of impact and the uncertainty surrounding the nature of outage,” said Sundareshwar K, partner and leader, cybersecurity, at PwC India. “At times, even trained IT professionals are likely to fall prey in the moment of chaos.”