DOJ Disrupts Gameover Zeus Botnet
The DOJ has declared victory over the CryptoLocker Trojan, stating that it is now out of commission.
Authorities in 10 countries seized servers believed to be connected to Gameover Zeus, a tightly controlled botnet that has plagued computer users worldwide. The botnet was also believed to be connected to CryptoLocker, the ransomware that locked up the files of victims and businesses and attempted to extort money for the key to access the frozen files. Police seized servers connected to the botnet in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom, investigators said. The FBI added Evgeniy Mikhailovich Bogachev to its most wanted list on Monday. The 30-year-old Anapa, Russia, resident was allegedly the principal administrator behind the Gameover Zeus botnet. Others are believed to be in Russia or Ukraine.
That’s very good news for computer users worldwide. Unfortunately, this could be a short-lived respite: ransomware kits, which automate the process for criminals, are becoming more prevalent, Intel Security announced, predicting that malware infections will increase on mobile devices. Security vendor Sophos has detected Simplelocker, an Android Trojan that encrypts mobile files and demands payment using an extortion scam similar to CryptoLocker’s.
The FBI estimates that $27 million in ransom payments were made in the first two months of CryptoLocker’s emergence. Constant vigilance and a good, solid offsite backup solution are our only salvation when confronted with attacks like this. It’s been so lucrative for the criminals that you can bet we haven’t seen the last of this type of attack.
The following list was compiled from the victims identified in court documents unsealed Monday in U.S. District Court of Western Pennsylvania.
Pennsylvania Manufacturer: $375,000 Stolen
Haysite Reinforced Plastics, an Erie, Penn.-based manufacturer, was bilked of more than $375,000 in October 2011. Several employees at the company had their computers infected with malware, and in a two-day period Bogachev’s group allegedly transferred money from Haysite’s PNC bank account to money mule accounts at banks in Atlanta and New York City. Investigators said the attackers could inject additional form fields into the website displayed in the victim’s browser to request a Social Security number, credit card information and other sensitive information often used as a challenge mechanism by financial institutions to validate the authenticity of a transaction.
Washington Indian tribe: $277,000 Stolen
An Indian tribe based in Washington lost more than $277,000 after an unauthorized wire transfer was initiated with its bank using stolen credentials, according to the court documents. Stealing banking credentials was the principal aim of Gameover Zeus, but the botnet of infected systems was also used to send out spam and conduct attacks to steal other types of sensitive data.
Assisted Living Facility Operator: $190,800 Stolen
Thieves allegedly stole more than $190,800 after stealing account credentials from an employee at an assisted living facility operator based in Eastern Pennsylvania. Investigators say Gameover Zeus was increasingly used to conduct other attacks, including phishing and spam campaigns. Between 500,000 and 1 million computers were infected with the Gameover Zeus malware globally.
Regional Bank: $7 Million Stolen
A regional bank in Northern Florida lost nearly $7 million after the criminals allegedly used stolen account credentials to transfer funds out of its main bank account. The Gameover Zeus operators conduct denial of service attacks in conjunction with their fraudulent wire transfers, according to an FBI warning.
Insurance Company: $70,000 Loss
A Pittsburgh-based insurance company had critical business files encrypted by a CryptoLocker infection. The company repaired the damage by wiping the infected systems and restoring from backup, but estimates the loss of business — it sent employees home during the remediation — and the cost of wiping and reimaging infected systems at $70,000.
Restaurant Operator: $30,000 Loss
A Florida restaurant operator had more than 10,000 files encrypted by CryptoLocker, according to investigators. Employees were locked out of the company’s team training documents, franchise operation files and recipe folders. Remediation costs associated with the infection were estimated at $30,000. The criminals behind the threat gave victims 72 hours to pay the CryptoLocker ransom in Bitcoins or face permanent destruction of the private key. In addition, the thieves threatened to destroy the private key needed to unlock the files if the malware detected any attempt to remove CryptoLocker.
Massachusetts Police Department: $750 Ransom
A local police department based in Swansea, Mass., paid a $750 ransom to the criminals behind CryptoLocker after the agency’s main file server, including administrative documents, investigative materials and digital mug shots, was encrypted by the malware. The department paid two Bitcoins to the thieves last November for the key to unlock the files.
Pest Control Company: $80,000 Loss
A North Carolina-based pest control company said it racked up $80,000 in infection removal costs associated with CryptoLocker when an infection spread to its customer database and schedule of appointments. The company’s backup server was also encrypted by the malware.