International Malware Crackdown Revealed

Gameover Zeus Botnet, CryptoLocker Ransomware Targeted

Law enforcement agencies from around the world took part in a coordinated operation to disrupt the botnet used to spread the malware known as Gameover Zeus and seize computer servers crucial to the ransomware known as CryptoLocker. Plus, a Russian citizen has been indicted in connection with the case.

The operation took place on May 30, according to Europol, the European Union's law enforcement agency, which took part in the investigation that was led by the U.S. Federal Bureau of Investigation.

Gameover Zeus is designed to steal banking and other credentials from computers it infects, the FBI says. The malware first emerged around September 2011 as the latest version of the Zeus malware. Security researchers estimate that between 500,000 and 1 million computers worldwide are infected with Gameover Zeus, and that approximately 25 percent of the infected computers are located in the U.S., authorities say. The FBI estimates that Gameover Zeus is responsible for more than $100 million in losses.

CryptoLocker encrypts files and then demands that the infected user pay a fee to have the files decrypted (see: New Ransomware Targets Mobile). As of April 2014, CryptoLocker had infected more than 234,000 computers, half of those in the United States, according to the U.S. Justice Department. One estimate indicates that more than $27 million in ransom payments were made in just the first two months after CryptoLocker emerged, authorities note.

Global Effort

"This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data," says James Cole, U.S. deputy attorney general, in a June 2 announcement. "We succeeded in disabling Gameover Zeus and CryptoLocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world."

In addition to the FBI and Europol, investigators in several countries participated in the operation. Security vendors, including Symantec, Dell SecureWorks, Microsoft and McAfee, also offered support for the operation.

Symantec says the FBI was able to seize a "large amount" of the infrastructure used by both Gameover Zeus and CryptoLocker. The company has also released a free online tool that victims can use to remove Gameover Zeus from their computers.

Gameover Zeus Takedown

Gameover Zeus is designed to steal banking and other credentials from the computers it infects, the FBI says. The infected computers then become part of a global network of compromised computers known as a botnet.

The principal purpose of the botnet is to capture banking credentials from infected computers, which are then used to initiate or redirect wire transfers to accounts overseas that are controlled by cybercriminals.

As part of its takedown, the U.S. has obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers established by the court order, the Justice Department says.

"The order authorizes the FBI to obtain the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to U.S.-CERT to distribute to other countries' CERTS and private industry to assist victims in removing the Gameover Zeus malware from their computers," authorities say.

The U.S. Computer Emergency Readiness Team issued a technical alert on June 2 on the Gameover Zeus botnet. A system infected with Gameover Zeus may be used to send spam, participate in distributed-denial-of-service attacks and harvest users' credentials for online services, including banking services.

U.S. CERT offers several solutions for individuals whose computers may be infected by Gameover Zeus, including using and maintaining anti-virus software, changing passwords, keeping operating systems and application software up to date and using anti-malware tools.

In the second crackdown, the FBI led a coordinated effort, with the help of several security vendors and universities, to identify and seize computer servers acting as command-and-control hubs for the CryptoLocker malware.

The malware uses cryptographic key pairs to encrypt the computer files of its victims. Cybercriminals then demand victims pay hundreds of dollars to receive the key necessary to unlock their files, authorities say.


The FBI has also filed a complaint against Evgeniy Mikhailovich Bogachev, a Russian citizen, who they allege is the leader of the criminal enterprise responsible for Gameover Zeus and CryptoLocker.

A federal grand jury in Pittsburgh unsealed a 14-count indictment against Bogachev, 30, of Anapa, Russian Federation, charging him with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Gameover Zeus botnet.

Bogachev was also charged by criminal complaint with conspiracy to commit bank fraud related to his alleged involvement in the operation of a prior variant of Zeus malware known as Jabber Zeus. He is the alleged leader of a tightly knit gang of cybercriminals based in Russia and Ukraine that is responsible for the development and operation of both the Gameover Zeus and CryptoLocker schemes, according to the Justice Department.

The international law enforcement investigation determined that the Gameover Zeus network is used as a common distribution mechanism for CryptoLocker. Bogachev is alleged in civil filings to be an administrator of both Gameover Zeus and CryptoLocker.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
