Darlene Storm

Wham bam: Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet

June 02, 2014 2:37 PM EDT

The U.S. Justice Department announced that an international law enforcement operation, Operation Tovar, seized control of the Gameover Zeus botnet, one of the most advanced Zeus variants, which had infected about 500,000 to one million computers running Microsoft Windows. About 25% of infected PCs are located in the USA. The GameOver Zeus network also began distributing the ransomware CryptoLocker in 2013.

CryptoLocker encrypts files on an infected computer and demands a ransom be paid in bitcoins to decrypt the files. Many victims who had not backed up their files were caving to the extortion. According to FBI estimates, over $27 million in ransom payments were made in the first two months after CryptoLocker emerged. As of April 2014, over 234,000 computers had been infected.

“Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cybercrimes that you might not believe if you saw them in a science fiction movie,” reported the DOJ.

By secretly implanting viruses on computers around the world, they built a network of infected machines – or “bots” – that they could infiltrate, spy on, and even control, from anywhere they wished. Sitting quietly at their own computer screens, the cyber criminals could watch as the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims typed into computers and networks in the United States. And then the criminals turned that information into cash by emptying the victims’ bank accounts and diverting the money to themselves.

Justice Department Assistant Attorney General Leslie Caldwell stated:

Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week. We have already begun providing victim information to private sector parties who are poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack. 

The FBI announced “the unsealing of criminal charges in Pittsburgh and Omaha against alleged botnet administrator Evgeniy Mikhailovich Bogachev of Anapa, Russian Federation.” The FBI added Bogachev to its Cyber’s Most Wanted list.

Court orders in federal court “authorize the FBI to identify the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to Computer Emergency Readiness Teams (CERTs) around the world, as well as to Internet service providers and other private sector parties who are able to assist victims in removing GameOver Zeus from their computers. Important note: No contents of victim communications are captured or accessible in the disruption process.”

US-CERT (United States Computer Emergency Readiness Team) also issued a GameOver Zeus P2P Malware alert today.

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet. 

US-CERT recommended the following solutions: Use and maintain anti-virus software; Change your passwords; Keep your operating system and application software up-to-date; Use anti-malware tools. Examples of anti-malware programs that can identify and remove GOZ include F-Secure online scanner for Windows Vista, 7 and 8; Microsoft Safety Scanner for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP; as well as Heimdal, Sophos, Symantec and Trend Micro.

Is your PC infected? The FBI warns, “If you notice one or more of these actions on your computer, you may have been infected with the GameOver Zeus malware.” Those suspicious "actions" are:

  • Your computer system operates very slowly.
  • Your cursor moves erratically with no input from you.
  • You notice unauthorized logins to your bank accounts or unauthorized money transfers.
  • Text-based chat windows appear on your computer’s desktop unexpectedly.
  • Your computer files lock up and a ransom demand is made to unlock files. 

“People have ‘two weeks’ to protect themselves from a ‘powerful computer attack’, the UK's National Crime Agency (NCA) has warned.” That two-week window is how long the NCA believes it will take before the criminals set up new Command and Control (C&C) servers elsewhere and again hijack infected PCs. The BBC added that the “warning is not intended to cause you panic but we cannot over-stress the importance of taking these steps immediately.”

Like US-CERT, the UK’s NCA published a list of recommended software that can check if a PC is infected with GOZ. The Get Safe Online website could not be reached at the time of publication, but the connection timing out was attributed to a technical problem and “was not due to high traffic or a cyber attack.”

The GameOver network has stolen more than $100 million from hundreds of thousands of PCs. TribLive listed some of the GameOver victims: An Indian tribe in Washington state that lost more than $277,000; a regional bank in northern Florida that lost nearly $7 million; and a corporation operating assisted living facilities in Eastern Pennsylvania, which lost more than $190,800.

For CryptoLocker, some of the 120,000 victims in the U.S. included: A local Massachusetts police department that paid $750 ransom to decrypt “its main file server, including administrative documents, investigative materials, and digital photo mug shots.” A Florida restaurant spent $30,000 in damages; a Pittsburgh insurance company spent $70,000; and a North Carolina pest control company spent “$80,000 to recover its customer database and appointment schedule after they were corrupted.”

Do not delay. Scan your PC now.

A great big congratulations to the white hats for this huge win!