Cybercrime centers around the world cooperated to stop the ring of criminals responsible for multiple scams in recent years. To get an idea of the magnitude of the operation: the US Justice Department, the UK National Crime Agency, the European Cybercrime Centre and agencies in Australia, Canada, France, Japan, New Zealand, Ukraine, Germany and Italy all participated, along with Intel Corp, Microsoft, and security software companies Symantec, TrendMicro and F-Secure.
What were they investigating? The software developers who authored Gameover Zeus and its relatives: the original Zeus trojan, which has been used to steal financial passwords since 2006, and, more recently, the CryptoLocker program, which encrypted victims' files and demanded a ransom for their release.
According to the Justice Department, “Cryptolocker alone infected more than 234,000 machines and won $27 million in ransom payments.” Between the Zeus trojan and the CryptoLocker ransomware, the gang is estimated to have gained more than $100 million, including a $750 ransom from a Massachusetts police department, whose investigative files were encrypted, and an unauthorized wire transfer of $198,000 from a Pennsylvania company.
Brett Stone-Gross, a Dell expert working with the FBI, explained that they took control of the Gameover Zeus botnets – or robot networks – so that the infected machines would only talk to infrastructure run by the agencies. Ukrainian authorities seized command servers in Kiev and Donetsk, and other agents worked to seize servers around the world.
Russian national Evgeniy Mikhaylovich Bogachev has been named by the FBI as a principal participant in the conspiracy. Although the US does not expect to apprehend him, since Russia does not extradite, naming him publicly is part of a new policy of aggressively exposing suspected criminals, similar to the recent indictment of members of China’s PLA for alleged economic espionage.
Officials warn that the window for removing the infection from affected computers may be short – as short as two weeks. Although the Gameover Zeus botnet has been disrupted, once the criminals regain control of their networks they will resume their attempts to extort victims and to access funds directly. The US Department of Homeland Security has created a website, www.us-cert.gov/gameoverzeus, to assist victims with removing the malware.