The U.S. Department of Justice (DOJ) has disrupted the “most sophisticated botnet” it has ever attempted to take down and has announced criminal charges against one of its administrators, officials said at a press conference Monday afternoon. Known as the Gameover Zeus botnet, “a global network of infected victim computers used by cyber criminals to steal millions of dollars from businesses and consumers,” it was disrupted by the FBI working with law enforcement in more than 10 other countries.
The department also announced that it had worked with foreign law enforcement officials to seize computer servers central to the malicious software (malware) known as Cryptolocker. The malware is a “form of ransomware that encrypts files on victims’ computers until they pay a ransom” to release them, according to a press release.
Deputy Attorney General James M. Cole and other government officials representing the agencies involved in the operation made the announcement at a press conference in Washington, D.C.
“This operation disrupted a global botnet that had stolen millions from businesses and consumers, as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” Cole said. “We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.”
Also known as Peer-to-Peer Zeus, Gameover Zeus “is an extremely sophisticated type of malware designed to steal banking and other credentials from the computer it infects,” according to a DOJ press release. Gameover Zeus emerged around September 2011 and is the latest version of a malware family that first appeared in 2007. It operates “silently” on victim computers: rather than contacting a central command server, each infected machine receives its commands from other infected computers in the botnet (hence “peer-to-peer”) and funnels stolen banking credentials back to the botnet administrators through them.
Once these credentials had been obtained, administrators used them to initiate or redirect wire transfers to accounts overseas that they controlled. “Security researchers estimate that between 500,000 and 1 million computers worldwide are infected with Gameover Zeus, and that approximately 25 percent of the infected computers are located in the United States,” the DOJ said.
FBI Executive Assistant Director Robert Anderson, Jr., said that Gameover Zeus is “the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” and the bureau estimates that it has caused more than $100 million in damages.
As part of disrupting Gameover Zeus, a federal grand jury in Pittsburgh, Pennsylvania, unsealed a 14-page indictment against Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation. The indictment charges him with “conspiracy, computer hacking, wire fraud, bank fraud, and money laundering in connection with his alleged role as an administrator of the Gameover Zeus botnet.” Bogachev was also named in a criminal complaint filed in Omaha, Nebraska, alleging conspiracy to commit bank fraud in connection with a previous version of the botnet, Jabber Zeus.
Along with the criminal charges, the United States has filed a separate civil injunction against Bogachev in federal court in Pittsburgh. The civil suit alleges that Bogachev is a leader of a “tightly knit gang of cyber criminals in Russia and Ukraine that is responsible for the development and operation of both the Gameover Zeus and Cryptolocker schemes,” according to a press release. Bogachev is tied to both operations because the investigation identified Gameover Zeus as a “common distribution mechanism for Cryptolocker.”
Cryptolocker, sometimes spelled as CryptoLocker, began appearing around September 2013 and “is a highly sophisticated malware that uses cryptographic key pairs to encrypt the computer files of its victims,” according to the DOJ. “Victims are forced to pay hundreds of dollars and often as much as $700 or more to receive the key necessary to unlock their files. If the victim does not pay the ransom, it is impossible to recover their files.”
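The mechanism behind that “key pair” description, as an added illustration that is not part of the DOJ release or this article: each file is encrypted with a fresh symmetric key, and that key is then wrapped under a public key whose private half never reaches the victim’s machine. This is the usual construction for such ransomware; the toy RSA parameters (two known Mersenne primes, no padding), the SHA-256-based stream cipher and the sample document below are this example’s own assumptions so that it runs with the Python standard library alone, not Cryptolocker’s actual implementation.

```python
import hashlib
import os

# Toy RSA key pair built from two known Mersenne primes so the example runs
# with the standard library alone. The key size, the lack of padding and the
# SHA-256-based stream cipher are illustration-only choices (assumptions of
# this example), not the parameters of any real ransomware.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537
KEY_BYTES = 16

# Constructed sample document standing in for a victim's file.
SAMPLE_DOC = b"Q2 invoices and payroll spreadsheet (constructed sample data)\n" * 3


def make_keypair():
    """Return (public, private) as (n, exponent) tuples. Only the attacker
    ever holds the private exponent d; the public key ships with the malware."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def rsa_apply(key, m):
    n, exp = key
    return pow(m, exp, n)


def keystream_xor(file_key, data):
    """Symmetric stream cipher: XOR data with SHA-256(file_key || counter).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(file_key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(public_key, plaintext):
    """What the malware does per file: draw a random file key, encrypt the
    contents with it, wrap the file key under the attacker's public key.
    Returns (ciphertext, wrapped_key); the plaintext file key is discarded."""
    file_key = os.urandom(KEY_BYTES)
    ciphertext = keystream_xor(file_key, plaintext)
    wrapped = rsa_apply(public_key, int.from_bytes(file_key, "big"))
    return ciphertext, wrapped


def unwrap_file_key(key, wrapped):
    """Recover the file key from the wrapped value. Returns None when the
    result is not a KEY_BYTES-byte value, which is what happens with the
    wrong key (for example applying the public exponent a second time)."""
    m = rsa_apply(key, wrapped)
    if m >= 1 << (8 * KEY_BYTES):
        return None
    return m.to_bytes(KEY_BYTES, "big")


def decrypt_file(key, ciphertext, wrapped):
    file_key = unwrap_file_key(key, wrapped)
    if file_key is None:
        return None
    return keystream_xor(file_key, ciphertext)


def run_demo():
    """Walk through the victim's view and the key holder's view. Returns True
    when the private key recovers the file and the public key alone does not."""
    public_key, private_key = make_keypair()
    ciphertext, wrapped = encrypt_file(public_key, SAMPLE_DOC)
    # Everything left on the victim's disk: ciphertext, wrapped key, public key.
    victim_attempt = decrypt_file(public_key, ciphertext, wrapped)
    # Whoever holds the private key can unwrap the file key and restore the file.
    recovered = decrypt_file(private_key, ciphertext, wrapped)
    return (ciphertext != SAMPLE_DOC
            and victim_attempt != SAMPLE_DOC
            and recovered == SAMPLE_DOC)


if __name__ == "__main__":
    print("private key recovers the file, public key alone does not:", run_demo())
```

Run it as a script. The point is what the victim’s disk holds after infection: the ciphertext, the wrapped file key and the public key, none of which yields the file key. Recovery therefore depends on where the private key lives, not on anything that can be pulled from the infected machine.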
Along with being distributed by Gameover Zeus, Cryptolocker also spreads through unsolicited e-mails carrying malicious attachments disguised as voicemails or shipping confirmations. When these attachments are opened, they infect the victim’s computer with the ransomware. Researchers estimate that as of April 2014, Cryptolocker had infected more than 234,000 computers, approximately 50 percent of them in the United States. Additional estimates indicate that in the first two months of its existence, Cryptolocker cost victims more than $27 million in ransom payments.
The actions taken against Cryptolocker are the result of an ongoing criminal investigation led by the FBI’s Washington Field Office in coordination with law enforcement from Canada, Germany, Luxembourg, the Netherlands, the United Kingdom, and Ukraine.
For more information on the charges against Bogachev and on the DOJ’s announcement, visit the department’s Web site.