The multinational effort that led to the disruption of the Gameover Zeus botnet that distributed the infamous Cryptolocker ransomware highlights what is possible when companies become more open with information during cybersecurity investigations, experts say.
The U.S. Department of Justice announced Monday that the global police effort had caused significant damage to the botnet believed responsible for more than $100 million in losses to companies and individuals.
In addition, criminal charges unsealed by U.S. courts identified the alleged administrator of the botnet that targeted banking credentials as Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia. Bogachev, who remains on the lam, was charged with conspiracy, computer hacking, bank and wire fraud and money laundering.
The botnet operators were as big a threat to businesses as to individuals, experts said. They were particularly good at conducting wire fraud after distracting banks with distributed denial of service attacks.
"What isn't well known to the public is that these attacks were widespread for a long time and caused a big scare in the financial services industry," Lucas Zaichkowsky, enterprise defense architect at digital forensics company AccessData, said in an email. "My sources tell me that most banks were hit."
Law enforcement could not have disrupted the botnet of between 500,000 and 1 million compromised computers without cooperation from the banks and businesses that were victimized by the Cryptolocker ransomware, Steve Chabinsky, general counsel and chief risk officer for cybersecurity firm CrowdStrike, said.
Cryptolocker was responsible for $27 million in ransom payments from some of the owners of the more than 234,000 computers compromised.
CrowdStrike assisted law enforcement in its Gameover Zeus investigation, which the company said was codenamed Operation Tovar.
Unfortunately, many businesses victimized by botnet operations are not as forthcoming with information as they should be, Chabinsky said. Those that are more open make busts like the latest operation possible.
"Businesses caught in these types of schemes should not be embarrassed to bring it (information) forward to law enforcement," he said. "Law enforcement is in need of information and is acting to determine what the greatest threats are and then, in a coordinated fashion with law enforcement throughout the world and industry, is taking action."
Cryptolocker was particularly nasty because the malware would encrypt a computer's hard drive and victims would have to pay criminals as much as $700 for the keys to unlock the data.
Bogachev was the alleged administrator of the Cryptolocker operations, as well as the overall botnet.
"There are companies that have paid ransoms to Cryptolocker and the infection can impact businesses just as easily as it impacts individuals," Chabinsky said. "Businesses are involved in this and a lot of them are concerned about reporting to law enforcement."