Notorious cybercrime gang’s botnet disrupted – Microsoft On the Issues – Microsoft
https://ift.tt/YztmqOs
Apr 13, 2022 | Amy Hogan-Burney – General Manager, Digital Crimes Unit
Today, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
We obtained a court order from the United States District Court for the Northern District of Georgia allowing us to take control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.
During our investigation, we identified one of the perpetrators behind the creation of a component used in the ZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula. We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes. Today’s legal action is the result of months of investigation that pre-date the current conflict in the region.
Originally, the primary goal of Zloader was financial theft, stealing account login IDs, passwords and other information to take money from people’s accounts. Zloader also included a component that disabled popular security and antivirus software, thereby preventing victims from detecting the ZLoader infection. Over time those behind Zloader began offering malware as a service, a delivery platform to distribute ransomware including Ryuk. Ryuk is well known for targeting health care institutions to extort payment without regard to the patients that they put at risk.
DCU led the investigative effort behind this action in partnership with ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Palo Alto Networks Unit 42, with additional data and insights to strengthen our legal case from our partners the Financial Services Information Sharing and Analysis Centers (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC), in addition to our Microsoft Threat Intelligence Center and Microsoft Defender team. We also recognize the additional contribution from Avast in supporting our DCU field in Europe.
Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers (ISPs) to identify and remediate victims. As always, we’re ready to take additional legal and technical action to address Zloader and other botnets.
Tags: cyberattacks, cybercrime, ransomware
Apr 7, 2022 | Tom Burt
Mar 25, 2022 | Julie Brill
Feb 28, 2022 | Brad Smith
Feb 28, 2022 | Brad Smith
Feb 28, 2022 | Burton Davis
Feb 28, 2022 | Tom Burt
Have the latest posts sent right to your inbox. Enter your email below.
By providing your email address, you will receive email updates from the Microsoft on the Issues blog.
Follow us:
Tech
via Inferse.com https://www.inferse.com
May 13, 2022 at 06:07PM