Gameover Zeus + CryptoLocker = a £100m heist

A multi-layered attack featuring Gameover Zeus (GOZ) and CryptoLocker has been temporarily disrupted. This post summarises key points of this widespread fraud.

Gameover Zeus is a botnet of hosts infected with a trojan that captures bank logins and bank account details, and can also be used to send spam and conduct DDoS attacks. As it utilises a peer-to-peer (P2P) protocol, the botnet is decentralised and resilient to take-down. It is estimated that between half a million and a million PCs are infected with GOZ.

CryptoLocker is ransomware that encrypts data on a system and demands payment of $300 in Bitcoins in return for the decryption key. In this two-pronged attack, CryptoLocker has been distributed through the GOZ network.

Russian citizen Evgeniy Bogachev has been named as the head of the cyber gang controlling the Gameover Zeus / CryptoLocker attack. Last week he was indicted by the US Department of Justice. The US has no extradition treaty with Russia, so Bogachev is unlikely to be brought to justice.

The gang has netted over $100m from infected US systems, which represent about a quarter of the total worldwide systems involved in this attack. Overall, revenues would have totalled in excess of £100m: a lucrative heist for the gang.

Operation Tovar is a major initiative by international law enforcement to disrupt the Gameover Zeus botnet used by the gang, by redirecting the bots' requests for their command and control servers, which are used to distribute and control the malware, to servers under law enforcement control. This coordinated operation involved the FBI, the UK’s National Crime Agency (NCA) and Europol. In the takedown, two lists of domains used by the bot herder have been sinkholed. Several security companies assisted in successfully quarantining around two million PCs across North America, Europe and Asia.
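Sinkholing pays off for defenders beyond simply cutting the bots off: every host that keeps asking for a sinkholed C2 domain identifies itself as infected. The script below is an added example and is not code from the original post or from Operation Tovar; it assumes a BIND-style DNS query log and uses constructed placeholder domains (`example-c2-one.invalid`, `example-c2-two.invalid`) and constructed log lines in place of the real GOZ domain lists, and reports which internal hosts are still beaconing so they can be quarantined and cleaned.

```python
"""
Added example (not part of the original post): once a botnet's C2 domains
have been sinkholed, resolver logs become a list of infected hosts. This
script parses constructed DNS query log lines, matches the queried names
against a constructed list of sinkholed domains (placeholders, not the real
GOZ domain lists), and summarises which internal hosts are beaconing and
how often, so they can be isolated and cleaned.
"""
import re
from collections import defaultdict

# Constructed placeholder list of sinkholed C2 domains (not the real lists).
SINKHOLED_DOMAINS = {
    "example-c2-one.invalid",
    "example-c2-two.invalid",
}

# Constructed DNS resolver log lines in a BIND-style query-log format.
SAMPLE_DNS_LOG = """\
03-Jun-2014 10:15:01.123 client 10.0.0.15#51234: query: example-c2-one.invalid IN A + (10.0.0.53)
03-Jun-2014 10:15:03.456 client 10.0.0.22#40001: query: www.example.com IN A + (10.0.0.53)
03-Jun-2014 10:15:07.789 client 10.0.0.15#51240: query: EXAMPLE-C2-TWO.invalid. IN A + (10.0.0.53)
03-Jun-2014 10:16:11.000 client 10.0.0.40#53001: query: example-c2-one.invalid IN A + (10.0.0.53)
malformed line that should be skipped
"""

# Extracts the client IP, queried name and record type from a query record.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def find_beaconing_hosts(log_text, sinkholed):
    """Return {host_ip: {domain: count}} for queries to sinkholed domains."""
    hits = defaultdict(lambda: defaultdict(int))
    sinkholed = {normalise(d) for d in sinkholed}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        name = normalise(m.group("name"))
        # Match the exact domain or any subdomain of a sinkholed domain.
        if any(name == d or name.endswith("." + d) for d in sinkholed):
            hits[m.group("ip")][name] += 1
    return {ip: dict(doms) for ip, doms in hits.items()}


def summarise(hits):
    """Flat, sorted list of (ip, domain, count) rows for reporting or ticketing."""
    rows = [(ip, d, n) for ip, doms in hits.items() for d, n in doms.items()]
    return sorted(rows)


if __name__ == "__main__":
    found = find_beaconing_hosts(SAMPLE_DNS_LOG, SINKHOLED_DOMAINS)
    for ip, domain, count in summarise(found):
        print(f"{ip} queried sinkholed {domain} {count}x -> isolate and clean")
```

Run against a real resolver log, the same matching would feed a ticket or NAC quarantine per host; the case folding and trailing-dot handling matter because bots and resolvers do not agree on how they write a name.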

These countermeasures are temporary and will provide a two-week window of low activity before the attack recuperates. This has fuelled many overblown dire warnings in the media hype surrounding this threat. The danger is that the bot herder, feeling the heat from international law enforcement, may decide to activate CryptoLocker on a widespread scale across the GOZ network, in a last-ditch effort to attain even larger revenues.

It is likely that the botnet controllers will revive their network within two weeks. In the meantime, PC users are encouraged to keep their OS and AV up to date. Additional measures such as purpose-built anti-keylogging solutions are also recommended. Online banking systems immune to Zeus are also far safer. Trend Micro has produced a removal tool, which can be downloaded here.

Ransomware is certainly a current weapon of choice amongst cyber criminals. Last week iPhone users in Australia and the UK fell victim to ransomware with demands to pay $100 to an “Oleg Pliss” in order to regain access to their device. And this week, researchers uncovered SimpleLocker, ransomware capable of encrypting files on Android devices. Even if victims pay the ransom, there is no guarantee that criminals will keep their word and deliver on the decryption or unlocking. I recommend that victims do not give in to ransom demands.
