GameOver Zeus and Cryptolocker: Law enforcement hits gang responsible

FBI names as "Most Wanted" the leader of cyber criminal gang based in Russia and Ukraine responsible for both GameOver Zeus and Cryptolocker schemes, as law enforcement agencies crack down on cyber crime infrastructure.

FBI names as “Most Wanted” the leader of cyber criminal gang based in Russia and Ukraine responsible for both GameOver Zeus and Cryptolocker schemes, as law enforcement agencies crack down on cyber crime infrastructure.

If you follow developments in cyber crime you probably saw that Evgeniy Bogachev has been added to the FBI’s Most Wanted list for cyber criminals. Bogachev was identified in U.S. court documents this week as “the leader of a gang of cyber criminals based in Russia and the Ukraine responsible for the development and operation of both the GameOver Zeus and Cryptolocker schemes.”

These two schemes were used to execute a range of despicable cyber crimes that robbed consumers, companies, and even non-profit organizations of millions of dollars. The GameOver Zeus malware created a botnet that helped to spread Cryptolocker, code that was used to encrypt the files of victims and extort money from them in a scheme known as ransomware. But GameOver Zeus was also used to steal personal data and money by carrying out fraudulent banking transactions using the accounts of its victims.

Note that all ESET products have been detecting and removing this malware since 2012 with detection name Win32/Spy.Zbot.AAU, as described by our Virus Radar. Of course, anyone can use the free ESET Online Scanner to scan their system for GameOver Zeus related threats. For more details on dealing with this threat see ESET Knowledgebase article SOLN3538.

Score one for the good fight

The various steps taken by law enforcement to take down GameOver Zeus, know as Operation Tovar, combined with other recent crackdowns like the one against Blackshades, could well add up to a big leap forward in the fight against cyber crime as it sends a clear message to those responsible that they are not untouchable. No, not all of these crooks have been arrested. But my contacts in international law enforcement assure me that having your face plastered all over the Internet as “Most Wanted” definitely puts a crimp in the cyber criminal lifestyle. Eventual arrest is very likely, and until then many simple things like travel and financial transactions can be a huge hassle.

The many parties involved in these actions deserve our praise and gratitude, not least for presenting some exceptionally clear statements about what was accomplished. I’m going to quote them extensively in an effort to counter some of the confused reporting that has been mixing up elements of the story. Let’s begin with the indictment against Bogachev:

“A federal grand jury in Pittsburgh unsealed a 14-count indictment against Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation, charging him with conspiracy, computer hacking, wire fraud, bank fraud, and money laundering in connection with his alleged role as an administrator of the GameOver Zeus botnet. Bogachev was also charged by criminal complaint in Omaha with conspiracy to commit bank fraud related to his alleged involvement in the operation of a prior variant of Zeus malware known as Jabber Zeus.”

Now, here’s the injunction story, also excerpted from the detailed FBI account:

In a separate civil injunction application filed by the United States in federal court in Pittsburgh, Bogachev is identified as a leader of a tightly knit gang of cyber criminals based in Russia and Ukraine that is responsible for the development and operation of both the GameOver Zeus and Cryptolocker schemes. An investigation led in Washington, D.C., identified the GameOver Zeus network as a common distribution mechanism for Cryptolocker. Unsolicited e-mails containing an infected file purporting to be a voice-mail or shipping confirmation are also widely used to distribute Cryptolocker. When opened, those attachments infect victims’ computers. 

And then the takedown, in which law enforcement has been authorized by the courts to “redirect the automated requests by victim computers [the botnet] for additional instructions away from the criminal operators [command and control servers] to substitute servers:

 The order authorizes the FBI to obtain the Internet protocol addresses of the victim computers reaching out to the substitute servers and to provide that information to US-CERT to distribute to other countries’ CERTS and private industry to assist victims in removing the GameOver Zeus malware from their computers. 

Note that the FBI says this has been done without privacy violations: “At no point during the operation did the FBI or law enforcement access the content of any of the victims’ computers or electronic communications.”

What is clear from these accounts is something we have been saying here on We Live Security for a long time: cyber crime is evolving on an industrial scale with the intent to make money off people who rely on computers in their business and daily lives, with no regard to the pain and suffering these crimes inflict. According to the FBI, losses attributable to GameOver Zeus are “estimated to be more than $100 million.” That does not include the opportunity costs of protective and corrective measures, nor the drag on productivity that cyber crime at this scale imposes.

What’s next?

I anticipate further progress on three fronts. First, the pursuit of the persons named in the recent indictments and injunctions, hopefully resulting in apprehension and prosecution. I think this will have a strong deterrent effect on some current and wannabe cyber criminals.

Second, I think we will see further takedowns and indictments related to other cyber crime operations. It is no secret that security companies like ESET and those named by the FBI in the GameOver Zeus takedown are actively involved with ongoing investigations. The work is hard and it takes a frustratingly long time to get to the point where indictments can be handed down, but people should know that such work is going in.

Third, I see the public continuing to increase its security awareness and practice better cyber hygiene. We would all like technology to solve the cyber crime problem but it cannot. Reducing cyber crime will take sustained law enforcement efforts, at all levels, from the local to the international, plus cooperation from companies and consumers playing their part to prevent the spread of malware and stop unauthorized access to systems and data. That means consistent use of strong anti-malware, strong authentication, and strong encryption. Together, we can make a difference.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center