Businesses can do more in battle against Gameover Zeus-like botnets

The multinational effort that led to the disruption of the Gameover Zeus botnet that distributed the infamous Cryptolocker ransomware highlights what is possible when companies become more open with information during cybersecurity investigations, experts say.


The U.S. Department of Justice announced Monday that the global police effort had caused significant damage to the botnet believed responsible for more than $100 million in losses to companies and individuals.

In addition, criminal charges unsealed by U.S. courts identified the alleged administrator of the botnet that targeted banking credentials as Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia. Bogachev, who remains on the lam, was charged with conspiracy, computer hacking, bank and wire fraud and money laundering.

The botnet operators were as big a threat to businesses as to individuals, experts said. They were particularly good at conducting wire fraud after distracting banks with distributed denial of service attacks.

"What isn't well known to the public is that these attacks were widespread for a long time and caused a big scare in the financial services industry," Lucas Zaichkowsky, enterprise defense architect at digital forensics company AccessData, said in an email. "My sources tell me that most banks were hit."

Law enforcement could not have disrupted the botnet of 500,000 to 1 million compromised computers without cooperation from the banks and businesses victimized by the Cryptolocker ransomware, said Steve Chabinsky, general counsel and chief risk officer for cybersecurity firm CrowdStrike.

Cryptolocker was responsible for $27 million in ransom payments from some of the owners of the more than 234,000 compromised computers.

CrowdStrike assisted law enforcement in its Gameover Zeus investigation, which the company said was codenamed Operation Tovar.

Unfortunately, many businesses victimized by botnet operations are not as forthcoming with information as they should be, Chabinsky said. Those that are more open make busts like the latest operation possible.

"Businesses caught in these types of schemes should not be embarrassed to bring it (information) forward to law enforcement," he said. "Law enforcement is in need of information and is acting to determine what the greatest threats are and then in a coordinated fashion with law enforcement throughout the world and industry is taking action."

Cryptolocker was particularly nasty because the malware would encrypt the contents of a computer's hard drive, and victims would have to pay the criminals as much as $700 for the keys to unlock the data.

Bogachev was the alleged administrator of the Cryptolocker operations, as well as the overall botnet.

"There are companies that have paid ransoms to Cryptolocker and the infection can impact businesses just as easily as it impacts individuals," Chabinsky said. "Businesses are involved in this and a lot of them are concerned about reporting to law enforcement."

Those concerns are understandable given the potential legal problems that could arise if companies share information related to customers or partners. Some experts advocate that Congress provide legal protection to businesses that share cybersecurity-related information.

"There is a need to provide clear guidance on how cyber-warfare is to be conducted, how attribution of an attacker is determined, how commercial safe harbor and liability of consequence for warfare is to be handled," said Philip Lieberman, president and chief executive of Lieberman Software, which specializes in identity management.

In addition, legislation could help Internet service providers work more closely with law enforcement to take down botnets.

"There is no legislation that allows the ISPs that connect the infected machines to quell the outbreak by monitoring and blocking the traffic," Lieberman said.


Companies that can find a way around these concerns can be a big help to law enforcement in raising the cost for cybercriminals who build botnets to attack businesses.

"Working on coordinated efforts with the government to go after the threat actors is far more cost effective for business than constantly trying to build larger walls," Chabinsky said.

By Antone Gonsalves