Malicious Life, Episode 6: Hell to Pay, episode recap

In the previous episode of Malicious Life, we discussed the roots of the ransomware phenomenon (malicious software that prevents users from accessing the files on their computer and demands a ransom to release those files). We also discussed the two big challenges cybercriminals face: devising effective encryption that is hard to crack, and figuring out a monetization strategy that keeps the criminal anonymous and doesn’t allow the victim to cancel the payment or get a refund.

In September 2013, a new ransomware named CryptoLocker was discovered. CryptoLocker would seek out specific types of files - for example, Excel and Word documents, pictures, and videos - encrypt them, and then pop up a threatening message on the computer’s screen: pay $300 or all your files will be deleted forever! A timer in the corner of the screen would start counting down 72 hours.

Now, information security experts had already encountered ransomware in the years prior to CryptoLocker, so the threat it presented to users wasn’t new. What was new was one of the payment options the ransomware offered its victims: Bitcoin.

Bitcoin, first created in 2009, is a virtual cryptographic currency. That means it is a currency that exists only in the virtual world and is based on cryptographic algorithms. Bitcoin has a few fascinating characteristics that differentiate it from traditional currencies such as the dollar and the euro, which are also usable online. But the characteristic most relevant to us is that, of all the widely recognized currencies, Bitcoin is the closest thing to cash.

CryptoLocker is arguably the first modern ransomware. It appeared out of nowhere, and it was the first to combine the concept of ransomware with the novel technology of Bitcoin. So 2013 was the year that marked the rise of ransomware.

It was obvious that whoever created CryptoLocker knew what they were doing. The file encryption was impeccable and uncrackable. Spreading the malware via email was also highly effective: the emails carrying the infected file were designed to appear as though they came from the recipient’s clients or from respectable institutions. CryptoLocker was clearly created by professionals, not by teens looking to have some fun with malware in their spare time or by criminals looking for quick cash.

Naturally, CryptoLocker’s great success and the huge damage it caused attracted the attention of information security companies and law enforcement agencies. The ransomware itself didn’t contain any hints regarding the identity of its creators, but investigators did have a lead in the way the ransomware was distributed online.

The name Slavik has been known to information security people since at least 2006. Slavik is the nickname of a programmer who created one of the most infamous pieces of malware: Zeus. This was a very sophisticated and stealthy malware used mainly for breaking into bank accounts. Slavik, and a gang of Russian-Ukrainian criminals who cooperated with him, broke into the accounts of dozens of companies and organizations and stole tens of millions of dollars from them. In 2010, the FBI was able to get its hands on some of Slavik’s partners in crime and stop the gang’s criminal activity in the US, but Slavik himself was never caught, and his true identity remained a mystery.

Slavik went into hiding. In “underworld” forums, he declared his retirement and even sold the Zeus code to another criminal. No one heard from him for some months, but his ‘retirement’ turned out to be a bluff. In 2011, a new malware was discovered that was a better, more sophisticated version of Zeus. The name given to it was GameOver Zeus.

In 2013, a Dutch company called Fox IT was able to lay its hands on a server used by Slavik, and the information extracted from it gave investigators a rare insight into the criminal empire this slippery operator had established. The gang Slavik gathered around himself contained 50 seasoned and experienced cybercriminals, each specializing in a different aspect of the “trade”: some were responsible for hacking into bank accounts, others managed the transfer of funds around the world, and others handled the technical side of running the GameOver Zeus botnet.

Gaining control of the server produced one more meaningful item: an email address used by Slavik. The Fox IT investigators scanned social media and found a profile attached to this address. It was the missing piece of the puzzle, and it exposed Slavik’s true identity. Slavik’s real name was Evgeniy Mikhailovich Bogachev, a man in his mid-30s living in Anapa, a tourist town on the Black Sea.

The FBI began planning an operation to take down the GameOver Zeus botnet, an operation nicknamed Operation Tovar. No one doubted that this would be one of the most complex and difficult cyber operations ever attempted. The tentacles of the gang, known as the Business Club, spanned almost every corner of the globe: the crime organization’s nerve center was located in Russia and Ukraine, but it had servers and collaborators in the USA and many European countries, not to mention the millions of computers all over the world infected with GameOver Zeus. FBI agents built ties and collaborations with organizations, law enforcement agencies, and information security companies all over the world. The goal was clear: to strike Bogachev’s organization simultaneously on multiple fronts and knock it out before it had a chance to recover.

The additional challenge in Operation Tovar was a technological one: taking control of the millions of computers infected with GameOver Zeus. The goal here was to wrest control of the botnet from Bogachev’s hands, something that would effectively sever the tentacles of this crime octopus. It was no simple matter: a special team from Microsoft tried to take over GameOver Zeus in 2012 and failed. Several American and German information security experts tried again at the beginning of 2013. They were able to take command of 99% of the computers in the botnet, but the remaining 1% was all Bogachev needed to foil their plans and take back control of the entire network.

In early June 2014, authorities in several countries attempted to simultaneously seize servers owned by Bogachev’s gang, while at the same time information security experts tried to take control of GameOver Zeus’s bots.

Catch the 6th episode of Malicious Life to hear the rest of the story, and hear Steven Cobb discuss the future of ransomware.

https://malicious.life/episode/episode-6-hell-to-pay/

About the Author

Eliad Kimhy

Eliad Kimhy is on the Cybereason Marketing team, leading production of the Malicious Life podcast.