Cops seize 800,000 domains in sting on massive ransomware network

A four year investigation by German police has culminated in a coordinated takedown of around 830,000 domains used to control hundreds of thousands of ransomware infections.

An international law-enforcement operation dubbed Avalanche has decapitated a massive malware network behind notorious file-encrypting ransomware such as Teslacrypt and Cerber.

The malware network has been in operation since 2009, underpinned by around 600 servers and 830,000 domains that were used to distribute ransomware and manage infected computers.

On an average day, the network was responsible for herding about 500,000 bots and sent over one million spam email with malicious attachments, according to Europol.

The operation, which wrapped up on Wednesday, targeted 20 malware families, but resulted in a surprisingly small amount of arrests, numbering five individuals in total. However, 39 servers were seized and 221 servers were taken offline via abuse notifications sent to hosting providers.

The operation was assisted by organizations and law enforcement from 30 nations, including Australia, severing the connection between the botnet’s command and control infrastructure and infected machines.

The takedown may hamper ransomware that has caused pain for countless consumers and businesses over the past five years. However, previous botnet takedowns have resulted in only a temporary reprieve. Besides this, new threats are on the rise, such as the open-source Mirai malware and its high-powered distributed denial of service (DDoS) attacks.

While the Avalanche attackers cannot use neutered infrastructure to control infected machines, end users will still need to do independently run a range of malware removal tools that have been made available to clean up devices. Europol provides several links that can be used to do this. The UK’s National Crime Agency has posted links to similar tools provided Microsoft, Symantec, McAfee, F-Secure, and ESET here.

According to security firm Bitdefender, the operation hit widespread ransomware variants Cerber and Teslacrypt, as well as malware linked to online banking thefts and macro-enabled malware, such as Dridex. It has also provided malware removal tools.

Symantec notes that a number of older police-themed ransomware screen locking malware were also disrupted by the action.

The trigger for the operation was a 2012 outbreak in Germany of file-encrypting ransomware in 2012, according to Europol.

Germany’s Federal Office for Information Security and Fraunhofer (FKIE) trawled around 130 TB of data to identify the botnet's servers, leading to Wednesday’s server takedown.

The Avalanche network was structured around three rings, the outer layer of 800,000 domain addresses standing ready for infected computers to connect and receive instructions.

Key to the outer layer was an algorithm that pumped out a torrent of new domain names. In tandem with a second layer proxy servers, this was designed to evade efforts to pin it down.

A third layer and the core of the network was used by the network’s main administrators to manage money transfers and control instructions that govern what different malware variants would do with each infected computer.

Nations that participated in the takedown include Armenia, Australia, Austria, Azerbaijan, Belgium, Belize, Bulgaria, Canada, Colombia, Finland, France, Germany, Gibraltar, Hungary, India, Italy, Lithuania, Luxembourg, Moldova, Montenegro, Netherlands, Norway, Poland, Romania, Singapore, Sweden, Taiwan, Ukraine, the UK and the US.

The operation was led by Germany’s Public Prosecutor’s Office Verden and the Lüneburg Police, in cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Eurojust, and Europol.

Tags Microsoftsymantecmcafeebitdefenderf-securedomainsCSO AustraliaTeslaCryptLiam TungCerberransomware network

Show Comments