The multinational effort that led to the disruption of the Gameover Zeus botnet that distributed the infamous Cryptolocker ransomware highlights what is possible when companies become more open with information during cybersecurity investigations, experts say.
[Zeus malware found with valid digital certificate]
The U.S. Department of Justice announced Monday that the global police effort had caused significant damage to the botnet believed responsible for more than $100 million in losses to companies and individuals.
In addition, criminal charges unsealed by U.S. courts identified the alleged administrator of the botnet that targeted banking credentials as Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia. Bogachev, who remains on the lam, was charged with conspiracy, computer hacking, bank and wire fraud and money laundering.
The botnet operators were as big a threat to business as individuals, experts said. They were particularly good at conducting wire fraud after distracting banks with distributed denial of service attacks.
"What isn't well known to the public is that these attacks were widespread for a long time and caused a big scare in the financial services industry," Lucas Zaichkowsky, enterprise defense architect at digital forensics company AccessData, said in an email. "My sources tell me that most banks were hit."
Law enforcement could not have disrupted the botnet of from 500,000 to 1 million compromised computers without cooperation from the banks and businesses that were victimized by the Cryptolocker ransomware, Steve Chabinsky, general counsel and chief risk officer for cybersecurity firm CrowdStrike, said.
Cryptolocker was responsible for $27 million in ransom payments from some of the owners of the more than 234,000 computers compromised.
CrowdStrike assisted law enforcement in its Gameover Zeus investigation, which the company said was codenamed Operation Tovar.
Unfortunately, many businesses victimized by botnet operations are not as forthcoming with information as they should, Chabinsky said. Those that are more open make busts like the latest operation possible.
"Business caught in these types of schemes should not be embarrassed to bring it (information) forward to law enforcement," he said. "Law enforcement is in need of information and is acting to determine what the greatest threats are and then in a coordinated fashion with law enforcement throughout the world and industry is taking action."
Cryptolocker was particularly nasty because the malware would encrypt a computer's hard drive and victims would have to pay criminals as much as $700 for the keys to unlock the data.
Bogachev was the alleged administrator of the Cryptolocker operations, as well as the overall botnet.
"There are companies that have paid ransoms to Cryptolocker and the infection can impact businesses just as easily as it impacts individuals," Chabinsky said. "Business are involved in this and a lot of them are concerned about reporting to law enforcement."
Those concerns are understandable given the potential legal problems that could arise if companies share information related to customers or partners. Some experts advocate Congress providing protection to businesses when sharing information related to cybersecurity.
"There is a need to provide clear guidance on how cyber-warfare is to be conducted, how attribution of attacker is determined, how commercial safe harbor and liability of consequence for warfare is to be handled, said Philip Lieberman, president and chief executive of Lieberman Software, which specialized in identity management.
In addition, legislation could help Internet service providers work closer with law enforcement to take down botnets.
"There is no legislation that allows the ISPs that connect the infected machines to quell the outbreak by monitoring and blocking the traffic," Lieberman said.
[Wicked hybrid of Zeus and Carberp malware unleashed into the wild]
Companies that can find a way around these concerns can be a big help to law enforcement in raising the cost for cybercriminals building botnets to attack businesses.
"Working on coordinated efforts with the government to go after the threat actors is far more cost effective for business than constantly trying to build larger walls," Chabinsky said.