From Microsoft’s blog:
Notorious cybercrime gang’s botnet disrupted
Today we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is run by a modern internet-based global organized crime gang operating malware as a service that is designed to steal and extort money.
ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world connected to the internet that are infected with malware. These devices are then controlled by an organized criminal gang to conduct illegal activity through the distribution of malware including crippling ransomware and banking trojans resulting in the theft of millions of dollars from unsuspecting victims.
We obtained a court order from the United States District Court for the Northern District of Georgia allowing us to take control of 65 domains that the ZLoader organized criminal gang has been using to grow, control, and communicate with its botnet. The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (“DGA”) embedded within the malware that creates domains as a “fallback” backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take an additional 319 currently registered DGA domains. We are also working with the domain registry VeriSign to block the future registration of these additional DGA domains.
During our investigation, we identified one of the perpetrators behind the creation of a component leveraged by the operators of the ZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula. We chose to name a specific individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the Internet to commit their crimes. Today’s legal action is the result of months of investigation that pre-date the current conflict in that region.
Originally, the primary goal of Zloader was financial theft, stealing account login IDs, passwords, and other information to take money from people’s accounts. Zloader also included a component that disabled popular security and antivirus software, thereby preventing victims from detecting the ZLoader infection. Over time those behind Zloader began offering the infrastructure as a Malware-as-a-Service delivery platform to distribute ransomware such as Ryuk. Ryuk is well known for targeting health care institutions with ransomware to extort payment without regard to the patients they put at risk.
DCU led the investigative effort behind this action in partnership with ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Palo Alto Networks, with additional data and insights to strengthen our legal case from our partners the Financial Services and Health – Information Sharing and Analysis Centers (FS-ISAC and Health-ISAC), in addition to our Microsoft Threat Intelligence Center and Microsoft Defender team.
Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang. We expect the defendants to make efforts to revive Zloader’s operations. We are tracking this activity closely and will continue to work with our partners to monitor the activities of these cybercriminals. We will work with Internet Service Providers to identify and remediate victims. As always, we’re ready to take additional legal and technical action to address Zloader and other botnets.