GameOver and Cryptolocker Busted

Category: Security

Two of the biggest, most sophisticated, and most profitable scams on the Internet were neutralized at the end of May. The FBI, working with counterparts in seven countries, has (at least temporarily) shut down the GameOver financial fraud botnet and the CryptoLocker ransomware operation. In light of this, there are TWO IMPORTANT STEPS I'm asking you to take...

Score Two Points for the Good Guys

Malware known as GameOver Zeus (GOZ) had been growing steadily for years, adding hapless computers to its Borg-like collective by infecting them with sneaky multi-function malware. Its captives numbered between 500,000 and a million, according to the court affidavit of FBI Special Agent Elliott Peterson. The malware on each enslaved computer allowed it to be used to send spam and participate in denial of service attacks, but its primary mission was “credential theft.”

The malware monitored the computer user’s keystrokes and mouse activity, the apps used, and Web sites visited. When the user logged on to a finance-related Web site, the malware captured usernames and passwords, transmitting them to its masters in Russia. The crooks would use the credentials to steal money in several ways.

GameOver Botnet

GOZ targeted mainly businesses with large payrolls, such as hospitals, whose direct-deposit payroll transactions could be redirected to “money mules,” people recruited to launder money for the GOZ masters. Direct wire transfers to international bank accounts were also common; the largest was $6.9 million at one time!

CryptoLocker is classic ransomware: malware that encrypts a victim's files with a key only the attackers hold, then bluntly demands payment of several hundred dollars for the decryption key that restores access to them. Its victims numbered in the tens of thousands. See my article on CryptoLocker and Ransomware.

The FBI investigated GOZ for over two years, sorting out its scope, functionality, and the specific criminal activities upon which indictments and petitions for restraining orders could be based. Finally, authorities obtained court permission to seize the domains and servers the GOZ network depended on, cutting the infected computers off from the criminals who controlled them and halting the thefts, at least for now.

It turns out GameOver and CryptoLocker are connected to the same Russian cybercrook. One man has been identified and indicted: Evgeniy Mikhailovich Bogachev of the Black Sea town of Anapa, Russia. Four accomplices are named in the 14-count indictment only under their online aliases. The U.S. seeks to extradite Bogachev, but it is unlikely that Russia will hand him over. The Russian government has consistently refused to allow its citizens to be tried in foreign courts. Whether "Bogey" will face justice in a Russian court remains to be seen.

Internet users should applaud the collaboration of law enforcement organizations from around the world that helped to bring down this highly sophisticated cyber criminal. But here's the rub… the GameOver and CryptoLocker crime networks are crippled, but not destroyed. The command and control center has been seized, but experts predict that it can and will be reconstituted over the next two weeks.

What You Need to Do... NOW!

This gives users a chance to do two very important things. Without their command and control servers, GameOver and CryptoLocker lie dormant on infected computers. During this window of time, it's essential to clean up as many infected computers as possible. This will further weaken the peer-to-peer network that allows this malware to operate and spread.

I urge you to take the two steps listed below, and encourage all your friends, relatives and contacts to do the same:

First, use an anti-malware scanner to look for and remove any GOZ, CryptoLocker or other malware. See my article HOWTO: Deep Scan for Malware and choose one or more of the tools listed there. I suggest using MalwareBytes Anti-Malware and/or Microsoft System Sweeper, because they are on-demand scanners that will not interfere with your existing anti-virus protection.

Second, make sure your operating system and all third-party software are up to date. My article Computer Security: The Missing Link lists several tools to help you get that job done.
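For readers who prefer to check the second step themselves, here is an added example (written for this edit, not part of the original article or of any tool it names) that audits a Windows machine's patch status from an elevated PowerShell prompt: it lists applicable Windows updates that are not yet installed, the anti-virus products registered with Windows Security Center, and the installed third-party software so you can compare versions against what the vendors currently ship. It uses only the Windows Update Agent COM API, the Security Center WMI class and the standard Uninstall registry keys, all present on Windows 7 and later; the productState decoding is the commonly used interpretation of an undocumented field.

```powershell
# Added example: audit patch and protection status on a Windows PC.
# Run as Administrator. Nothing here changes the system; it only reads.

function Get-PendingWindowsUpdates {
    # Ask the local Windows Update Agent which applicable updates are not yet
    # installed. This performs an online search against the configured source
    # (Windows Update or WSUS), so it needs network access.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity   # Critical/Important/... for security bulletins, blank otherwise
            Title    = $u.Title
        }
    }
}

function Get-RegisteredAntivirus {
    # Products registered with Windows Security Center (client SKUs only; the
    # namespace does not exist on Windows Server). productState is a 24-bit
    # field: the middle byte is 0x10 or 0x11 when real-time protection is on,
    # the low byte is 0x00 when definitions are current and 0x10 when stale.
    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product          = $_.displayName
                RealTimeEnabled  = ($hex.Substring(2, 2) -in '10', '11')
                DefinitionsFresh = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Get-InstalledPrograms {
    # Software inventory from the registry, covering 64-bit, 32-bit and
    # per-user installs. SystemComponent entries are OS plumbing, not apps.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

# Report. Anything in the first table is a patch you are missing right now;
# anything in the third table with an old version is worth updating too,
# since browser plug-ins and readers were the usual way these infections arrived.
$pending = @(Get-PendingWindowsUpdates)
"{0} Windows update(s) pending" -f $pending.Count
$pending                | Format-Table -AutoSize
Get-RegisteredAntivirus | Format-Table -AutoSize
Get-InstalledPrograms   | Format-Table -AutoSize
```

If the anti-virus table shows RealTimeEnabled false or DefinitionsFresh false, that product is not protecting you regardless of what its tray icon says; fix that before running the on-demand scan in step one, since a disabled or stale resident scanner is itself a common sign of infection.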

You can forward this article via email, Facebook or Twitter using the green ShareThis button at the top of page, or by pasting the article link into an email or social media posting. When you do, encourage your friends to take these two important steps to secure their computers, and help to take down a nasty cybercrime network.

Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted on 5 Jun 2014


Most recent comments on "GameOver and Cryptolocker Busted"

Posted by:

David W Solomons
05 Jun 2014

This is great news.
However, it is probably still a good idea to lock down the roaming folder (and other temporary system folders) which malware like CryptoLocker uses. A simple solution is offered by a site called FoolishIT and its software CryptoPrevent. (The latest version also allows whitelisting of legitimate software such as Spotify, which uses the roaming folder.)
Kind regards
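The lockdown the comment above describes can be done without any third-party tool. The following is an added example for this page (editor's illustration, not the commenter's or CryptoPrevent's code, and not the page author's): it uses Windows Software Restriction Policies, written straight to the registry so it also works on editions without the Group Policy editor, to refuse to run executables from the per-user writable folders that droppers of that era launched from, and adds one Unrestricted rule as the kind of whitelist entry the comment mentions. The path patterns and the Spotify location are assumptions chosen for illustration; test on one machine first, because anything legitimate that runs from %AppData% or %Temp% will be blocked until you whitelist it.

```powershell
# Added example: block execution from user-writable folders via Software
# Restriction Policies (SRP). Run from an elevated PowerShell prompt.

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Patterns to disallow. In SRP path rules '*' does not cross a backslash, so
# '%AppData%\*.exe' covers the folder itself and '%AppData%\*\*.exe' one level
# down. Assumed list for this example, not a published indicator set.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%UserProfile%\*.exe',
    '%Temp%\*.exe',
    '%Temp%\Rar*\*.exe',   # WinRAR, 7-Zip and WinZip extract to %Temp% subfolders
    '%Temp%\7z*\*.exe',    # before running an "open" from inside an archive,
    '%Temp%\wz*\*.exe'     # which is how many mailed droppers were launched
)

function Set-SrpDefaults {
    # Create the policy root: everything Unrestricted by default, rules apply to
    # administrators too, all executables except DLLs are checked.
    New-Item -Path $srp -Force | Out-Null
    Set-ItemProperty -Path $srp -Name DefaultLevel        -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $srp -Name TransparentEnabled  -Value 1       -Type DWord
    Set-ItemProperty -Path $srp -Name PolicyScope         -Value 0       -Type DWord
    Set-ItemProperty -Path $srp -Name AuthenticodeEnabled -Value 0       -Type DWord
}

function Add-SrpPathRule {
    # Each rule is a GUID-named subkey under the security level it enforces:
    # 0 = Disallowed, 262144 (0x40000) = Unrestricted.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][ValidateSet('Disallowed', 'Unrestricted')][string]$Level,
        [string]$Description = ''
    )
    $levelKey = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $ruleKey  = Join-Path $srp ('{0}\Paths\{1}' -f $levelKey, [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Pattern     -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $ruleKey
}

Set-SrpDefaults
foreach ($p in $blockedPaths) {
    Add-SrpPathRule -Pattern $p -Level Disallowed -Description "Block user-writable path: $p" | Out-Null
}

# Whitelist entry. SRP resolves conflicts by specificity: a rule naming this
# exact file beats the broader '%AppData%\*\*.exe' Disallowed rule above.
# The install location is an assumption for the example.
Add-SrpPathRule -Pattern '%AppData%\Spotify\Spotify.exe' -Level Unrestricted -Description 'Allow Spotify' | Out-Null

# New processes read the policy from the registry; refresh policy (or log off
# and on) so the change applies everywhere without waiting for a reboot.
gpupdate /force | Out-Null
```

To undo the whole thing, delete the CodeIdentifiers key (`Remove-Item $srp -Recurse`) and run `gpupdate /force` again; to see which rule blocked a program, look for event ID 865 from SoftwareRestrictionPolicies in the Application log.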

Posted by:

05 Jun 2014

Thanks for the great news Bob, this is the first I've heard that they finally nailed this guy and his cohorts.

I will be sharing this with all friends and family to help them understand what to do right NOW.

Personally I run a Malwarebytes Pro scan daily. You can never be too cautious.

Posted by:

John Komdat
05 Jun 2014

Thank you for your many years of fascinating and essential information about the Internet. Today's article recommends doing a deep scan for malware. Is this only for PCs? Are Macs immune from being a bot?

EDITOR'S NOTE: No, Macs are not immune. Google "Flashback botnet" and "Backdoor.Java.Agent.a." for two examples. The ones I've read about involve Java exploits.

Posted by:

05 Jun 2014

A very valuable article!

This article should get the highest possible distribution. I will forward it to my contacts.

As for Bogachev – rest assured that he will not be extradited.

The chances that Bogachev will “face justice in a Russian court” are very slim.

Bogachev surely shared some of his profits with those in charge of the Russian “justice system” and thus assured his invulnerability. Hackers also have business expenses...

See Bogachev’s page on FBI’s website

See pictures of Bogachev’s home in Anapa, where he lives with his wife and daughter. He owns the entire sixth floor, which he turned into a fortified bastion. The neighbours are well aware of his lavish lifestyle.

Posted by:

David Ruedeman
05 Jun 2014

Great article and comments!! You should also perform a full backup and preferably keep the backup offline, connecting it only when you have to update your backup.

Posted by:

Geoff Edwards
05 Jun 2014

I agree, thanks Bob for being so quick off the mark. I have tried to download Microsoft System Cleaner for one of my PCs running XP Pro Service Pack 3. The installer says it won't run on my version of Windows. The documentation says it should. I suppose this is another action by Microsoft to remove support for XP.

Posted by:

Harish Dobhal
05 Jun 2014

Thanks for this useful information and thanks to the agencies involved in this work. The Internet has become a medium of choice for frauds, and when one this brazen and well known takes TWO YEARS of investigation just to obtain a warrant to close their operations, we can imagine how hard it could be for 'not so brazen but possibly even bigger' fraudsters.

Thanks Bob for the article and I promise to follow your two steps, BUT, will you do a little bit more? There are websites which offer small tasks for small amount of money and they earn a lot - not by fair business, but by inventing ways to deny hard workers their money.

There is one website which claims to pay its members a small amount of money (usually a few cents) for petty tasks such as visiting a website and registering online. I worked for this site and when I started everything seemed so nice and easy - getting 10 odd cents for registering to some database etc. But, when I accumulated 5 odd dollars, they stopped me from working. The site asked me to first verify my mobile number. I promptly followed that and clicked the button to send me the verification code. One request, two requests, three requests and no code was ever sent! Now, they charged me a few cents for any new request but even after several 'paid requests' to send me the code, I did not get one. Their official customer care just doesn't respond. I searched the internet for similar cases and was surprised to know that this happened to many people.

I figured out what is actually happening there. They charge their customers some fee for those tasks, get those tasks done by people like me, and then use this method to block their access. Now the question is how does it work? Why don't people complain? The answer is - it's such a small amount for most people (usually around 5 - 10 dollars). This way they continue cheating people who eventually leave the website, but the final result is that the site makes a profit.

So Bob, will you care enough to investigate this website for the greater good? I hope you do.

Posted by:

Brian S.
05 Jun 2014

Good news but I have some questions. Are Linux and Android devices safe? What anti-malware programs, if there are any, would you recommend for these?

EDITOR'S NOTE: Linux, Android and Apple devices are not susceptible to the GameOver and CryptoLocker malware, because they were developed specifically to attack Windows computers.

Posted by:

05 Jun 2014

Hi Bob.
Along the lines of both John Komdat's and Brian S.' comments, I am under the impression that both Mac and Linux are more secure than Windows, but still there's no invulnerable platform. So, for us who dwell in those "ecosystems", can you recommend some anti-malware tools? I already use Clam for both my Debian desktop and my MacBook (ClamX for the Mac)... but if there are some other tools you can point us to, it would be great.
As always, a great article!

Posted by:

Brian S.
06 Jun 2014

It would seem to me that the CryptoLocker program (or any other malware program for that matter) could be stored on a Linux, Android or Apple device, just not executed. What if one was to connect that device to a Windows PC? Couldn't the malware program be transferred to it and then executed? I guess what I'm trying to ask here is: are there any anti-malware programs that can run on Linux, Android or Apple devices that could detect and delete these malware programs that are designed to infect Windows PCs? Hmmmmm, sounds like a great idea for an app. Just connect your device to your PC and run the app on the device to clean your PC. Anyone want to make me rich and buy the rights?

Posted by:

09 Jun 2014

Does encryption software exist that makes it impossible to access a drive without a password? I don't want to encrypt my data, I only want to be able to access my files through a password. Encryption is only necessary when sending information through the internet.

Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- GameOver and Cryptolocker Busted (Posted: 5 Jun 2014)