In a separate action, U.S. and foreign law enforcement officials worked together to seize computer servers central to the malicious software known as Cryptolocker, a form of "ransomware" that encrypts the files on victims' computers until they pay a ransom.
Victims of Gameover Zeus may use the following website created by DHS's Computer Emergency Readiness Team (US-CERT) for assistance in removing the malware: https://www.us-cert.gov/gameoverzeus .
"This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data," said Deputy Attorney General Cole. "We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world."
"Gameover Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," said FBI Executive Assistant Director Anderson.
A federal grand jury in Pittsburgh unsealed a 14-count indictment against Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation, charging him with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Gameover Zeus botnet. Bogachev was also charged by criminal complaint in Omaha with conspiracy to commit bank fraud related to his alleged involvement in the operation of a prior variant of Zeus malware known as "Jabber Zeus."
In a separate civil injunction application filed by the United States in federal court in Pittsburgh, Bogachev is identified as a leader of a tightly knit gang of cyber criminals based in Russia and Ukraine that is responsible for the development and operation of both the Gameover Zeus and Cryptolocker schemes. An investigation led in Washington, D.C., identified the Gameover Zeus network as a common distribution mechanism for Cryptolocker. Unsolicited emails containing an infected file purporting to be a voicemail or shipping confirmation are also widely used to distribute Cryptolocker. When opened, those attachments infect victims? computers. Bogachev is alleged in the civil filing to be an administrator of both Gameover Zeus and Cryptolocker. The criminal complaint filed in Omaha alleges that Bogachev also used "Lucky12345," a well-known online moniker previously the subject of criminal charges in September 2012 that were unsealed in Omaha on April 11, 2014.
Gameover Zeus, also known as "Peer-to-Peer Zeus," is an extremely sophisticated type of malware designed to steal banking and other credentials from the computers it infects. Unknown to their rightful owners, the infected computers also secretly become part of a global network of compromised computers known as a "botnet," a powerful online tool that cyber criminals can use for numerous criminal purposes besides stealing confidential information from the infected machines themselves. Gameover Zeus, which first emerged around September 2011, is the latest version of Zeus malware that began appearing at least as early as 2007. Gameover Zeus's decentralized, peer-to-peer structure differentiates it from earlier Zeus variants. Security researchers estimate that between 500,000 and 1 million computers worldwide are infected with Gameover Zeus, and that approximately 25 percent of the infected computers are located in the United States. The principal purpose of the botnet is to capture banking credentials from infected computers. Those credentials are then used to initiate or re-direct wire transfers to accounts overseas that are controlled by cyber criminals. The FBI estimates that Gameover Zeus is responsible for more than $100 million in losses.
The Gameover Zeus botnet operates silently on victim computers by directing those computers to reach out to receive commands from other computers in the botnet and to funnel stolen banking credentials back to the criminals who control the botnet. For this reason, in addition to the criminal charges announced today, the United States obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers established pursuant to court order. The order authorizes the FBI to obtain the Internet Protocol addresses of the victim computers reaching out to the substitute servers and to provide that information to US-CERT to distribute to other countries' CERTS and private industry to assist victims in removing the Gameover Zeus malware from their computers.
Technical assistance was provided by Dell SecureWorks and CrowdStrike. Numerous other companies also provided assistance, including facilitating efforts by victims to remediate the damage to their computers inflicted by Gameover Zeus. These companies include Microsoft Corporation, Abuse.ch, Afilias, F-Secure, Level 3 Communications, McAfee, Neustar, Shadowserver, Anubis Networks, Symantec, Heimdal Security, Sophos and Trend Micro.
In addition to the disruption operation against Gameover Zeus, the Justice Department led a separate multi-national action to disrupt the malware known as Cryptolocker, which began appearing about September 2013 and is also a highly sophisticated malware that uses cryptographic key pairs to encrypt the computer files of its victims. Victims are forced to pay hundreds of dollars and often as much as $700 or more to receive the key necessary to unlock their files. If the victim does not pay the ransom, it is impossible to recover their files.
Security researchers estimate that, as of April 2014, Cryptolocker had infected more than 234,000 computers, with approximately half of those in the United States. One estimate indicates that more than $27 million in ransom payments were made in just the first two months since Cryptolocker emerged.