Microsoft Sinkholes Infamous ZLoader Botnet

Microsoft’s Digital Crimes Unit (DCU) has disrupted the well-known ZLoader cybercrime botnet, which was used to deliver Ryuk ransomware in attacks on healthcare companies. Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains that the ZLoader botnet uses for command-and-control communications. Those domains have now been sinkholed, preventing the botnet operator from communicating with devices infected with ZLoader malware.

ZLoader malware contains a domain generation algorithm (DGA) that is activated when the hard-coded domains cannot be reached, serving as a failsafe against takedown attempts. The court order additionally permitted Microsoft to seize 319 DGA-registered domains, and Microsoft is taking steps to block the registration of any further DGA domains.
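The DGA fallback described above has a visible footprint on the defender's side: once the hard-coded C2 domains stop answering, an infected host typically issues a burst of lookups for algorithmically generated names. The following is an added example of a simple triage script for that pattern; it is not code from Microsoft, the article, or ZLoader, it does not reproduce ZLoader's actual DGA, and the log format, hostnames, domains and scoring thresholds are all constructed assumptions for illustration.

```python
"""DGA-like domain triage over DNS query logs (added example; not Microsoft's or ZLoader's code)."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log lines; hostnames and domains are made up
# and are NOT real ZLoader indicators.
SAMPLE_DNS_LOG = """\
2022-04-13T10:01:02Z host-17 query A update.microsoft.com
2022-04-13T10:01:05Z host-17 query A xkqzvtpwmlrhbgd.com
2022-04-13T10:01:06Z host-17 query A qwrtzpxvbnmlkjh.net
2022-04-13T10:01:07Z host-17 query A plmkoijnbhuygvt.org
2022-04-13T10:01:09Z host-17 query A www.example.org
2022-04-13T10:02:00Z host-42 query A mail.example.org
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Naive second-level label: 'www.example.org' -> 'example'.
    Does not understand multi-part public suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """Heuristic 0..4 score; higher means more DGA-like.
    The thresholds are illustrative assumptions, not tuned values."""
    label = registrable_label(domain)
    score = 0
    if len(label) >= 12:                      # long labels
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    if vowel_ratio < 0.25:                    # unpronounceable
        score += 1
    if shannon_entropy(label) >= 3.5:         # near-uniform character mix
        score += 1
    runs = re.findall(r"[^aeiou]+", label)
    if max((len(r) for r in runs), default=0) >= 5:   # long consonant run
        score += 1
    return score


def is_dga_like(domain: str, threshold: int = 3) -> bool:
    return dga_score(domain) >= threshold


def parse_dns_log(text: str):
    """Yield (timestamp, host, domain) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _query, _qtype, domain = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, domain


def find_dga_bursts(text: str, window_seconds: int = 60, min_queries: int = 3) -> dict:
    """Return {host: [DGA-like domains]} for hosts that issued at least
    min_queries DGA-like lookups inside any window_seconds-wide window.
    Such a burst is what a DGA fallback looks like once the hard-coded
    C2 domains stop answering (e.g. after they have been sinkholed)."""
    per_host = defaultdict(list)
    for ts, host, domain in parse_dns_log(text):
        if is_dga_like(domain):
            per_host[host].append((ts, domain))
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for host, events in per_host.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= min_queries:
                flagged[host] = [d for _, d in events]
                break
    return flagged


if __name__ == "__main__":
    for host, domains in find_dga_bursts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(domains)} DGA-like lookups: {', '.join(domains)}")
```

On the constructed log, only host-17 is flagged: its three consecutive lookups of random-looking labels within a few seconds is the fallback pattern, while the legitimate names score zero. In practice the heuristic is a triage filter, not a verdict: hits should be correlated with a resolver's NXDOMAIN responses and with the sinkhole addresses published by the takedown operator before a host is treated as infected.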

ZLoader belongs to a family of malware variants descended from the ZeuS banking Trojan. ZeuS was originally used for credential and financial theft, with the aim of draining money from victims’ financial accounts. The threat actor behind the malware later turned it into a malware-as-a-service operation that distributes malware and ransomware, including Ryuk, on behalf of other threat actors.

Ryuk ransomware has been widely used in attacks on the healthcare sector since it first appeared in 2018, and ZLoader was one of the ways the ransomware was delivered. ZLoader could disable a well-known antivirus solution to evade detection, and the malware was installed on a large number of devices, mostly in the education and healthcare sectors.

The takedown of the botnet is significant; nevertheless, the botnet operators are probably already working to build new command-and-control infrastructure. Microsoft said the seizure was a success that disabled the ZLoader infrastructure in the short term and has made it harder for the organized criminal gang to continue its malicious activities.

The case has been referred to law enforcement, which is monitoring this activity directly, and Microsoft will continue to work with its partners to track the conduct of these cybercriminals. Microsoft will also work with internet service providers to identify and remediate victims. Microsoft additionally affirmed that it is prepared to take further legal action and use technical measures to address ZLoader and other botnets.

Microsoft also named Denis Malikov, who lives in Simferopol on the Crimean Peninsula, as the person believed to be responsible for creating a component of the malware that was used to deliver ransomware. This demonstrates that cybercriminals cannot hide behind the anonymity of the internet to commit their crimes.

Microsoft noted that the cybersecurity firm ESET, Black Lotus Labs, and Palo Alto Networks’ Unit 42 team assisted with its investigation of the ZLoader operation. The Health Information Sharing and Analysis Center (H-ISAC), the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender team also provided additional insights.