Operation Tovar, which the FBI, Europol and a substantial coalition of private-sector partners announced on Monday, is the most operationally substantive botnet takedown I have written about since Operation Bot Roast in 2007. The target, GameOver Zeus, a peer-to-peer banking trojan that has been operational since 2011, and its associated CryptoLocker ransomware operation have been responsible for, on the FBI's estimate, more than $100 million in losses and between 500,000 and one million infected hosts globally. The operation combines court-ordered seizure and redirection of command-and-control infrastructure, sinkholing of victim traffic, the indictment of the alleged principal operator (Evgeniy Bogachev, a Russian national believed to be in Anapa), and a coordinated decryption-key release that has allowed many CryptoLocker victims to recover their files. Taken together it is the most ambitious cross-jurisdictional takedown the security-research community has been involved in.
The technical interest is in what the takedown reveals about the CryptoLocker operation specifically. CryptoLocker has been the most operationally successful early-generation ransomware: the model of "encrypt the user's files with a key held by the attacker, demand payment in bitcoin for decryption" was demonstrated at scale by CryptoLocker through 2013 and early 2014, and the family has spawned a substantial follow-on ecosystem (CryptoWall, CryptoDefense and the various other variants). The takedown documents indicate that the GameOver Zeus operators ran CryptoLocker as one of several monetisation streams alongside the standard banking-trojan business of credential theft and wire-fraud facilitation; in practice CryptoLocker was pushed to infected hosts through the GameOver Zeus botnet itself. CryptoLocker was, in this reading, a portfolio diversification rather than the primary business; the primary business was the bank-account-credential theft that Zeus has been doing since 2007. The CryptoLocker numbers are, as ransomware operations go, substantial (more than $27 million in ransom payments in the operation's first two months, on the FBI's figure) but smaller than the banking-trojan revenue, which is, by inference, what made the operation sustainable.
The peer-to-peer command-and-control architecture is the part that makes the takedown technically interesting. GameOver Zeus uses a peer-to-peer overlay rather than the centralised C2 servers of earlier Zeus builds and most earlier botnets (Storm, Waledac and Kelihos being the notable P2P exceptions, and Conficker having a P2P channel alongside its domain generation). Each bot holds a list of other infected hosts and refreshes it by asking its peers for theirs, so commands and updates propagate without a fixed server to seize; a domain-generation algorithm provides a fallback when a bot cannot reach any peer. The takedown therefore could not just seize a small number of C2 servers; it had to inject sinkhole nodes into the overlay, poison the peer lists across the bot population until bots knew only sinkholes, and take control of the DGA fallback domains at the same time, all coordinated across multiple time zones so that the operators could not push a repair before the network was split. The technical detail of how this was done is in the Symantec analysis and in the CrowdStrike account; both are worth reading for the operational specifics. The takedown was, in effect, a hostile fork of the GameOver Zeus P2P network, with the original operators losing control of their own infrastructure to coordinated law-enforcement and private-sector action.
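To make the peer-list-poisoning idea concrete, here is an added toy simulation. It is not code from the original post, the takedown partners or GameOver Zeus's actual protocol; it is a constructed gossip overlay in which every bot keeps a bounded, freshest-first peer list and refreshes it by asking one random peer for its list each round. A sinkhole answers every list request with nothing but sinkhole addresses. The network size, list size and seeding fraction are arbitrary assumptions, chosen only to show that once a few lists are poisoned, ordinary peer-list exchange carries the poisoning to the whole population and cuts every bot off from its real peers.

```python
"""Toy model of sinkholing a P2P botnet by peer-list poisoning (added example,
not GameOver Zeus's real protocol; all parameters are assumptions)."""
import random

PEER_LIST_SIZE = 20  # assumed cap on the entries a bot keeps
# Addresses controlled by the takedown. A sinkhole's reply fills a whole list.
SINKHOLES = [f"sinkhole{i}" for i in range(PEER_LIST_SIZE)]


def is_sinkhole(addr):
    return addr.startswith("sinkhole")


def build_network(n_bots, rng):
    """Every bot starts knowing PEER_LIST_SIZE random real peers (constructed)."""
    ids = [f"bot{i}" for i in range(n_bots)]
    return {b: rng.sample([x for x in ids if x != b], PEER_LIST_SIZE) for b in ids}


def inject_sinkhole(bots, fraction, rng):
    """Initial injection: one sinkhole address replaces one entry in a
    fraction of the peer lists (the 'inject sinkhole nodes' step)."""
    for b in rng.sample(sorted(bots), int(len(bots) * fraction)):
        bots[b][rng.randrange(PEER_LIST_SIZE)] = SINKHOLES[0]


def peer_list_reply(state, responder):
    """What a node returns when asked for its peer list. A real bot returns
    its list; a sinkhole returns only sinkholes, which is the poisoning."""
    if is_sinkhole(responder):
        return list(SINKHOLES)
    return list(state[responder])


def gossip_round(bots, rng):
    """Each bot queries one random peer and keeps the freshest entries:
    received addresses first, then its old ones, truncated to the cap."""
    snapshot = {b: list(p) for b, p in bots.items()}  # replies use start-of-round state
    for b in bots:
        target = rng.choice(snapshot[b])
        fresh = peer_list_reply(snapshot, target)
        merged = []
        for addr in fresh + snapshot[b]:
            if addr != b and addr not in merged:
                merged.append(addr)
        bots[b] = merged[:PEER_LIST_SIZE]


def isolated_fraction(bots):
    """A bot is cut off from the real network when it knows only sinkholes."""
    return sum(all(is_sinkhole(a) for a in p) for p in bots.values()) / len(bots)


def simulate(n_bots=200, seed_fraction=0.1, rounds=60, seed=1):
    """Return the isolated fraction after each round (index 0 = before gossip)."""
    rng = random.Random(seed)
    bots = build_network(n_bots, rng)
    inject_sinkhole(bots, seed_fraction, rng)
    history = [isolated_fraction(bots)]
    for _ in range(rounds):
        gossip_round(bots, rng)
        history.append(isolated_fraction(bots))
    return history


if __name__ == "__main__":
    for rnd, frac in enumerate(simulate()):
        print(f"round {rnd:2d}: {frac:.2%} of bots know only sinkholes")
```

Two properties of the model are worth noting. An isolated bot is absorbing: it can only ever query a sinkhole, so it stays isolated and the isolated fraction never decreases. And the spread is epidemic rather than linear, because a bot that copies the list of an already-isolated peer is isolated immediately; this is why a small initial injection suffices, and why the takedown also had to hold the DGA fallback domains, which this model deliberately omits.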
The ransomware angle is the part that I have been thinking about for engagement implications. CryptoLocker has been the most direct experience my engagement clients have had of consumer-grade malware — several of the secondment clients have had user incidents through the past eighteen months, and the conversation about backup-and-restore discipline at those clients has been substantively shaped by the CryptoLocker pattern. The free-decryption-key release that the takedown provides is operationally useful for clients who had unrecovered CryptoLocker incidents in the past two years, and I have been working through the decryption-key portal at FireEye/Fox-IT with two of the secondment clients this week. The wider point is that the ransomware category is going to expand regardless of what happens to GameOver Zeus specifically. The economic model — encrypt-the-user's-files-and-demand-bitcoin — has been demonstrated to be operationally viable, and the takedown of one operator does not eliminate the model.
For the Hedgehog SOC, the post-Tovar detection-content additions have been around the GOZ and CryptoLocker family signatures and around the broader patterns of ransomware-style behaviour: outbound connections to the known C2 infrastructure and DGA domains (now mostly sinkholed, so a hit no longer means live attacker control, but it does identify a host that is still infected and needs remediation), file-activity patterns that suggest active encryption (one process rewriting or renaming large numbers of user documents across many directories in a short window), and command patterns that match known ransomware variants. The detection content is going into the engagement-team material this week.
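As an added illustration of the file-activity signal, not the Hedgehog SOC's actual detection content, the following detector runs two behavioural rules over endpoint file events. It assumes a sensor that emits one line per operation in the constructed format `<epoch-seconds> <process> <pid> <op> <path>` (renames carry `old -> new` in the path field); the thresholds and the sample telemetry are invented for the example, and the rules flag a process that, inside a sliding window, modifies many document-type files spread across many directories, or renames many files onto a single new extension.

```python
"""Behavioural ransomware detection over file-activity events (added example;
event format, thresholds and sample data are constructed assumptions)."""
from collections import defaultdict, deque
import ntpath  # Windows path handling regardless of the host running the detector

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt", ".pst"}
WINDOW_SECONDS = 60
MIN_FILES = 20    # distinct documents modified in the window
MIN_DIRS = 3      # spread across at least this many directories
MIN_RENAMES = 20  # renames converging on one non-document extension


def parse_event(line):
    ts, proc, pid, op, path = line.split(" ", 4)
    return {"ts": int(ts), "proc": proc, "pid": int(pid), "op": op, "path": path}


def detect(lines):
    """Return (pid, process, reason) alerts, at most one per pid and reason."""
    windows = defaultdict(deque)  # pid -> events inside the sliding window
    alerts, fired = [], set()

    def fire(ev, reason):
        key = (ev["pid"], reason)
        if key not in fired:
            fired.add(key)
            alerts.append((ev["pid"], ev["proc"], reason))

    for line in lines:
        ev = parse_event(line)
        q = windows[ev["pid"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW_SECONDS:
            q.popleft()

        # Rule 1: in-place encryption looks like one process rewriting many
        # user documents in many folders within a short time.
        docs = {e["path"] for e in q if e["op"] == "write"
                and ntpath.splitext(e["path"])[1].lower() in DOC_EXTS}
        if len(docs) >= MIN_FILES and len({ntpath.dirname(p) for p in docs}) >= MIN_DIRS:
            fire(ev, "mass-document-modification")

        # Rule 2: variants that rename as they go converge on one new extension.
        targets = defaultdict(int)
        for e in q:
            if e["op"] == "rename" and " -> " in e["path"]:
                new_ext = ntpath.splitext(e["path"].split(" -> ", 1)[1])[1].lower()
                if new_ext and new_ext not in DOC_EXTS:
                    targets[new_ext] += 1
        for ext, n in targets.items():
            if n >= MIN_RENAMES:
                fire(ev, f"mass-rename-to-{ext}")
    return alerts


def _constructed_events():
    """Constructed sample telemetry, not real data: a benign editor, an
    in-place encryptor and a renaming encryptor."""
    lines = []
    for i in range(3):  # word processor saving three files over a minute
        lines.append(f"{1000 + i * 20} winword.exe 1000 write C:\\Users\\a\\Documents\\report{i}.docx")
    folders = ["Documents", "Pictures", "Desktop", "Downloads"]
    exts = [".docx", ".jpg", ".pdf", ".xlsx"]
    for i in range(24):  # 24 documents in 4 folders rewritten in 24 seconds
        lines.append(f"{2000 + i} payload.exe 4242 write C:\\Users\\a\\{folders[i % 4]}\\file{i}{exts[i % 4]}")
    for i in range(22):  # 22 renames onto .encrypted in 11 seconds
        old = f"C:\\Users\\a\\Documents\\sheet{i}.xlsx"
        lines.append(f"{3000 + i // 2} crypt.exe 5150 rename {old} -> {old}.encrypted")
    return lines


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for pid, proc, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} process={proc} reason={reason}")
```

The window is per process, so a slow editor saving a handful of files never crosses the threshold, while an encryptor that touches twenty documents in under a minute is caught at the twentieth write rather than after the whole profile is gone. Backup agents and indexers will legitimately exceed these counts, so in practice the rule needs an allow-list of signed processes, and the thresholds should be tuned against a site's own baseline before the content goes live.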
The wider international-cooperation point is the part I am most pleased about. The coalition (FBI, Europol, CrowdStrike, Dell SecureWorks, Symantec, Microsoft, F-Secure, McAfee, Trend Micro and several others, plus the courts in multiple jurisdictions) is the most extensive cross-organisation operation the security-research community has been part of. Whether the legal and technical infrastructure that made Tovar possible can be sustained for follow-on operations is the question I will be watching. The structural answer to the bot ecosystem has, for the past decade, been bounded by the ability of the cooperation infrastructure to keep up with the operator infrastructure; Tovar suggests that the cooperation infrastructure has matured. Whether it has matured enough to keep pace with whatever GameOver Zeus's successors look like remains to be seen.
Bogachev himself is, on the indictment, in Anapa and is not, given the absence of a US-Russia extradition treaty, likely to face US prosecution. The criminal indictment is therefore symbolic in some respects, but together with the civil injunction obtained in the Western District of Pennsylvania it provides the legal predicate for the seizure and redirection actions that made the operation possible. The structural lesson is that takedowns can be effective without a prosecutorial outcome against the principal operators, provided the cooperation infrastructure is in place.
The next post is probably either the continuing Snowden disclosures — there is, at one year on, still substantial material in the pipeline — or whatever surfaces from the long-form piece's continued reactions over June. I have been receiving reasonably substantive correspondence from peer CISOs through the past month that is shaping the follow-up writing.