
Microsoft Disrupts ZLoader Botnet in Global Operation

Tech Firm Seizes 65 Domains Used by ZLoader Operators
ZLoader installed Ryuk ransomware in over 200 attacks on healthcare facilities. (Source: ISMG)

Microsoft says it has seized control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. ZLoader, a descendant of the ubiquitous Zeus banking malware, is run by a global, internet-based organized crime gang that operates it as malware as a service designed to steal and extort money, Microsoft says.


Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit, says in a blog post: "We obtained a court order from the United States District Court for the Northern District of Georgia allowing us to take control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet's criminal operators."

According to Microsoft, ZLoader also contains a domain generation algorithm, or DGA, embedded in the malware. A DGA deterministically produces a fresh list of candidate domains on a schedule, so even if the hard-coded command-and-control domains are seized, the operators can register one of the generated names and infected machines will still find it, giving the botnet a backup communication channel.

"In addition to the hard-coded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains," Hogan-Burney says.
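To make the sinkholing point concrete, the following is an added illustration written for this article. It is a generic, constructed DGA, not ZLoader's actual algorithm (which the page does not describe), and the seed, TLD list, domain count and DNS log lines are all invented for the example. It shows both halves of the problem the court order addresses: the malware side, which derives a list of rendezvous domains from a seed and the current date, and the defender side, which, once it has recovered the algorithm, enumerates the same names ahead of time to pre-register, sinkhole or block them and to spot infected hosts in DNS logs.

```python
"""Illustrative DGA and the defender's view of it.

Constructed example for this article: NOT ZLoader's real algorithm.
SEED, TLDS, the domain count and the sample DNS log are invented.
"""
import hashlib
from datetime import date, timedelta

# Constructed parameters; a real family would hide these in the binary.
SEED = b"example-botnet-seed"
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 8


def generate_domains(day: date, seed: bytes = SEED,
                     count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the deterministic list of candidate C2 domains for `day`.

    Infected hosts and the operators both run this; the operator only needs
    to register one of the names before the bots try it.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Twelve lowercase letters from the digest, then a TLD picked by the next byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def upcoming_domains(start: date, days: int, **kw) -> dict[str, date]:
    """Map every domain the DGA will produce over the next `days` days to the
    date it becomes active. This is the list a defender hands to registrars
    for pre-registration/blocking, or loads into a sinkhole."""
    out: dict[str, date] = {}
    for offset in range(days):
        d = start + timedelta(days=offset)
        for dom in generate_domains(d, **kw):
            out.setdefault(dom, d)
    return out


def flag_dga_lookups(dns_log: list[str],
                     blocklist: dict[str, date]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose queried name is in the enumerated
    DGA set. Assumed (constructed) log format: '<timestamp> <client> <qname>'.
    A hit identifies a likely infected host even if the domain was never
    registered by the operators."""
    hits = []
    for line in dns_log:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = date(2022, 4, 13)
    block = upcoming_domains(today, 30)
    print(f"{len(block)} domains to pre-register/sinkhole for the next 30 days")
    todays = generate_domains(today)
    # Constructed DNS log: one host resolving a DGA name, one benign lookup.
    sample_log = [
        f"2022-04-13T10:00:00Z 10.0.0.5 {todays[3]}.",
        "2022-04-13T10:00:01Z 10.0.0.6 www.example.com.",
    ]
    for client, qname in flag_dga_lookups(sample_log, block):
        print(f"possible infection: {client} queried DGA domain {qname}")
```

Seizing the 65 hard-coded domains alone would leave the operators the generated names as a fallback; enumerating the DGA output is what lets a sinkhole operator take the 319 registered names and work with registrars to block the rest before they are registered.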

In a similar action last week, Microsoft seized control of seven domains belonging to the Russian GRU-linked, state-sponsored threat group Strontium. The group, also known as APT28 and Fancy Bear, used the domains to target Ukrainian institutions, including media organizations, and also had U.S. and European Union government entities and decision-makers on its radar (see: Microsoft Seizes Russian Domains Targeting Ukraine).

Operation Details

During the latest investigation, Microsoft’s researchers identified Denis Malikov, who lives in the city of Simferopol on Ukraine's Russian-occupied Crimean Peninsula, as one of the perpetrators behind the creation of a component used in the ZLoader botnet to distribute ransomware.

"We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes. Today's legal action is the result of months of investigation that pre-date the current conflict in the region," Microsoft says.

The investigation was led by the DCU in partnership with ESET, Black Lotus Labs - the threat intelligence arm of Lumen - and Palo Alto Networks' Unit 42. Additional data and insights to strengthen the legal case were provided by the Financial Services Information Sharing and Analysis Center and the Health Information Sharing and Analysis Center, or H-ISAC, as well as the Microsoft Threat Intelligence Center and the Microsoft Defender team. Cybersecurity firm Avast also supported the DCU's work in Europe, Microsoft says.

"The primary goal of ZLoader was financial theft, stealing account login IDs, passwords and other information to take money from people's accounts," Hogan-Burney says. "ZLoader also included a component that disabled popular security and antivirus software, thereby preventing victims from detecting the ZLoader infection."

Microsoft adds that the ZLoader gang later began offering the botnet as malware as a service to distribute ransomware, including Ryuk, which is well known for targeting healthcare institutions to extort payment without regard for the patients it puts at risk.

Impact on Healthcare

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, which worked with Microsoft and others in the ZLoader investigation, tells ISMG that the takedown is a significant development for the healthcare sector.

"ZLoader is responsible for installing ransomware, such as Ryuk, on a victim's computer. Ryuk has been linked to more than 200 ransomware attacks impacting hospitals, public health departments, nursing homes and patient care facilities around the world since 2018," he says.

The attacks resulted in the temporary or permanent loss of IT systems that support many of the healthcare provider delivery functions in hospitals, resulting in operational impacts including canceled surgeries and delayed medical care, he says.

Based on information H-ISAC obtained through interviews with hospital staff, public statements, and media reports, Weiss says hospitals reported revenue losses of nearly $100 million due to Ryuk infections. "The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks - costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems," he says.

Ryuk victims, including hospitals, nursing homes and public health systems, were forced to abandon IT systems commonly used to manage health provider services, he says. As a result of these attacks, hospital staff often have to rely on manual systems, creating challenges for younger staff who had never used paper-based systems in their careers, ultimately causing delays in the delivery of patient care services, Weiss says.

Reported effects of these incidents include delays in emergency patient care, cancer treatments, cancellation of elective procedures, delays in lab reporting, delays in scheduling patient appointments, inability to access electronic health record management systems and exposure of sensitive patient information affecting hundreds of thousands of people, he says.

Tracking ZLoader Activities

Microsoft says its operation aims to disable ZLoader's infrastructure and make it more difficult for this organized criminal gang to continue its activities. But the researchers expect the threat actors to make efforts to revive ZLoader's operations.

"We referred this case to law enforcement, who are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers to identify and remediate victims," Microsoft says.

Microsoft also says that it is ready to take additional legal and technical action to address ZLoader and other botnets.

"The bottom line is we need to see all organizations properly invested in cybersecurity," Weiss says. "We encourage organizations to stay up to date on patching, use multifactor authentication, educate staff about phishing and staying secure online, and back up systems regularly."

Health-ISAC will continue to work closely with Microsoft on the ZLoader disruption project and will monitor how effective the efforts were against the botnet, Weiss adds. "We'll continue to partner with Microsoft's Digital Crimes Unit in future disruption operations to help protect the global health sector."

ISMG Executive Editor Marianne Kolbasuk McGee contributed to this story.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.