Federal investigators across the United States, Europe and the UK have successfully executed a concerted takedown against malicious cybercrime platform "Avalanche," responsible for countless malware and phishing attacks.
The Public Prosecutor's Office Verden together with the Lüneburg Police in Germany, in close cooperation with the U.S. Attorney's Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and other global partners have successfully taken down Avalanche after more than four years of investigations.
Avalanche was a network used to launch global malware attacks and money mule recruiting campaigns. In Germany alone, the Avalanche platform has amounted to €6 million in damages, or about $6.4 million from cyberattacks on online banking systems.
The cloud-hosting network, for the past seven years, has been rented to fraudulent criminals to launch a surfeit of malware and phishing attacks. It has been estimated that Avalanche affected as many as 500,000 computers on a daily basis.
According to Europol, damages incurred by Avalanche's malware attacks could be in the hundredth million range, but malware families managed via the platform make it difficult to accurately tally the losses.
How They Took Avalanche Down
Prosecutors and investigators across 30 countries were crucial in finally dismantling Avalanche.
In its headquarters in The Hague in the Netherlands, Europol hosted a command post. There, country representatives collaborated with Europol's European Cybercrime Centre and Eurojust officials to achieve an operation of such scale.
Europol and German authorities worked together during the investigation's run. Each provided the other with relevant information such as identification of suspects, among others. Additionally, cybercrime experts in Europol's turf produced and delivered analytical products.
In 2012 after an encryption ransomware affected a number of computers, which in turn deterred user access, the investigation for Avalanche began.
Investigators learned that millions of personal and business computers had been compromised, with the malware giving criminals a free conduit to harvest bank and email passwords on affected systems. From this, hackers were able to administer bank transfers from the accounts of affected users.
The stolen money was then rerouted to the perpetrators by virtue of a "double fast flux" system, which ensured that the transactions came through.
"Cybercriminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users' bank details and other personal data," the UK's National Crime Agency said in a statement.
The German Federal Office for Information Security and Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie dug through more than 130 TB of data captured during the investigation. The rigorous data combing resulted in the identification of the botnet's server structure, which paved the way to the shutdown of thousands of servers and the subsequent collapse of Avalanche.
Arrest And Seizure
The action against Avalanche on Wednesday, Nov. 30 resulted in the arrest of five individuals, the search of 37 premises and the seizure of 39 servers. Additionally, more than 800,000 domains were seized to bar criminals access to their clients.
Now that the platform has been deprived of its elixir, the next logical step is to ensure for infected entities and individuals to check if their computers have malware launched via Avalanche.
"Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed," said Stephen Cobb, senior security researcher for ESET, a security company in Slovakia.
At the time of Avalanche's collapse, it had launched cybercrimes across 180 countries. One of Avalanche's main clients were crime gangs that cleaned out bank accounts of businesses both small and large.