The U.S. Justice Department today announced a multinational operation involving arrests and searches in four countries to dismantle a complex and sophisticated network of computer servers known as "Avalanche."
The Avalanche network allegedly hosted more than two dozen of the world's most pernicious types of malicious software and several money laundering campaigns.
The network offered cybercriminals a secure infrastructure, designed to thwart detection by law enforcement and cyber security experts, over which the criminals conducted malware campaigns as well as money laundering schemes known as "money mule" schemes. Online banking passwords and other sensitive information stolen from victims' malware-infected computers was redirected through the intricate network of Avalanche servers and ultimately to backend servers controlled by the cybercriminals. Access to the Avalanche network was offered to the cybercriminals through postings on exclusive, underground online criminal forums.
The operation also involved an unprecedented effort to seize, block and sinkhole - meaning, redirect traffic from infected victim computers to servers controlled by law enforcement instead of the servers controlled by cybercriminals - more than 800,000 malicious domains associated with the Avalanche network. Such domains are needed to funnel information, such as sensitive banking credentials, from the victims' malware-infected computers, through the layers of Avalanche servers and ultimately back to the cybercriminals. This was accomplished, in part, through a temporary restraining order obtained by the United States in the Western District of Pennsylvania.
The types of malware and money mule schemes operating over the Avalanche network varied. Ransomware such as Nymain, for example, encrypted victims' computer files until the victim paid a ransom (typically in a form of electronic currency) to the cybercriminal. Other malware, such as GozNym, was designed to steal victims' sensitive banking credentials and use those credentials to initiate fraudulent wire transfers. The money mule schemes operating over Avalanche involved highly organized networks of "mules" who purchased goods with stolen funds, enabling cybercriminals to launder the money they acquired through the malware attacks or other illegal means.
The Avalanche network, which has been operating since at least 2010, was estimated to serve clients operating as many as 500,000 infected computers worldwide on a daily basis. The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.
A Pennsylvania prosecutor's office and two businesses were among hundreds of thousands of victims of the Avaialce network.
Allegheny County District Attorney Stephen Zappala Jr. said his office was the unnamed "state governmental entity in Allegheny County" that was among the victims of the Avalanche network.
The feds say the office paid nearly $1,400 in a bitcoin ransom to free up its infected computer network in January 2015.
The Justice Department added that the network infected at least 500,000 computers worldwide, including those of unnamed businesses in Carnegie and New Castle, which had their banking information hacked but didn't lose any money.
Individuals who believe that they may have been victims of malware operating over the Avalanche network may use the following webpage created by US-CERT for assistance in removing the malware: www.us-cert.gov/avalanche.