Skip to main content
close search
site logo
Dive Brief

Microsoft intercepts Zloader botnet, a distributor for Ryuk ransomware

Ryuk was behind major attacks on healthcare, while the botnet focused on credentials and financial theft.

Published April 14, 2022
David Jones's headshot
Reporter
Money moving through cyberspace.
Viorika via Getty Images
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • Microsoft intercepted a criminal botnet called Zloader, which operates a global malware-as-a-service operation that hijacks computers for theft and extortion, including the distribution of Ryuk ransomware, which often targets healthcare organizations, said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, in a blog post
  • Microsoft got a court order through the U.S. District Court for the Northern District of Georgia to take control of 65 domains used to control the botnet and redirect them into a sinkhole.
  • Microsoft said it partnered with several major cybersecurity providers to take down the botnet, including ESET, Palo Alto Networks Unit 42 and Lumen’s Black Lotus Labs.

Dive Insight:

Microsoft said Zloader was originally used for financial theft operations, stealing online IDs, passwords and other information that could be used to take funds from victim accounts. Zloader was also used to disable anti-virus software, making it more difficult for victims to detect the botnet. 

The operation itself targeted three specific botnets, each one used for a different version of Zloader malware, according to researchers at ESET.

Each botnet was “operated by independent affiliates who managed and monetized their botnet independently, for example by stealing financial information or deploying ransomware,” Alexis Dorais-Joncas, security intelligence team lead at ESET told Cybersecurity Dive via email.

Microsoft named Denis Malikov, based in Simferopol on the Crimean Peninsula, as one of the people connected with the operation, as part of its legal filing. Microsoft said it has been investigating the operation for months, well before Russia's invasion in Ukraine. 

The company said Zloader has a domain generation algorithm embedded in the malware, which allows for the generation of additional domains as backup communication channels. The court order allowed Microsoft to take control of another 319 registered domains, and the company will also block future domain registration attempts. 

The operation represents the second disruption of a criminal operation by Microsoft this month. Microsoft last week said it blocked threat activity by Strontium, a state-backed operation from Russia that was launching attacks against U.S. and European government agencies and foreign policy think tanks, to steal information related to the Ukraine invasion. 

Microsoft said the Financial Services Information Sharing and Analysis Centers (FS-ISAC) and Health Information Sharing and Analysis Center (H-ISAC) also shared data used in the case. Avast also provided support

Filed Under: Threats

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Threats
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell