The Zloader botnet has been taken down, due to a joint investigation and legal action taken by Microsoft, Health-ISAC, and others. (Photo credit: "Microsoft sign outside building 99" by Robert Scoble is marked with CC BY 2.0.)

The ZLoader botnet has been disrupted, after the U.S. Court for the Northern District of Georgia issued a court order that enabled Microsoft to take control of 65 domains the ZLoader threat actors were using to control, expand and communicate with its botnet.

The legal action was the result of a months-long investigation led by Microsoft’s Digital Crimes Unit in partnership with ESET, Black Lotus Labs, Palo Alto Networks, Health-ISAC and the Financial Services-ISAC.

ZLoader is operated by an organized crime gang that uses a malware-as-a-service model to steal and extort money. The botnet comprises malware-infected devices belonging to hospitals, schools, businesses and homes around the world.

The hackers used the infected devices for further nefarious activities, including the distribution of more malware, ransomware and banking trojans, which resulted in the theft of millions of dollars from victims. The malware also contains a domain generation algorithm (DGA), which “creates domains as a ‘fallback’ backup communication channel for the botnet.”

While the initial goal was financial, data and credential theft, “Zloader also included a component that disabled popular security and antivirus software, thereby preventing victims from detecting the ZLoader infection.” The group later offered the infrastructure as a malware-as-a-service platform to distribute ransomware, such as Ryuk.

Ryuk notoriously targeted the healthcare sector with ransomware in 2019 and 2020. The actors were behind an onslaught of attacks that sent a dozen providers into downtime procedures for weeks at a time. The Ryuk attack on Universal Health Services in 2020 impacted 400 of its care sites across the U.S. and cost more than $67 million in recovery costs and lost revenue.

As a result of the legal action, the domains are now directed to a Microsoft sinkhole and can no longer be leveraged by the ZLoader operators. The court order also allows Microsoft to take over an additional 319 registered DGA domains. The company is working with domain registry VeriSign to stop additional DGA registrations in the future.
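The two mechanisms the article mentions, DGA fallback domains and sinkholing, are things a defender can look for in their own DNS resolver logs. The following is an added example, not code from the article, Microsoft or any of the partner organizations, and it does not model ZLoader's actual DGA. It applies generic heuristics (high character entropy and low vowel ratio in the registrable label, plus a burst of NXDOMAIN responses from one client) to a constructed log, and separately flags answers that resolve to a sinkhole address. The log format, the `KNOWN_SINKHOLE_IPS` set and the threshold values are all assumptions for the example; `192.0.2.10` is a documentation address standing in for a real sinkhole.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical; not taken from the article).
# Assumed format per line: "<timestamp> <client-ip> <queried-name> <rcode> <answer-ip or ->"
SAMPLE_LOG = """\
2022-04-13T10:00:01Z 10.0.0.5 www.example.com NOERROR 93.184.216.34
2022-04-13T10:00:02Z 10.0.0.5 mail.example.com NOERROR 93.184.216.35
2022-04-13T10:00:03Z 10.0.0.7 qzvxkjdhrpwmtl.com NXDOMAIN -
2022-04-13T10:00:04Z 10.0.0.7 xjwplqbtmvrzkq.com NXDOMAIN -
2022-04-13T10:00:05Z 10.0.0.7 bkqrvtzmwyxpld.com NXDOMAIN -
2022-04-13T10:00:06Z 10.0.0.7 dnzhtwqxpvrklm.com NOERROR 192.0.2.10
2022-04-13T10:00:07Z 10.0.0.9 updates.example.org NOERROR 93.184.216.36
"""

# Placeholder: addresses your organisation knows to be takedown sinkholes.
# 192.0.2.10 is a documentation-range address used only for this example.
KNOWN_SINKHOLE_IPS = {"192.0.2.10"}

ENTROPY_THRESHOLD = 3.2   # bits per character of the registrable label (assumed tuning)
VOWEL_RATIO_MAX = 0.2     # generated labels tend to be consonant-heavy (assumed tuning)
NXDOMAIN_BURST = 3        # generated-name NXDOMAINs from one client before flagging it


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name: str) -> str:
    """Naive second-level label; a real deployment should use the public-suffix list."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name: str) -> bool:
    """Heuristic: long, high-entropy, vowel-poor registrable label."""
    label = registrable_label(name)
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD and vowel_ratio <= VOWEL_RATIO_MAX


def analyze(log_text: str) -> dict:
    """Walk the log once and collect three kinds of findings."""
    findings = {"generated_names": [], "sinkhole_hits": [], "bursty_clients": []}
    suspicious_nx_per_client = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, name, rcode, answer = fields
        if looks_generated(name):
            findings["generated_names"].append(name)
            if rcode == "NXDOMAIN":
                # DGA clients burn through unregistered names, producing NXDOMAIN bursts
                suspicious_nx_per_client[client] += 1
        if answer in KNOWN_SINKHOLE_IPS:
            # A sinkhole answer is the strongest signal: the host tried to reach seized C2
            findings["sinkhole_hits"].append((client, name, answer))
    findings["bursty_clients"] = sorted(
        c for c, n in suspicious_nx_per_client.items() if n >= NXDOMAIN_BURST
    )
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The entropy and vowel-ratio heuristics will produce false positives on legitimate randomized hostnames (CDN or cloud-generated labels), so in practice they are a triage signal to correlate with the NXDOMAIN burst and, above all, with sinkhole answers, which identify infected hosts to remediate rather than merely suspicious names.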

“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit in the announcement. “As always, we’re ready to take additional legal and technical action to address Zloader and other botnets.”

While it is expected that the threat actors will attempt to restore ZLoader’s operations, Microsoft and its partners are tracking and monitoring their activities. The groups are also working with ISPs to identify and remediate victims.

The investigation into ZLoader also identified one of the perpetrators behind a component used by the botnet to distribute ransomware, Denis Malikov from Simferopol on the Crimean Peninsula. Microsoft made it a point to name the attacker “to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

The collaborative effort bolsters the Health-ISAC's continued effort to break down silos between private and public sectors and should serve as a reminder of the importance of threat sharing and intelligence-led security.