Pulling back the curtain on the ZLoader takedown, and the power of security, nonprofit threat sharing

Treatment preparation takes place in the intensive care unit at a hospital on May 1, 2020 in Leonardtown, Maryland. (Photo by Win McNamee/Getty Images)

What happens when security and tech giants partner with industry nonprofits? Successful disruptions of criminal operations, like the ZLoader botnet, in the hope of deterring further nefarious activity. But greater support and threat sharing will prove pivotal in making a bigger global impact.

Last week Microsoft, ESET, Black Lotus Labs, Palo Alto Networks, Health-ISAC and the Financial Services-ISAC took control of the notorious ZLoader botnet, after an injunction issued by the U.S. Court for the Northern District of Georgia.

The judge signed off on the order on April 6, “all filed under seal because the element of surprise is what’s needed to successfully take down the botnet,” Health-ISAC’s Chief Security Officer Errol Weiss told SC Media in an exclusive interview about the events.

The botnet’s servers are now directed to a Microsoft domain, which means the hackers “can no longer issue botnet commands to any of the computers currently victimized by ZLoader,” Weiss added. And as an added effort, Microsoft has put out ads all over, asking those who “have a legitimate claim to these domains to come forward.”

For the healthcare sector, the effort was crucial given the wave of destruction left by the Ryuk malware associated with the ZLoader botnet. 

Malware disruption

In total, Ryuk impacted more than 200 hospitals and patient care facilities, causing more than $100 million in revenue loss and $500 million in ransomware payments, digital forensic services, security improvements, and upgrades needed after these healthcare entities fell victim.

Those stats don’t include the impact to patient care, care diversions, canceled services, weeks of electronic health record downtime, and hundreds of thousands of pages of patient data records, disclosed as a result of the Ryuk attacks. Weiss provided those key stats to Microsoft and the court, which were crucial in securing the ZLoader takedown.

The hope is that this will “permanently end the ability for ZLoader to deliver malware” as part of its threat package, Weiss explained. It’s too soon to tell, but the invested parties are assessing the forensics of the ongoing botnet activity.

“The good news is that at least these bot-infected computers will not be able to take any more instructions from the botnet,” said Weiss. “I’ve been involved with prior Microsoft actions where they were able to do something to start to clean those computers… But I don’t know the future fate of those infected computers and whether they’ll ever get cleaned.”
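A sinkhole of the kind described above stops the operators from issuing commands, but the infected machines keep trying to reach the seized domains, and those attempts show up in a defender's own DNS logs. The following script is an added example, not code from the article or from any of the organizations involved: it scans constructed resolver log lines for queries to a placeholder list of seized domains and reports which internal hosts are still beaconing, so they can be prioritized for cleanup. The domain names, addresses and log format are all constructed for illustration and are not ZLoader indicators.

```python
"""
Added example (not from the article): find internal hosts that still query
seized/sinkholed C2 domains, using constructed DNS resolver log lines.
Domain names and addresses below are placeholders, not ZLoader indicators.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Placeholder list standing in for the domains transferred to the sinkhole
# operator; a real list would come from the takedown notice or a threat feed.
SEIZED_DOMAINS = {"c2-example-one.invalid", "c2-example-two.invalid"}

# Constructed log lines in a BIND-style query log format (one malformed line
# is included to show that unparseable input is skipped, not fatal).
SAMPLE_LOG = """\
12-Apr-2022 09:14:02.113 client 10.20.30.40#51234: query: c2-example-one.invalid IN A +
12-Apr-2022 09:14:05.220 client 10.20.30.41#40001: query: www.example.com IN A +
12-Apr-2022 09:29:02.118 client 10.20.30.40#51240: query: C2-Example-One.invalid. IN A +
12-Apr-2022 09:30:11.002 client 10.20.30.55#60002: query: update.c2-example-two.invalid IN A +
12-Apr-2022 09:31:00.000 client 10.20.30.41#40005: query: mail.example.org IN MX +
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class HostHits:
    """Per-source-host summary of queries for seized domains."""
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    domains: set = field(default_factory=set)


def normalize(qname):
    # Strip the trailing root dot and fold case so variants match the list.
    return qname.rstrip(".").lower()


def is_seized(qname, seized=SEIZED_DOMAINS):
    # Match the seized apex exactly or any label beneath it.
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in seized)


def find_beaconing_hosts(log_text, seized=SEIZED_DOMAINS):
    """Return {source_ip: HostHits} for hosts that queried a seized domain."""
    hits = defaultdict(HostHits)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_seized(m["qname"], seized):
            continue
        h = hits[m["src"]]
        h.count += 1
        h.first_seen = h.first_seen or m["ts"]
        h.last_seen = m["ts"]
        h.domains.add(normalize(m["qname"]))
    return dict(hits)


if __name__ == "__main__":
    for src, h in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {h.count} queries, {h.first_seen} .. {h.last_seen}, "
              f"{sorted(h.domains)}")
```

Hosts that appear in the output are still running the implant even though the command channel is dead, which is exactly the population Weiss says may never get cleaned without local action; a repeating interval between first_seen and last_seen is a further hint of automated beaconing rather than a one-off lookup.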

Typically, the operations wind down, which means “ZLoader will probably be ineffective any day now,” said Weiss. “But the reality of the situation is that the bad guys are basically going to pick up the pieces and create something new. And they'll be off and running.” 

“But the whole idea here is to increase costs for them,” he added. In this specific case, Microsoft actually listed a specific defendant as part of the court filing, where normally only “John Doe” would be named. In this way, pressure will be applied to the defendant to turn themselves in to law enforcement, and/or provide information on the criminal operation.

At the end of the day, these types of efforts are meant as a deterrent. As it stands, criminal gangs operate with impunity, “because there's no chance of getting caught,” said Weiss. “Maybe now we can show that you can't get away with it.”

Building on 10 years of lessons in finance

The collaboration actually began 10 years ago when Weiss, who was still tackling security in the financial sector, met up with like-minded peers through the FS-ISAC. The goal then was to get the banks together on a regular basis to discuss the burning issues of the day, in terms of threats, risks, and related security concerns.

At the time, the news of the day was that VeriSign had been asked to stop a botnet from sending out spam emails. It got the attention of these leaders, including Weiss, who, through their working relationships, were able to meet with VeriSign and Microsoft leaders to discuss their strategy.

The company’s leaders spoke to the financial leaders about this program, requesting a possible partnership with the banks to join in the effort as co-plaintiffs. At the time, “banks were getting hammered on account takeover,” primarily through malware, such as Zeus, he explained.

As a result of those initial discussions, Weiss worked through the FS-ISAC to bring on a couple of other banks to join the effort. The partnership enabled sharing of threat data among the victims, including the dollar losses financial entities were seeing at the time, and produced an aggregated report on what the financial sector was facing that could be presented as a “co-plaintiff.”

“They created a legal and technical strategy, combined, to use civil lawsuits filed against criminal gangs, botnet operators,” said Weiss. “They’d use the civil lawsuits, racketeering laws, and copyright law to show that those botnets were causing immediate harm to their customers.”

Essentially, Microsoft requested that the court grant it ownership of the infrastructure being used by the botnet. This process has been used by the company dozens of times, he explained. “From a legal standpoint, they're usually granted a temporary restraining order.”

In one instance, Microsoft filed a lawsuit in the U.S. Eastern District of Virginia in July 2020 to end a massive COVID-19-themed phishing campaign targeting business leaders in 62 countries. The court agreed to issue a civil court order and a temporary restraining order, enabling the tech giant to take over control of the key internet domains used in the criminal infrastructure.

“In cases where criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary,” Microsoft researchers wrote, at the time.

This same process was used in the ZLoader takedown, with additional support from the Health-ISAC, where Weiss now leads.

“You can imagine all of the politics and socialization that had to happen in the background to make this happen,” said Weiss. “But it comes down to awareness and people being connected.” The hope is to continue to collaborate in similar efforts across the sector and with other security leaders, but those leaders must be willing to make those connections.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
