Threat Management, Incident Response, Malware, Ransomware, TDR

After takedown, are Avalanche and its malware families buried?


Global authorities' takedown of Avalanche, a cybercriminal network whose malware and money laundering campaigns are estimated to have cost victims in over 180 countries hundreds of millions of dollars, was an achievement four years in the making – and yet the saga is far from over.

International law enforcement agencies and cybersecurity experts will now monitor the criminal underground to determine just how much this takedown effectively crushed Avalanche and to what extent it curtailed the spread of the 20 malware families allegedly propagated by the group's giant bot network.

At first glance, it certainly appears that the operation significantly crippled the Avalanche network's capabilities. Wednesday's surprise operation seized, sinkholed or blocked 800,000 malicious domains and took offline as many as 221 offending servers. Moreover, at least one of the five individuals taken into custody during the sting is reportedly a kingpin.

"We have arrested the top, the head of the snake," said Fernando Ruiz, the head of operations at Europol's Cybercrime Center, in an interview with the Associated Press. "We are sure that this will have a very huge impact." Just how huge, however, remains to be seen.

Aaron Shelmire, principal threat researcher at cyber threat intelligence firm Anomali, said that domain takedown operations can sometimes – in counterintuitive fashion – trigger an uptick in malicious activity from a criminal outfit if the bad actors themselves aren't neutralized. But in this case, he expects to see an overall measureable drop in spam and malware attacks within the next day or two. “[By] going after and arresting those people, you'll see a real decrease in activity,” said Shelmire in an interview with SC Media. “It makes the impact real: rather than just computers getting taken down, people are going to jail.”

Jon DiMaggio, senior threat intelligence analyst with Symantec, took a wait-and-see approach in comments emailed to SC Media, noting that it was too early to judge the takedown's impact on the various malware families.

Regardless of the outcome, “The infrastructure itself and management behind it is the more significant element of the investigation as opposed to the malware that was traversing it,” added DiMaggio, noting that Avalanche operators who survived the operation unscathed will face mounting costs and distribution challenges because they “now need to begin planning new infection vectors and obtain new infrastructure to support their operations.”

Symantec was among the cybersecurity companies that actively participated in the investigation, which involved the Luneburg Police and Verden Public Prosecutor's Office in Germany, Europol, Eurojust, the FBI, the Department of Justice and the U.S. Attorney's Office. It was Symantec that in 2012 noticed that a ransomware it was analyzing – Ransomlock – shared the same geographic distribution patterns and command-and-control infrastructure as Bebloh (or URLZone), a banking malware that German authorities were closely studying.

This connection between the two malware grew into an investigation that ultimately uncovered Avalanche. According to Internet security software company Bitdefenderwhich helped in the post-takedown malware disinfection process, the massive cybercriminal operation distributed such well-known malware families as Cerber, DridexGozNym, Marcher and TeslaCrypt.

Chris Pogue, CISO at Nuix, told SC Media in an interview that the takedown should result in “some kind of drop” in total global malware activity. However, amongst “a handful of arrests, thousands and thousands of cybercriminals go un-arrested every year." And so ultimately, "I don't think we're going to see a very noticeable difference.”

As for what's left of Avalanche, “I think you'll see some form of... regrouping and getting ready for the next stage of their activities,” he added.

In comments emailed to SC Media, Nathan Wenzler, principal security architect at security consulting firm AsTech Consulting, sounded more pessimistic about Avalanche being down and out for long.

“Dismantling the Avalanche network will certainly show some short-term gains by reducing the overall number of phishing emails, malware and ransomware attacks across the globe, but I believe these cybercriminals will be back up and running in short order, if they're not already,” Wenzler wrote. “It's critical that we continue to make these kinds of efforts to shut down malicious networks like Avalanche. however, it's imperative that law enforcement can do so in a [timelier] manner...” he added.

But if efforts to take down operations such as Avalanche only provide temporarily relief until the next operation takes its place, then why wage a losing battle? 

"It's easy to say that bad guys are going to be replaced by new bad guys, and malware is just going to be replaced by malware, but that's been the same since Cain hit Abel in the head with a rock," said Pogue, who recommends stronger punitive penalties across the globe to deter would-be cybercriminals. 

The seemingly endless cycle of cybercrime won't stop law enforcement officers and cyber defense experts from performing their duties, he insisted. "Criminals are going to be around as long as there's something to go steal... If that's futile or appears to be futile, that's okay, because that's how folks like us are wired."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.