Law enforcement agencies and Internet companies from across the globe have worked together to take down one of the largest cyber-crime networks ever discovered in the past decade.

Their efforts resulted in the arrest of five suspects, searches at 37 locations, the seizure of 37 servers, and the takedown of 221 other servers.

According to statements from Europol and the US Department of Justice, the suspects had been using this infrastructure for a global cyber-crime network that was responsible for spreading and hosting over 20 different malware families, ranging from ransomware to banking trojans.

Avalanche infrastructure rented by multiple malware operators

This network, which authorities have nicknamed "Avalanche," was renting access to its infrastructure to malware authors, who used its resources to send spam, host and spread their malware, host command-and-control (C&C) servers, and also to coordinate the hiring of money mules to launder stolen funds.

Investigators in over 30 countries contributed to the takedown of the Avalanche network. Law enforcement and investigative agencies included Europol, Eurojust, Interpol, the FBI, the US DoJ, the UK NCA, and many national crime fighting agencies.

Internet organizations and technology companies such as ICANN, Symantec, the Shadowserver Foundation, Registrar of Last Resort, and others, also contributed.

Law enforcement sinkholed over 800,000 domains

Authorities said they seized, sinkholed, or blocked over 800,000 domains spread across 60 registrars that were used by various malware botnets. The large number of domains is explained by the fact that most of the botnets used a technique known as double fast flux DNS, which cycles through a large number of domains per day to hide the location of the botnet's C&C server.

These botnets are often referred to as P2P botnets, because they have a peer-to-peer like operation, not necessarily because they use P2P protocols.
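The fast-flux technique described above leaves a recognisable footprint in a resolver's logs: a domain that keeps a short TTL while answering with an ever-changing pool of IP addresses spread over many networks, and, in the "double" variant, rotating nameservers as well. The following added example (written for this article, not code from the Avalanche investigation or any of the organisations named here) scores domains in a constructed resolver log on exactly those traits; the log format, hostnames, addresses and thresholds are all assumptions made for the illustration.

```python
"""Fast-flux scoring over a constructed DNS resolver log (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed sample log, one record per line:
# "<epoch> <qname> <rtype> <rdata> <ttl>". Hostnames and addresses are
# placeholders from documentation ranges, not real indicators.
SAMPLE_LOG = """\
1480500000 cdn.example.com A 203.0.113.10 300
1480500300 cdn.example.com A 203.0.113.10 300
1480500600 cdn.example.com A 203.0.113.10 300
1480500000 one.example.org A 192.0.2.1 120
1480500120 one.example.org A 192.0.2.2 120
1480500240 one.example.org A 198.51.100.3 120
1480500360 one.example.org A 203.0.113.4 120
1480500480 one.example.org A 198.51.100.250 120
1480500000 flux.example.net A 198.51.100.7 60
1480500060 flux.example.net A 192.0.2.45 60
1480500120 flux.example.net A 203.0.113.99 60
1480500180 flux.example.net A 198.51.100.201 60
1480500240 flux.example.net A 192.0.2.130 60
1480500300 flux.example.net A 203.0.113.8 60
1480500000 flux.example.net NS ns1.flux.example.net 60
1480500060 flux.example.net NS ns2.flux.example.net 60
1480500120 flux.example.net NS ns3.flux.example.net 60
"""


@dataclass
class DomainProfile:
    """What we have observed for one query name."""
    ips: set = field(default_factory=set)          # distinct A-record addresses
    nets: set = field(default_factory=set)         # distinct /24 prefixes of those addresses
    nameservers: set = field(default_factory=set)  # distinct NS-record targets
    min_ttl: int = 2**31                           # shortest TTL seen


def parse_log(text):
    """Turn raw log lines into (qname, rtype, rdata, ttl) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, qname, rtype, rdata, ttl = parts
        records.append((qname.lower(), rtype.upper(), rdata, int(ttl)))
    return records


def profile_domains(records):
    """Aggregate the records into one DomainProfile per query name."""
    profiles = defaultdict(DomainProfile)
    for qname, rtype, rdata, ttl in records:
        p = profiles[qname]
        p.min_ttl = min(p.min_ttl, ttl)
        if rtype == "A":
            p.ips.add(rdata)
            p.nets.add(str(ip_network(f"{rdata}/24", strict=False)))
        elif rtype == "NS":
            p.nameservers.add(rdata.lower())
    return dict(profiles)


def classify(p, max_ttl=300, min_ips=5, min_nets=3, min_ns=3):
    """Heuristic (thresholds are assumptions): short TTLs plus a large IP pool
    spread over several networks suggests single flux; rotating nameservers on
    top of that suggests double flux. Anything else is treated as stable."""
    if p.min_ttl > max_ttl or len(p.ips) < min_ips or len(p.nets) < min_nets:
        return "stable"
    if len(p.nameservers) >= min_ns:
        return "double-flux"
    return "single-flux"


def scan(text):
    """Map each domain in the log to its verdict."""
    return {name: classify(p) for name, p in profile_domains(parse_log(text)).items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_LOG).items():
        print(f"{name:20} {verdict}")
```

The /24 grouping matters because a legitimate CDN may also rotate many addresses, but they usually sit in a few well-known networks, whereas a fast-flux pool built from infected home machines is scattered across unrelated ranges; in production the thresholds would be tuned against the site's own traffic and the verdict treated as a lead for the sinkholing or blocking step the article describes, not as proof on its own.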

According to US CERT, the Avalanche network was used to host the following malware families:

  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
  • URLzone (aka Bebloh)
  • Citadel
  • VM-ZeuS (aka KINS)
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • newGOZ (aka GameOverZeuS)
  • Tinba (aka TinyBanker)
  • Nymaim/GozNym
  • Vawtrak (aka Neverquest)
  • Marcher
  • Pandabanker
  • Ranbyus
  • Smart App
  • TeslaCrypt
  • Trusteer App
  • Xswkit

Avalanche also rented access to its fast flux botnet communications infrastructure to the following malware families:

  • TeslaCrypt
  • Nymaim
  • Corebot
  • GetTiny
  • Matsnu
  • Rovnix
  • Urlzone
  • QakBot (aka Qbot, PinkSlip Bot)

Investigation began in 2012 because of ransomware that mimicked police fines

According to Symantec, the investigation into the Avalanche network started in early 2012 after malware authors had crafted and spread a ransomware that used fake police warnings to lock users' files and demand ransom payments.

The ransomware's name was Ransomlock.P, and it had appeared a few months earlier, in late 2011. German police officially started the investigation into Avalanche because the ransomware used its name in a crime, although they didn't know at the time what they would end up discovering.

Avalanche leaders arrested

Fernando Ruiz, the head of operations at Europol's Cybercrime Center, told The Associated Press that they've arrested the Avalanche network's leaders. German prosecutors also said that some low-level members might have gotten away.

German authorities said the crooks managed to steal over €6 million ($6.4 million) from German banks alone. Europol estimated that crooks who used the Avalanche network might have stolen hundreds of millions of euros worldwide.

Besides banking fraud and spam, authorities said the Avalanche network was also used to host malware that launched DDoS attacks. Europol also estimates that the Avalanche botnets sent a total of one million spam messages per week.

Over 500,000 users still infected with malware

Investigators believe crooks set up the Avalanche network in 2009, and that over 500,000 users still have computers infected with various types of malware distributed through this crime-as-a-service network. The takedown took place yesterday, November 30, 2016, but was announced one day later, on December 1.

These users should know that while the malware's backend infrastructure was taken offline, the malware is still present on their PCs, and they need to remove it. Botnets have risen from the dead before, and leaving the currently-neutered malware on a PC exposes users to the risk that a new cyber-crime group might find a way to hijack infected devices into a new botnet.

Below is a Europol infographic detailing how Avalanche operated.

Avalanche infographic
