Microsoft Takes Legal Action to Disrupt ZLoader Botnet

April 14, 2022 - Microsoft’s Digital Crimes Unit (DCU) took legal action to disrupt ZLoader, a criminal botnet with a global presence, Microsoft announced in a blog post.

DCU obtained a court order from the US District Court for the Northern District of Georgia, which permitted them to take control of 65 domains that the ZLoader cybercrime gang has been using to grow and control its botnet.

ZLoader has a domain generation algorithm (DGA) in its malware that allows it to generate new domains as a backup. The 65 domains will now be directed to a Microsoft sinkhole where they will be rendered unusable. The court order also gave Microsoft permission to take control of 319 other currently registered domains and work to block future domain registrations.

ZLoader initially began as a means of financial theft, allowing hackers to steal usernames and passwords to steal money undetected, Microsoft explained. The group later evolved to offer malware as a service and distributed damaging ransomware variants like Ryuk.

Ryuk claimed responsibility for 75 percent of cyberattacks against the US healthcare sector in October 2020, HHS found. Unlike other ransomware groups that claim to abide by an ethical code, Ryuk targeted healthcare organizations with no regard for patient safety.

“During our investigation, we identified one of the perpetrators behind the creation of a component used in the ZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula,” Microsoft’s blog post continued.

“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes. Today’s legal action is the result of months of investigation that pre-date the current conflict in the region.”

DCU worked with ESET, Palo Alto Networks Unit 42, Black Lotus Labs, the Financial Services Information Sharing and Analysis Centers (FS-ISAC), and the Health Information Sharing and Analysis Center (H-ISAC) to combat ZLoader.

“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive Zloader’s operations,” Microsoft concluded.

“We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers (ISPs) to identify and remediate victims. As always, we’re ready to take additional legal and technical action to address ZLoader and other botnets.”