Operation Tovar

Operation Tovar was an international collaborative operation carried out by law enforcement agencies from multiple countries against the Gameover ZeuS botnet, which was believed by the investigators to have been used in bank fraud and the distribution of the CryptoLocker ransomware.^[1]

Operation Tovar
Operation name	Operation Tovar
Roster
Executed by	U.S. Department of Justice, U.S. Federal Bureau of Investigation, U.K. National Crime Agency
Countries participating	United States, United Kingdom, South African Police Service, Australia, Netherlands, Germany, Luxembourg, Ukraine, Canada, New Zealand, Japan, Italy, and France
No. of countries participating	13
Mission
Target	Gameover ZeuS botnet
Method	undisclosed
Timeline
Date begin	Before June 2014
Results
Arrests	2+

In early June 2014, the U.S. Department of Justice announced that Operation Tovar had temporarily succeeded in cutting communication between Gameover ZeuS and its command-and-control servers.^[1][2][3]

The criminals attempted to send a copy of their database to a safe location, but it was intercepted by agencies already in control of part of the network.

Results

Russian Evgeniy Bogachev, aka "lucky12345" and "Slavik", was charged by the US FBI for being the ringleader of the gang behind Gameover Zeus and Cryptolocker. The database indicates the scale of the attack, and it makes decryption of CryptoLocked files possible.

Restitution and victims

In August 2014 security firms involved in the shutdown, Fox-IT and FireEye, created a portal, called Decrypt Cryptolocker, which allows any of the 500,000 victims to find the key to unlock their files. Victims need to submit an encrypted file without sensitive information, which allows the unlockers to deduce which encryption key was used. It is possible that not all CryptoLocked files can be decrypted, nor files encrypted by different ransomware.^[4][5][6]

Analysis of data that became available after the network was taken down indicated that about 1.3% of those infected had paid the ransom; many had been able to recover files that had been backed up, and others are believed to have lost huge amounts of data. Nonetheless, the gang was believed to have extorted about US$300m.^[4]

Participating law enforcement agencies

• Europol
• European Cybercrime Centre (EC3);
• United States
  • Department of Justice (DOJ)
  • Federal Bureau of Investigation (FBI)
  • Defense Criminal Investigative Service of the U.S. Department of Defense^[3] (DOD)
• United Kingdom - U.K. National Crime Agency (NCA)
• South Africa - South African Police Service.
• Australia - Australian Federal Police (AFP)
• Netherlands -
  • Dutch National Police
  • National Criminal Investigation Service
• Germany - Bundeskriminalamt (BKA)
• France - Police Judiciaire
• Italy - Polizia Postale e delle Comunicazioni
• Japan - National Police Agency
• Luxembourg - Police Grand Ducale
• New Zealand - New Zealand Police
• Canada - Royal Canadian Mounted Police
• Ukraine
  • Ministry of Internal Affairs
  • Division for Combating Cyber Crime.

Law enforcement worked together with a number of security companies and academic researchers,^[2][7] including Dell SecureWorks, Deloitte Cyber Risk Services, Microsoft Corporation, Abuse.ch, Afilias, F-Secure, Level 3 Communications, McAfee, Neustar, Shadowserver, Anubisnetworks, Symantec, Heimdal Security, Sophos and Trend Micro, and academic researchers from Carnegie Mellon University, the Georgia Institute of Technology,^[3] VU University Amsterdam and Saarland University.^[2]

See also

• Cutwail botnet
• Conficker
• Command and control (malware)
• Gameover ZeuS
• Timeline of computer viruses and worms
• Tiny Banker Trojan
• Torpig
• Zeus (malware)
• Zombie (computer science)