A tip-off that antivirus firm Avast gave to France's cybersecurity unit in spring has finally paid off, ending with that unit dismantling the server behind the spread of the Retadup virus. Retadup is Monero crypto-jacking malware that has been active since 2016, and in that time it has infected 850,000 computers across the globe.
Although the server is down at the moment, it could easily be replicated and used to spread the malware again. The Retadup operators targeted computers running Windows and managed to infect machines in more than 100 different countries. Per the press release, the cybercriminals appear to have been after users in Central and South America.
How the Virus was Spread
According to the investigation, the cybercriminals used infected USB drives, sent emails promising easy money-making schemes, and also sent erotic pictures to their targets. Once a victim clicked on any of the links, their computer became infected, giving the cybercriminals control of it, after which they proceeded to mine Monero. Apart from mining Monero, they also ran extortion schemes and stole data. On the latter front, Israeli hospitals were the hardest hit, with both hospital and patient data stolen.
Through their command server, the cybercriminals built a botnet out of the infected computers. That same server, however, is what the French cyber unit used to dismantle their control tower. According to the cyber unit, they tracked the control tower to somewhere in Paris.
They then built a replica of the control tower, which rendered the virus inactive on the infected computers. Through the same dummy server, the cyber unit pushed out a fix that cleaned the infected machines. None of this would have been possible without the help of the FBI, which blocked the incoming traffic and redirected it to the unit's server.
Although the virus is down, the magnitude of the damage was dire. According to Jean-Dominique Nollet, chief of the C3N, the botnet could have been used to bring down all civilian websites across the globe. Moreover, their investigation shows the losses run into millions of euros. With the threat contained for the moment, the server will not be taken offline until every infected computer has been cleaned.