French police have revealed they took down a signficiant malware campaign that had infected nearly a million machines.
The force teamed up with security firm Avast to tackle the Retadup worm, which had distributed a malicious cryptocurrency miner that would leave victim devices severely handicapped.
According to the Cybercrime Fighting Centre (C3N) of the French National Gendarmarie, 850,000 unique infections were recorded, mainly affecting Windows devices in Latin America.
Avast began monitoring Retadup in March 2019, and, spotting that its operations were running mainly out of France shared its intelligence with the C3N to begin the fightback.
The agency was able to take control of its command and control (C&C) server and replace it with a disinfection system that would respond to incoming bot requests with a specifically tailored response, causing the connected pieces of malware to self-destruct.
The C3N and Avast also flagged that some of the Retadup servers were located in the US, and called in the help of the FBI to take these down to lessen the botnet even further.
Avast found that Retadup was also in some cases delivering the Stop ransomware and Arkei password stealer to victims’ computers. Avast noted that in an ironic twist, the malware authors had also infected themselves with the Neshta fileinfector, showing that even they should have used antivirus protection.
In addition, 85 percent of the botnet’s victims did not have any third-party antivirus protection installed, with the majority of victims using Windows 7, highlighting the importance of keeping systems updated.