According to a report by the security company Avast in spring 2019, the cybercrime department “C3N” (Centre de lutte contre les criminalités numériques) of the French national police was able to shut down a cryptomining botnet that now comprises more than 850,000 computers.
The systems infected by retadup have been digging for the crypto currency Monero since at least 2016.
Retadup Botnet deleted itself
The cyber specialists of the French National Gendarmerie destroyed the network of computers infected with the Monero Crypto Miner after being informed of the botnet’s location by the cyber security software company Avast. Retadup’s backend infrastructure was located in the Paris region.
After accessing Retadup’s backend infrastructure, the officers were able to set up their own command server with the help of the FBI, which was also involved, and redirect the traffic from the botnet to it. Using this infiltrated server, Avast and C3N then requested the worm to delete itself on all infected computers that were online.
While the malware was spread around the world, most of the infected computers were located in Central and Latin America. The country most affected was Peru, followed by Venezuela, according to Avast.
In addition to France, Retadup also had a certain backend infrastructure in the US. Apart from the fact that the Monero crypto currency is secretly broken down on infected computers, Retadup has also stolen passwords and installed ransomware to a lesser extent.
“The cybercriminals behind Retadup had the opportunity to run additional arbitrary malware on hundreds of thousands of computers worldwide,” said Jan Vojtěšek, a malware analyst at Avast who led the research. “Our main goals were to prevent them from running destructive malware on a large scale and to prevent cybercriminals from continuing to abuse infected computers.”
How much XMR has crypto-mining malware “earned”?
According to C3N commander Colonel Jean-Dominique Nollet, the retadup worm managed to mine Monero worth “several million euros a year,” as Europe1 reported. Some of Retadup’s confiscated backend servers had also mined for Monero. While they only mined about 53.72 Monero coins worth about $4,230 at current prices, this is only a tiny fraction of what the entire network generated.
(Monero (XMR) is an open-source cryptocurrency created in April 2014 that focuses on fungibility, privacy and decentralization. Monero uses an obfuscated public ledger, meaning anybody can broadcast or send transactions, but no outside observer can tell the source, amount or destination. Monero uses a Proof of Work mechanism to issue new coins and incentivize miners to secure the network and validate transactions.
The privacy afforded by Monero has attracted use by people interested in evading law enforcement during events such as the WannaCry Ransomware Attack, or on the dark web buying illegal substances. Despite this, Monero is actively encouraged to those seeking financial privacy, since payments and account balances remain entirely hidden, which is not the standard for most cryptocurrencies. – Source: Wikipedia)
According to Avast, the Monero cryptojacker had a preference for multi-core computers due to its higher computing power. Virtually all infected computers were equipped with the Windows operating system. Over 50 percent of computers infected with the Monero cryptojacker were running Windows 7.
The people behind Retadup are said to have earned several million euros with their scam since 2016 – and are still on the run, as the BBC reports.