267,000 computers infected over a period of five months

Jan 29, 2014 12:28 GMT

Security researchers from Bitdefender have been working with the Romanian National Police on analyzing some servers used by cybercriminals for police ransomware, more precisely the ICEPOL Trojan. The servers were located in Bucharest, Romania, and they were seized by authorities last year.

The servers in Romania were only one part of a malware distribution system made up of tens of such machines. The unit located in Romania communicated with servers in the Netherlands before it was shut down.

Bitdefender and the police analyzed the ransomware servers between May 1 and September 26, 2013. During this period, log files showed over 267,000 successful infections, most of them in the US (42,400), Germany (31,700) and Italy (24,800).

It’s worth noting that after the Romanian servers were shut down, the command and control unit was moved to Germany.

“The results of the investigation of the ICEPOL Ransomware are based on the cooperation with several law enforcement agencies and third party vendors,” stated the head of the Service for Countering Cyber Criminality within the Romanian National Police.

“Although complex, we had very good results so far and we will continue fighting cybercrime even though the lack of jurisdiction when involving other areas sometimes slows things down.”

As far as profit goes, the log files from the seized computers show that over 158,000 (presumably US dollars) was collected from victims in the United States during the period in which Bitdefender monitored the servers.

“The criminal underworld seems to have developed malware distribution networks (MDNs), which work much in the same way as legitimate CDNs, even down to the money-making referral and syndication schemes,” commented Catalin Cosoi, chief security strategist at Bitdefender.

In addition to the ransomware component, the servers shut down by authorities also hosted a pay-per-click module that redirected victims from adult websites to advertisers or other malware distribution sites.