French ‘cybercops’ dismantle pirate computer network
A team of French police dubbed “cybergendarmes” has neutralised a malware infection that had spread to more than 850,000 computers worldwide, authorities say.
The network of infected computers, known as a botnet, was controlled from France and is thought to have made millions of euros from fraud.
After a tip-off, the French team located and dismantled the botnet's command-and-control server in the Paris region.
Then they succeeded in disinfecting the computers around the globe.
What damage was done?
France’s C3N digital crime-fighting centre was alerted in the spring by the anti-virus company Avast to a server that appeared to be controlling a malware strain called Retadup on hundreds of thousands of Windows computers in more than 100 countries, mainly in Central and South America.
Officials explained that the malware spread through emails offering easy money or erotic pictures, and through infected USB drives.
The attackers could then use it to control the computers remotely, without their owners realising, in order to mine the cryptocurrency Monero, extort money with ransomware and even steal data from Israeli hospitals and their patients.
The operators behind the botnet are thought to have made millions of euros since they set it up in 2016 and are still on the run.
How was it dismantled?
“We managed to track down where the command server was, the control tower for the ‘botnet’ network of infected computers,” C3N chief Jean-Dominique Nollet told France Inter radio.
Then, he says, they set up a replica of that server which, when the infected machines contacted it, rendered the malware inactive. A botnet's traffic is usually just redirected to a dead end on the internet, which cuts the bots off from their operators but leaves the malware in place on the victims' machines; in this case it was disabled.
The FBI also helped, as the French team needed US assistance to block the botnet's traffic and redirect it to their replica server.
“People may not realise it but 850,000 infected computers means massive firepower, enough to bring down all the (civilian) websites on the planet,” he said. Even well-protected institutions were at risk of being paralysed.
Mr Nollet said they would keep the replica server running so that any infected computers that had not been online in the past few weeks could still be disinfected when they next connected.
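The difference between the usual "dead end" sinkhole and the replica server described above, and why the replica is kept running for machines that come online late, can be shown with a small simulation. This is an added example, not code from the article, C3N or Avast, and the check-in protocol it uses is entirely hypothetical: the article does not describe Retadup's real command protocol. The example assumes the bot accepts whatever reply the server sends; whether a replica server can do more than log victims in practice depends on whether the malware authenticates its commands, which the article does not discuss.

```python
"""Toy model of two sinkhole styles: a dead end that only logs victims,
and a replica control server that answers with a disable command.

The JSON check-in used here is a made-up, hypothetical protocol, not
Retadup's real one. All bots and servers are in-memory objects.
"""
import json
from dataclasses import dataclass


@dataclass
class Bot:
    """One infected machine. `online_from` models a PC switched on late."""
    bot_id: str
    online_from: int = 0     # first round in which the machine is online
    active: bool = True      # malware still installed and running
    polls: int = 0           # number of check-ins performed

    def check_in(self) -> bytes:
        # Hypothetical beacon: identify the victim and ask for a task.
        self.polls += 1
        return json.dumps({"id": self.bot_id, "os": "win", "ask": "task"}).encode()

    def handle_reply(self, reply: bytes) -> None:
        if not reply:
            return  # dead sinkhole: no answer, bot stays resident and retries
        msg = json.loads(reply.decode())
        if msg.get("cmd") == "uninstall":
            self.active = False  # replica server: bot removes itself
        # Real malware would execute other commands (e.g. "mine") here;
        # the sinkhole never sends them, so they are ignored in this model.


class DeadSinkhole:
    """Traffic redirected to a dead end: victims are logged, never answered."""

    def __init__(self) -> None:
        self.seen: set[str] = set()

    def serve(self, request: bytes) -> bytes:
        self.seen.add(json.loads(request)["id"])
        return b""


class ReplicaC2:
    """Replica control server: logs victims and tells each bot to uninstall."""

    def __init__(self) -> None:
        self.seen: set[str] = set()

    def serve(self, request: bytes) -> bytes:
        self.seen.add(json.loads(request)["id"])
        return json.dumps({"cmd": "uninstall"}).encode()


def run_campaign(server, bots: list[Bot], rounds: int = 3) -> dict:
    """Run `rounds` polling cycles. Each bot that is online and still active
    checks in once per round; the server keeps running across all rounds so
    late joiners are handled when they first connect."""
    for r in range(rounds):
        for bot in bots:
            if bot.active and bot.online_from <= r:
                bot.handle_reply(server.serve(bot.check_in()))
    return {
        "victims_seen": len(server.seen),
        "still_active": sum(1 for b in bots if b.active),
        "polls": {b.bot_id: b.polls for b in bots},
    }


if __name__ == "__main__":
    fleet = lambda: [Bot("pc-a"), Bot("pc-b", online_from=2)]  # constructed sample
    print("dead sinkhole:", run_campaign(DeadSinkhole(), fleet()))
    print("replica C2:   ", run_campaign(ReplicaC2(), fleet()))
```

With the dead sinkhole both machines are identified but remain infected and keep beaconing; with the replica server each machine is disabled on its first check-in, including the one that only comes online in the last round, which is the reason for leaving the replica running.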