Toronto, October 4, 2017 – M3AAWG honored two German law enforcement officials today for their work in developing the global public/private collaboration that shutdown a massive malware offensive infecting computers in 189 countries and costing victims over $6 million in ransomware payments. Lower Saxony Chief Police Inspector Jörn Bisping and Senior Prosecutor Frank Lange received the 2017 M3AAWG J.D. Falk Award from the Messaging, Malware and Mobile Anti-Abuse Working group for spearheading worldwide efforts to dismantle the criminalized Avalanche platform.
See the video with the recipients talking about their five-year investigation that led to the the takedown.
The global cooperative efforts initiated by the German police and prosecutor’s office resulted in eight arrests, 500 court orders, 37 onsite searches and 39 servers seized worldwide. Over 800,000 domains were seized, blocked or had their traffic diverted to a safe server rather than one controlled by criminals – a process known as sinkholing – making it the largest law enforcement operation to redirect malicious domains to date.
“There was unprecedented cooperation worldwide, including registries in Russia and China taking down malicious domains, and support from smaller countries with lesser-known domains. We worked out some of the processes for collaborating better, and future takedowns and activities against cybercriminals will move even faster,” Bisping said in discussing the award.
A massive and complex criminal platform, Avalanche was used to deploy several attack vectors. Bots on the Avalanche network could determine if the targeted victim was accessing online banking and, if so, would plant key loggers and other malware on these systems to steal the user’s login credentials. Other users would be targeted with ransomware malware. The platform also was used to recruit money laundering “mules” with a convoluted scheme to move stolen funds and ransom out of the country of origin by diverting payments between contracted sources.
In announcing the award at the M3AAWG four-day meeting in Toronto, Canada, the organization’s Chairman of the Board Severin Walker said, “Global action is the only way to protect our local citizens. It’s our professional responsibility to take the initiative in identifying major threats and then reach out to the international community to help confront them. Chief Inspector Bisping and Senior Prosecutor Lange did just this and millions of end-users are much safer now and have benefited from their dedication.”
Five Years of Meticulously Detailed Investigation
The work behind the November 30, 2016 global Avalanche takedown started five years earlier when Bisping, with the Lower Saxony Police in Luneburg, began investigating a single cyberattack that appeared to be responsible for 200 local ransomware cases. In 2013, Lange, a senior prosecutor with the Public Prosecutor's Office in Verden, escalated the investigation to include more than 6,000 similar attacks throughout Germany. As the global scope and complexity of the Avalanche platform became known, they reached out to cybercrime experts such as the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE), which eventually analyzed over 130 TB of captured data to identify the botnet server structure.
Lange said, “We realized through reverse engineering and other detailed analysis that Avalanche was more than just a botnet or a network running a few types of malware; it was a complete infrastructure and it would be impossible to stop without the help of other countries. By this time, we were in a position to invite the international community to work with us on three goals: to take down the servers, issue arrest warrants to those running them, and sinkhole all the families of malware we identified on the platform.”
In July of 2015, German police officials asked the U.S. Federal Bureau of Investigation for assistance. This eventually led to the international takedown in late 2016 that diverted traffic headed to the known malicious domains to the collaboration team’s servers and to the arrests. The investigation and the subsequent operation also involved the European police agency Europol, the European Union's Judicial Cooperation Unit or Eurojust, the U.S. Department of Justice, cybersecurity organizations such as Shadowserver, and investigators and prosecutors in more than 40 countries.
The J.D. Falk Award recognizes a significant achievement that protects end-users and the people working behind the scenes to make a better online world. The 2017 award was announced at the M3AAWG 41st General Meeting in Toronto, Canada, with over 300 cybersecurity participants from around the world at the Oct. 3-5 event. M3AAWG also hosted UCENet (previously known as the London Action Plan) during the week. The M3AAWG 42nd General Meeting will be February 19-22, 2018 in San Francisco, USA.
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.
The German Lower Saxony Minister of Justice, Antje Niewisch-Lennartz, congratulates both award winning recipients:
“The law enforcement agencies of Lower Saxony are fighting international crime in a persistent, effective and extremely successful manner.
The takedown of Avalanche is a testimony to the excellent international collaboration of the law enforcement agencies of participating states, as well as the support provided by authorities and private organizations. I am particularly pleased that this success is being acknowledged with this award by international entities.
Congratulations to the award recipients, as well as the various individuals whose behind-the-scenes efforts contributed to this success.”
The German Lower Saxony Minister for Internal Affairs and Sports, Boris Pistorius, commends and congratulates this extraordinary success:
“Lower Saxony set the course to fight cybercrime and related forms of criminality by establishing special investigation units to specifically fight crimes like this.
We are now in the process of hiring numerous additional external IT specialists. I was personally informed of the work that these special investigators performed onsite, particularly during the key phase of dismantling this criminal infrastructure.
I applaud the outstanding successes of this investigation; in regards to fighting the dynamic development of this criminal activity, this demonstrates that we are on the right path. Congratulations on this award, and my utmost respect; also to the many contributors, whose support and collaboration made this success possible.”
# # #
Media Contact: Linda Marcus, APR, +1-949-887-8887, LMarcus@astra.cc, Astra Communications
M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Oath (Yahoo and AOL); Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure.
M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.
A complete member list is available at http://www.m3aawg.org/about/roster.