Aided by the Czech antivirus firm Avast, the C3N cybercrime unit of the French National Gendarmerie recently hacked into the command and control servers of the criminal gang responsible for spreading the Retadup malware.
Police say they used a copy of the server to hack into the real one, which C3N tracked to a location somewhere in the Paris region, and ordered the program to delete itself from the roughly 850,000 computers it had infected. The operation began on July 2 and extended over 45 days, concluding on August 19, ZDNet reported.
Avast explained in a Wednesday report that the malware had begun as a simple trojan that collected information on the computers it infected, which were mostly in Latin America, but that it had more recently become a complex worm that would sell "installspace" to other, more nefarious malware, providing a way through the computer’s antivirus defenses once it had become infected.
Another iteration of the virus would download and run a Monero miner upon installation. That operation earned the hackers about $4,500 in the cryptocurrency, but ZDNet reported this might have been only part of their profits.
Avast noted that 85% of the infected computers had no antivirus protection software.
“Don’t click on links if you’re not sure who sent you the email,” C3N chief Colonel Jean-Dominique Nollet told French radio on Tuesday. “Don’t click on attachments either, and use up-to-date antivirus programs, even free ones. And try not to do anything stupid on the internet.”
Avast highlighted a Twitter account named “black joker” that boasted of the Monero mining worm in 2018, saying “it’s my baby.” No arrests have been made, but ZDNet reported that after its story was published Wednesday, security researchers from Under the Breach were able to track down the virus author’s identity using domain registration data, identifying him as a 26-year-old Palestinian.