Published Date: 2010-08-11

| Postmortem Analysis | |
|---|---|
| Timeline | 1. The software failure incident happened in June 2014. [27906, 28257, 27306] 2. The software failure incident happened in November 2013. [23052] |
| System | 1. Gameover Zeus malware 2. Cryptolocker ransomware 3. Zeus v3 Trojan 4. CryptoLocker virus [27306, 27308, 23052] |
| Responsible Organization | 1. Cyber criminals behind the Gameover Zeus and Cryptolocker malware were responsible for causing the software failure incident [27906, 28257, 27306, 27308]. 2. The CryptoLocker virus was also mentioned as a lethal software causing a ransomware attack [23052]. |
| Impacted Organization | 1. Businesses and members of the public, including Pittsburgh based Reinforced Plastics of Erie and the Swansea, Massachusetts police department, were impacted by the Gameover Zeus and Cryptolocker malware attacks, resulting in financial losses and ransom payments [27308]. 2. Thousands of British internet bank customers were impacted by a sophisticated attack using a Trojan virus that stole confidential passwords and account details, resulting in financial losses [2631]. 3. Online banking customers, particularly small businesses, were vulnerable to the CryptoLocker virus attack, which encrypted files and demanded ransom payments [23052]. |
| Software Causes | 1. Cryptolocker ransomware, which locked people out of their computers, encrypted their files, and demanded payment to decrypt them [27906]. 2. Gameover Zeus malware, which stole banking passwords and was used to distribute Cryptolocker ransomware [28257, 27308]. 3. Zeus v3 Trojan, which encrypted computer files and demanded a ransom for their release [23052]. 4. Malicious software used in a sophisticated attack that stole confidential passwords and account details from online banking customers [2631]. |
| Non-software Causes | 1. Lack of adequate protection of file-sharing between employees in small businesses, making them vulnerable to attacks [27906]. 2. Failure of users to keep their computer's operating systems and software up to date, leaving them vulnerable to attacks [2631]. 3. Victims opening unsolicited email attachments containing malware, leading to the installation of harmful software on their computers [27308]. |
| Impacts | 1. The Cryptolocker ransomware, which encrypted files and demanded payment to decrypt them, extorted more than $30 million globally, affecting over 234,000 PCs worldwide [27906]. 2. The Gameover Zeus malware, along with Cryptolocker, stole more than $100 million from businesses and individuals since 2011, affecting between 500,000 and 1 million machines worldwide [27308]. 3. The Zeus v3 Trojan virus targeted thousands of British internet banking customers, resulting in at least £675,000 being illegally transferred from the UK in a month [2631]. 4. The CryptoLocker virus encrypted computer files and demanded a ransom, affecting users by locking them out of their files and threatening deletion if payment was not made [23052]. |
| Preventions | 1. Keeping anti-virus software up to date and ensuring firewalls are set to the highest level [Article 2631]. 2. Installing updates for operating systems and software to fix known vulnerabilities [Article 2631]. 3. Being cautious when handling unsolicited or unexpected emails, especially during the two-week window before hackers rebuild their network [Article 27308]. 4. Changing passwords as original passwords may have been compromised during the infection [Article 27308]. 5. Backing up all valuable data [Article 27308]. |
| Fixes | 1. Updating operating systems and security software on PCs [27906] 2. Installing anti-virus software and updating operating systems to the latest versions [27308] 3. Keeping anti-virus software up to date and firewalls set to the highest level [2631] 4. Changing passwords if original passwords may have been compromised during the infection [27308] 5. Backing up all valuable data [27308] |
| References | 1. Europol's European Cyber Crime Centre (EC3) - [27906] 2. Security firm Damballa - [27906] 3. Danish security firm Heimdal Security - [27906] 4. FBI - [27906, 28257, 58997] 5. National Crime Agency (NCA) - [2631, 27308] 6. Websense Security Labs - [23052] 7. Department of Homeland Security - [27308] |

| Category | Option | Rationale |
|---|---|---|
| Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The Gameover Zeus malware, which stole banking passwords and encrypted files for ransom, has resurfaced in a new variant after being disrupted previously [Article 28257]. - The CryptoLocker virus, which encrypts computer files and demands a ransom, has been reported to be a lethal threat once again [Article 23052]. (b) The software failure incident having happened again at multiple_organization: - The Gameover Zeus malware, along with the CryptoLocker ransomware, has affected multiple organizations and individuals globally, leading to significant financial losses [Article 27308]. |
| Phase (Design/Operation) | design, operation | (a) In the case of the software failure incident related to the development phase of design, the articles mention the following: - The CryptoLocker virus was mentioned as a lethal threat that seizes control of computer files and demands a ransom, indicating a failure due to contributing factors introduced by system development or updates [Article 23052]. - The Gameover Zeus and Cryptolocker malware were sophisticated and immensely lucrative, affecting hundreds of thousands of PCs and causing financial losses, showcasing failures introduced during system development [Article 27308]. (b) In the case of the software failure incident related to the development phase of operation, the articles mention the following: - The Gameover Zeus malware infected hundreds of thousands of PCs, stole banking passwords, and demanded ransom, indicating a failure due to contributing factors introduced by the operation or misuse of the system [Article 27308]. - The Zeus v3 Trojan involved in attacks hid in adverts on legitimate websites, waiting for users to visit their online bank to steal account details and passwords, highlighting a failure in the operation of the system [Article 2631]. |
| Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incidents described in the articles are primarily due to malware attacks such as Cryptolocker, Gameover Zeus, and CryptoLocker virus. These malware attacks involve malicious software that infects computers, encrypts files, demands ransom payments, and steals sensitive information like banking passwords. The malware operates within the system by exploiting vulnerabilities, infecting computers through email attachments or websites, and locking users out of their files until a ransom is paid. The attacks are sophisticated and highly damaging, affecting individuals, businesses, and even government agencies ([27906], [58997], [28257], [2631], [27308]). (b) outside_system: The contributing factors originating from outside the system in these software failure incidents include the actions of cybercriminals who launch the malware attacks. The hackers behind the malware attacks are described as an international crime ring, with Russian-led hackers being specifically mentioned. These cybercriminals operate from Eastern Europe and other locations, targeting individuals, businesses, and organizations globally. The attacks involve social engineering tactics like phishing emails with malicious attachments, exploiting vulnerabilities in software, and using sophisticated malware to compromise systems ([27906], [58997], [28257], [2631], [27308]). |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The CryptoLocker virus, a lethal ransomware, seizes control of computer files and threatens to erase them unless a ransom is paid. It is spread through malicious email attachments and encrypts files, making them inaccessible [Article 23052]. - The Gameover Zeus malware, along with Cryptolocker, infected hundreds of thousands of PCs worldwide, stealing over $100 million since 2011. The malware stole banking passwords and encrypted files, demanding ransom for their release [Article 27308]. (b) The software failure incident occurring due to human actions: - The Gameover Zeus and Cryptolocker malware were part of an international crime ring led by hackers, including Russian Evgeniy Mikhailovich Bogachev, who stole over $100 million from businesses and individuals. The malware was used to steal banking passwords and encrypt files for ransom [Article 27308]. - The Zeus v3 Trojan, spread through malicious PDF attachments, was used to steal confidential passwords and account details from at least 3,000 customers of an online bank, resulting in illegal transfers of at least £675,000. The attacks were traced to a control and command center in Eastern Europe [Article 2631]. |
| Dimension (Hardware/Software) | software | (a) The software failure incident occurring due to hardware: - The articles do not mention any software failure incident occurring due to contributing factors originating in hardware. (b) The software failure incident occurring due to software: - The software failure incidents mentioned in the articles are primarily due to contributing factors originating in software. These incidents involve malware such as Cryptolocker, Gameover Zeus, and Zeus v3 that infected computers, encrypted files, stole banking passwords, and demanded ransom payments [27906, 58997, 28257, 2631, 27308]. These incidents highlight how cybercriminals used malicious software to exploit vulnerabilities in systems and compromise data, leading to financial losses and disruptions. |
| Objective (Malicious/Non-malicious) | malicious, non-malicious | (a) The software failure incident related to malicious intent: - The articles discuss incidents involving malicious software such as Cryptolocker and Gameover Zeus, which were designed to extort money from victims by encrypting their files and demanding ransom payments [27906, 58997, 28257, 27306, 27308]. - These malware programs were created by cybercriminals with the intent to steal money from individuals, businesses, and organizations [27906, 58997, 28257, 27306, 27308]. - The attackers behind these malware programs demanded ransom payments in hard-to-trace virtual currencies like Bitcoin, showing a deliberate intent to profit from their malicious activities [27906, 58997, 28257, 27306, 27308]. (b) The software failure incident related to non-malicious factors: - The articles also mention incidents where users unknowingly downloaded malware through email attachments or malicious websites, leading to their computers being infected [2631, 23052]. - In some cases, users were targeted through phishing emails containing malware attachments, which exploited vulnerabilities in their systems [2631, 23052]. - The attacks were facilitated by users not keeping their operating systems and software up to date, leaving their computers vulnerable to cybertheft [2631, 23052]. |
| Intent (Poor/Accidental Decisions) | unknown | (a) The intent of the software failure incident: - The software failure incidents related to the Gameover Zeus and Cryptolocker malware were intentional and malicious in nature. The cybercriminals behind these malware programs had the intent to steal banking passwords, encrypt files, and extort money from victims [27308]. - The malware programs, such as Gameover Zeus and Cryptolocker, were designed to seize control of computer files, threaten to erase them unless a ransom was paid, and demand payment via hard-to-trace Bitcoin [23052]. - The criminals behind the malware attacks were highly sophisticated and aimed to hold personal and important files stored on victims' computers for ransom [27308]. (b) The software failure incidents were not due to accidental decisions or mistakes. |
| Capability (Incompetence/Accidental) | accidental | (a) The articles do not provide information about the software failure incident occurring due to development incompetence. (b) The software failure incidents reported in the articles were accidental in nature. The incidents involved cybercriminals using malicious software like Cryptolocker and Gameover Zeus to infect computers, steal banking information, encrypt files, and demand ransom payments [27906, 58997, 28257, 2631, 27308]. The infections were spread through spam emails, malware attachments, and malicious websites, leading to financial losses for individuals and businesses. The attacks were not intentional software development failures but rather deliberate criminal activities aimed at exploiting vulnerabilities in computer systems. |
| Duration | temporary | (a) The software failure incident described in the articles is temporary. The incident involved malware such as Gameover Zeus and Cryptolocker that infected hundreds of thousands of PCs, stole banking passwords, encrypted files, and demanded ransom payments. Law enforcement agencies, including the FBI, worked to disrupt the criminal operations behind the malware, leading to a temporary disablement of the malicious software. Victims were urged to update their operating systems, install anti-virus software, and take precautions to protect their computers from being reinfected [Article 27308]. The incident was part of a cybercrime ring that stole more than $100 million from businesses and individuals since 2011. The malware used in the attacks, such as Gameover Zeus and Cryptolocker, were sophisticated and lucrative schemes that encrypted files and demanded ransom payments. The international effort by law enforcement agencies disrupted the network of infected machines, providing a window of opportunity for computer users to protect themselves from the malware [Article 27308]. |
| Behaviour | crash, omission, value, other | (a) crash: The articles describe incidents related to the Cryptolocker ransomware and Gameover Zeus malware, which caused systems to crash by locking people out of their computers, encrypting their files, and demanding ransom payments to decrypt them. This behavior aligns with a crash as the system loses its state and fails to perform its intended functions [27906, 58997, 28257, 27306, 27308]. (b) omission: The malware incidents resulted in the omission of the system to perform its intended functions at instances where users were unable to access their files or had their files encrypted, leading to data loss or being locked out of their computers until a ransom was paid [27906, 58997, 28257, 27306, 27308]. (c) timing: The timing aspect is not explicitly mentioned in the articles as a specific behavior of the software failure incidents. (d) value: The software failure incidents involved the system performing its intended functions incorrectly by encrypting files, demanding ransom payments, and causing financial losses to individuals and businesses [27906, 58997, 28257, 27306, 27308]. (e) byzantine: The articles do not provide information indicating a byzantine behavior of the software failure incidents. (f) other: The other behavior observed in the software failure incidents is the extortion of money from victims by threatening to delete their files or locking them out of their computers until a ransom is paid, which can be categorized as a form of coercion or extortion [27906, 58997, 28257, 27306, 27308]. |

| Layer | Option | Rationale |
|---|---|---|
| Perception | None | None |
| Communication | None | None |
| Application | None | None |

| Category | Option | Rationale |
|---|---|---|
| Consequence | property | (d) property: People's material goods, money, or data was impacted due to the software failure. The articles discuss how the software failures, particularly the Cryptolocker and Gameover Zeus malware incidents, resulted in financial losses for individuals and businesses. The malware encrypted files on victims' computers and demanded ransom payments in exchange for decrypting the files, leading to significant monetary losses. For example, the Gameover Zeus malware stole more than $100 million from businesses and individuals since 2011 [27308]. Additionally, the CryptoLocker virus threatened to erase computer files unless a ransom was paid, affecting individuals and small businesses who had their documents locked [23052]. These incidents demonstrate how people's material goods, money, and data were impacted by the software failures. |
| Domain | information | (a) The failed system was intended to support the production and distribution of information. The articles discuss incidents related to malware such as Cryptolocker and Gameover Zeus that targeted individuals and businesses, encrypting files and demanding ransom payments to decrypt them, affecting data and information stored on computers [27906, 58997, 28257, 2631, 27308]. (b) The transportation industry was not specifically mentioned in the articles. (c) The failed system was not directly related to the extraction of natural resources. (d) The failed system was not directly related to sales transactions. (e) The failed system was not directly related to the construction industry. (f) The failed system was not directly related to the manufacturing industry. (g) The failed system was not directly related to utilities services. (h) The failed system was not directly related to the finance industry, although there were mentions of ransom payments and financial losses due to the malware attacks. (i) The failed system was not directly related to the knowledge industry. (j) The failed system was not directly related to the health industry. (k) The failed system was not directly related to the entertainment industry. (l) The failed system was not directly related to the government industry. (m) The failed system was not directly related to any of the industries mentioned in options (a) to (l). |

Article ID: 27906
Article ID: 58997
Article ID: 28257
Article ID: 27306
Article ID: 2631
Article ID: 23052
Article ID: 27308