The Retadup malware, which had been deployed on hundreds of thousands of computers around the world to secretly mine the Monero cryptocurrency and carry out other illegal activity, may finally be finished.
According to the BBC, the backend infrastructure of the Retadup Monero cryptojacker, which is estimated to have infected over 850,000 computers across the globe, has been destroyed by the Cybercrime Fighting Center (C3N) of the French police service.
Retadup Monero cryptojacker tricked into self-deleting
The ‘cybergendarmes’ dismantled the network of computers infected with the Monero cryptojacker after being tipped off about the botnet’s location by the cybersecurity firm Avast. Retadup’s backend infrastructure was located in the Paris region.
After accessing Retadup’s backend infrastructure, Avast and C3N instructed the worm to self-delete on all the infected computers that were online.
Congratulations to @Gendarmerie and Avast on the #Retadup botnet takedown. Based on the supported commands, it sounds like an update was pushed, presumably to replace the bot’s AutoIt script with an empty file. Here’s the relevant code (deobfuscated). pic.twitter.com/mrJp9KNemq
— Tillmann Werner (@nunohaien) August 28, 2019
While the malware was globally prevalent, most of the infected computers were located in Central and Latin America. The hardest-hit country was Peru, followed by Venezuela, according to Avast.
Besides France, Retadup also had some backend infrastructure in the United States. In addition to secretly mining the Monero cryptocurrency on infected computers, Retadup also, to a lesser extent, stole passwords and planted ransomware.
How much XMR has the cryptojacking malware earned?
According to the C3N commander, Colonel Jean-Dominique Nollet, the Retadup worm managed to mine Monero worth “several million euros a year”, as Europe1 reported.
Some of the seized servers belonging to Retadup had also been mining Monero. While they were found to have only mined around 53.72 Monero coins worth around $4,230 at current prices, this is believed to only be a tiny fraction of what the entire network generated.
According to Avast, the Monero cryptojacker had a preference for computers with multiple cores because of their higher computing power. Virtually all of the infected computers were running the Windows operating system, and over 50 percent of the computers infected with the Monero cryptojacker were running Windows 7.