
"Avalanche" botnet infrastructure

The background on one of the world's largest botnets - and its takedown

Avalanche was an international criminal syndicate that carried out hundreds of thousands of attacks on private and corporate computer systems, infecting them with various types of malware. The network, one of the largest known botnet infrastructures in the world, consisted of 20 botnets, which used the infrastructure to disseminate spam and phishing e-mails as well as malicious software such as ransomware (extortion trojans) and banking trojans.

On 30 November 2016, the Verden public prosecutor's office, together with the Lüneburg Central Criminal Inspectorate (ZKI) and other international partners, took down Avalanche. The Federal Office for Information Security (BSI) played a supporting role in this process. As part of the takedown, sinkhole servers were used to identify the IP addresses of devices infected with malware. The security and information measures initiated at the end of 2016 were extended by another year in November 2017. By that point, the number of infections traced back to Avalanche had fallen, particularly in Germany; infections attributed to the group were down to around 40 percent of the original figure.
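The sinkhole step above works because an infected device keeps trying to reach its command-and-control domains; once those domains resolve to a sinkhole, every such attempt is logged with the client's IP address. The following script is an added example (not BSI's or the takedown team's code) of how a defender turns such logs into notification data: it deduplicates repeated hits into one record per host, tracks first and last contact so a provider can judge whether an infection is still active, counts distinct hosts per botnet family, and extracts the hosts inside a given provider netblock. The log format (ISO timestamp, client IP, requested hostname, family label, whitespace-separated) and all sample lines are constructed assumptions.

```python
"""Aggregate sinkhole hits into per-host infection evidence.

Added example; the log layout is an assumption: one whitespace-separated
line per sinkhole connection with ISO timestamp, client IP, requested
hostname and the family label assigned by the sinkhole operator.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines using documentation IP ranges; not real Avalanche data.
SAMPLE_LOG = """\
2016-12-01T08:15:02Z 198.51.100.23 qwv7k3d.example sinkhole-family-a
2016-12-01T08:15:40Z 198.51.100.23 qwv7k3d.example sinkhole-family-a
2016-12-01T09:02:11Z 203.0.113.77 m2pz81x.example sinkhole-family-b
2016-12-02T10:30:00Z 198.51.100.23 n8e4rrt.example sinkhole-family-a
2016-12-02T11:45:19Z 192.0.2.9 hb3wq0p.example sinkhole-family-b
this line is malformed and is skipped
"""


def parse_sinkhole_log(text):
    """Yield (timestamp, ip, hostname, family) for each well-formed line.

    Malformed lines (wrong field count, bad timestamp, bad IP) are skipped
    rather than aborting the whole run, since real sinkhole logs are noisy."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip, parts[2], parts[3]


def infected_hosts(text):
    """Map each client IP to the families seen and the first/last contact time.

    Repeated connections from one host collapse into a single record, so the
    result counts infected devices rather than raw connection attempts."""
    hosts = {}
    for ts, ip, _hostname, family in parse_sinkhole_log(text):
        rec = hosts.setdefault(ip, {"families": set(), "first": ts, "last": ts})
        rec["families"].add(family)
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hosts


def family_counts(text):
    """Count distinct infected hosts per botnet family."""
    counts = defaultdict(int)
    for rec in infected_hosts(text).values():
        for fam in rec["families"]:
            counts[fam] += 1
    return dict(counts)


def notification_list(text, netblock):
    """Return the sorted infected IPs inside a provider's netblock.

    This is the subset a provider's abuse desk would receive in order to
    notify its own customers."""
    net = ipaddress.ip_network(netblock)
    return sorted(str(ip) for ip in infected_hosts(text) if ip in net)


if __name__ == "__main__":
    for ip, rec in infected_hosts(SAMPLE_LOG).items():
        print(ip, sorted(rec["families"]), rec["first"], rec["last"])
    print(family_counts(SAMPLE_LOG))
    print(notification_list(SAMPLE_LOG, "198.51.100.0/24"))
```

Keying on the client IP is what makes this useful for provider notification, but it also shows the limit of the method: a NAT gateway with several infected devices behind it appears as one host, and a device that changes IP address appears as several.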

After the takedown

Victims are advised to check their devices for malware infections and tighten up their security. The malware on the affected systems was not deleted by the destruction of the botnet infrastructure. It is therefore impossible to rule out the possibility of the perpetrators regaining control of the respective botnets at a later point in time. With this in mind, those affected should take action as soon as possible. This action is also recommended for users who have not received any communication from their provider.

To the best of the BSI's current knowledge, the botnet was primarily made up of Windows systems and Android smartphones. However, it is impossible to rule out the possibility of infections also affecting smartphones that run on Apple iOS or Microsoft Windows Phone, or operating systems such as Apple's OS X or Linux. As far as we know, no Internet of Things devices such as webcams, printers or television receivers are part of the relevant botnets.

For recommendations on how to tackle malware, background information on provider notifications and much more, see our botnet FAQs.

Figure: depiction of the takedown of the Avalanche botnet infrastructure (figure labels in German)

Malware within the Avalanche botnet infrastructure

Known botnet families (malware) found in the Avalanche botnet infrastructure are listed below. Note that antivirus vendors do not name botnet families uniformly, and detections are frequently shown under generic names such as "Downloader.XYZ".