The other shoe has dropped for Paras Jha, a 22-year-old New Jersey man who’s one of a trio of Mirai botnet authors sentenced in September. Besides the probation, community service and fines handed out by an Alaskan court last month, Jha has now been given a far stiffer fine from a New Jersey court for launching an attack on the network of Rutgers University.
He’s looking at paying $8.6m in restitution, and he’s been sentenced to six months of house arrest.
The US Attorney’s Office in New Jersey on Friday said that distributed denial of service (DDoS) attacks on the networks of Rutgers University “effectively shut down Rutgers University’s central authentication server,” which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments.
At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.
In September, an Alaskan court had sentenced the three Mirai botnet authors to probation, community service and fines.
It seemed like a light sentence, considering the vast damage done by the botnet.
The three Mirai authors – besides Jha, they included Josiah White, 21, of Washington, PA; and Dalton Norman, 22, from Metairie, Louisiana – pleaded guilty to writing and implementing the code that led to the Mirai malware, which ensnared more than 300,000 Internet of Things (IoT) devices; launching multiple distributed DDoS attacks (including, unwisely, against security journalist Brian Krebs, whose response was to track them down and unmask them); renting the botnet out to third parties and then extorting money from hosting companies in exchange for not being targeted, or selling uniquely tailored “services” to victims in order to fend off such attacks; scanning for vulnerable devices to attack; and click fraud.
…All of which was estimated to have caused damage in excess of $100m.
The FBI’s take: Yes, but they’re such smart guys! Let’s keep them around! And hence did the three wind up sentenced to five years’ probation and 2,500 hours of community service, some of which will be spent working with/for the FBI.
The men were also ordered to pay $127,000 in restitution for the damage caused by their malware, and voluntarily give up significant chunks of cryptocurrency seized during the course of the investigation.
Prior to sentencing, the three also collectively worked for what the FBI estimated was more than 1,000 hours: equivalent to about six months of full-time work. Their efforts have made a serious contribution in nationwide and even global law enforcement and security efforts, the government said, and included helping to chase what appeared to be an Advanced Persistent Threat (APT) from a nation-state hacking group; working with the FBI in advance of Christmas 2017 to help mitigate a tsunami of DDoS attacks; and working undercover, both online and offline, including traveling to “surreptitiously record the activities of known investigative subjects,” and working with overseas law enforcement to “ensur[e] a given target was actively utilizing a computer during the execution of a physical search,” according to court documents.
Jha had been enrolled as a computer science student at Rutgers at the time of the DDoS attacks. DDoSing your school and having to pay millions in restitution is one hell of a way to part ways with an educational institution. Rutgers deserved better than that kind of treatment.
Let’s hope that this is the end of Jha’s courtroom journey and the beginning of using his talents for good by continuing his work with the FBI and keeping his nose clean.