The top online banking fraud cybergang, Dridex, has recently stepped up its attacks and added ransomware to its repertoire.
Dridex malware already accounts for half of the financial cybercrime aimed at financial institutions, measured by the number of computers the group infects, according to the security firm Symantec. (Dyre, the second most widely used banking malware, was recently disabled.) The group and its botnet send millions of phishing emails a day, in one to five daily runs, and manage to infect an average of 3,000 to 5,000 computers a day.
"We've had peak periods when it's more than that," said Kevin Haley, director of security response at Symantec, including some high peaks earlier this year.
This is a threat to banks' online banking security on multiple levels. Not only are hackers breaking into employee and customer computers to steal online banking credentials and commit fraud, they're also learning how to lock files and drives throughout a company's network, rendering it helpless until it pays a ransom, as Presbyterian Hospital in Hollywood found out in February.
How Dridex Works
"Dridex is the 800-pound gorilla in the banking Trojan space," said Stu Sjouwerman, founder of the security firm KnowBe4. "They are a large Russian cybergang that's been in that space for years, and they have a sizable infrastructure already in place with their highly sophisticated banking Trojans."
Dridex programmers offer their banking Trojan to other cybercriminals in an underground twist on the software-as-a-service model.
Not just anyone can buy it, though. You have to know the right people.
"They make malware available through a service offered to a limited clientele," said John Miller, director of the ThreatScape Cyber Crime service at iSIGHT Partners, a security research and analysis company owned by FireEye. "Then those clients, once they've distributed copies of the malware they receive through the subscription, are able to exploit compromised machines in their fraud operations."
Like most malware, Dridex (which also goes by the names Cridex and Bugat) usually worms its way onto computers through phishing attacks. Fake emails carrying malicious attachments are sent to unsuspecting victims, who open them and let the malware install itself. The malware then lurks on the user's computer, watching everything she does and waiting for her to do some online banking, at which point it uses keystroke logging or web injections (code the Trojan inserts into the bank's web page inside the browser) to steal her username and password, which are then used to steal money from her bank account or her company's account.
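Because the infection chain starts with a malicious attachment, the first place a bank or its customers can break it is at the mail gateway. The following is an added example, not code from the article or from any of the vendors quoted: a small triage rule that parses a message with Python's standard library and scores it on the traits such lures tend to share (macro-capable Office or script attachments, double extensions, a financial subject line, and a Reply-To domain that differs from the From domain). The two sample messages, the point values and the alert threshold are constructed assumptions for the demonstration.

```python
"""Mail-gateway triage for malware lures of the kind described above.

Added example: illustrative code, not from the page or the vendors quoted.
Sample messages, point values and the threshold are assumptions."""
import email
from email import policy
from email.utils import parseaddr

# Attachment types that routinely carry a first-stage downloader (assumption).
MACRO_TYPES = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb"}
SCRIPT_TYPES = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
ARCHIVE_TYPES = {".zip", ".rar", ".7z"}
DECOY_TYPES = {".pdf", ".doc", ".txt", ".jpg"}  # inner part of a double extension
LURE_WORDS = ("invoice", "remittance", "payment", "statement", "order")
ALERT_THRESHOLD = 4


def extension(filename):
    """Lower-cased final extension of a file name, '' if it has none."""
    name = filename.lower().rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw):
    """Parse one RFC 5322 message string and return (score, reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in LURE_WORDS):
        score += 1
        reasons.append("financial lure in subject")

    _, sender = parseaddr(msg.get("From") or "")
    _, reply_to = parseaddr(msg.get("Reply-To") or "")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        score += 2
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                       f"From domain {domain_of(sender)}")

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = extension(fname)
        if ext in SCRIPT_TYPES:
            score += 5
            reasons.append(f"script or executable attachment {fname}")
        elif ext in MACRO_TYPES:
            score += 3
            reasons.append(f"macro-capable attachment {fname}")
        elif ext in ARCHIVE_TYPES:
            score += 2
            reasons.append(f"archive attachment {fname}")
        # invoice.pdf.js style double extension: strip the real one, check the decoy
        stem = fname[:-len(ext)] if ext else fname
        if extension(stem) in DECOY_TYPES:
            score += 3
            reasons.append(f"double extension {fname}")
    return score, reasons


def is_suspicious(raw):
    return score_message(raw)[0] >= ALERT_THRESHOLD


# Constructed sample lure (not a real message): branded sender, mismatched
# Reply-To, financial subject, macro-capable .doc attachment.
LURE = """\
From: Accounts Payable <ap-notices@example-invoices.net>
Reply-To: billing@example.org
Subject: Invoice 4471 - payment remittance
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached invoice.
--b1
Content-Type: application/msword; name="invoice_4471.doc"
Content-Disposition: attachment; filename="invoice_4471.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message: plain PDF agenda from a colleague.
BENIGN = """\
From: Dana <dana@example.org>
Subject: Agenda for Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Agenda attached, see you then.
--b2
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_message(raw), "suspicious" if is_suspicious(raw) else "ok")
```

The scoring is deliberately additive rather than a single hard rule: a lone archive or a lone financial subject line is everyday traffic, while a macro-capable document arriving with a mismatched Reply-To crosses the threshold. In practice the extension check should be backed by content inspection (file-type magic and macro extraction) rather than trusting the declared file name, which an attacker controls.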
The Dridex Trojan is programmed to look for 300 financial institutions, mostly in the U.S. and U.K., including the largest American banks. "They add more and more financial institutions to the list all the time," Haley said. "They want to get the biggest bang for the buck."
In October, the FBI estimated at least $10 million in losses in the U.S. could be attributed to Dridex.
At the same time, the Department of Justice announced that it, the FBI and the U.K.'s National Crime Agency had disrupted the Dridex botnet. A Moldovan administrator of the botnet, Andrey Ghinkul, was arrested on August 28, 2015 in Cyprus.
"Through a technical disruption and criminal indictment we have struck a blow to one of the most pernicious malware threats in the world," a U.S. attorney declared at the time.
However, early this year, a wave of phishing emails unleashed more Dridex malware into the wild than ever before, according to Symantec.
Brian Krebs, author of the popular blog KrebsonSecurity.com, said for the Dridex gang to be stopped, law enforcement would have to go after their infrastructure.
"If the authorities want to go after these groups, what they need to do is compromise or backdoor the money mule networks these guys use to cash out their victims," he said. "The [bad guys] were sharing the infrastructure before. I guarantee they're still sharing it now. The authorities know how to infiltrate and take down money mule networks. They've done it before. They did it with Zeus," another form of malware used by criminals.
The Dridex gang's recovery from the FBI sting also shows how well it's run, Haley observed.
"Like a real company, there's a lot of effort to be resilient, to be able to stay in business and do disaster planning," he said. "Clearly, having members of your gang arrested should be a disaster. But to pick off one or two people is not enough. The botnet that they control has a peer-to-peer quality. It's very difficult to take down and you could cut off one head but multiple other heads remain."
New Product Line: Ransomware
While the Dridex group's phishing and online banking fraud work hasn't abated, it's recently added ransomware as a sideline. Ransomware is malware that encrypts and locks the files on a user's computer and sends a message demanding payment in order for the files to be unlocked.
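Ransomware of the kind described above leaves a distinctive trace on the host: a large number of files rewritten within seconds, each with high-entropy (encrypted) content and usually a changed extension. The following is an added example, not code from the article or from Symantec or iSIGHT: a detector that scores file-write events by Shannon entropy and raises an alert when many distinct files receive encrypted-looking writes inside a short window. The event stream is constructed, and the window, file count, entropy threshold and the ".locked" extension are assumptions for the demonstration rather than properties of any particular ransomware family.

```python
"""Detect the file activity ransomware produces: many files rewritten in a
short time with high-entropy content.

Added example, not code from the page or the vendors quoted; the event
stream is constructed and the thresholds are assumptions."""
import math
import random
from collections import Counter, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float     # seconds, as an assumed file-activity monitor would report
    path: str
    data: bytes   # the bytes written (or a sample of them)


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(events, window=10.0, min_files=20, entropy_threshold=7.0):
    """Return one alert per burst of >= min_files distinct files that receive
    high-entropy writes within `window` seconds of each other."""
    alerts = []
    recent = deque()   # (ts, path) of high-entropy writes still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) < entropy_threshold:
            continue
        recent.append((ev.ts, ev.path))
        while recent and recent[0][0] < ev.ts - window:
            recent.popleft()
        touched = {path for _, path in recent}
        if len(touched) >= min_files:
            alerts.append({"ts": ev.ts, "files": len(touched),
                           "sample": sorted(touched)[:3]})
            recent.clear()   # count the next burst afresh instead of re-alerting
    return alerts


def sample_events():
    """Constructed stream: a few ordinary document saves, then an encryption burst."""
    rng = random.Random(7)
    events = [WriteEvent(ts=10.0 * i, path=f"docs/report{i}.txt",
                         data=b"Quarterly figures attached.\n" * 40)
              for i in range(5)]
    # 30 files rewritten with pseudo-random bytes, four per second, and renamed.
    events += [WriteEvent(ts=100.0 + i * 0.25, path=f"docs/report{i}.txt.locked",
                          data=bytes(rng.getrandbits(8) for _ in range(4096)))
               for i in range(30)]
    return events


if __name__ == "__main__":
    for alert in detect_encryption_burst(sample_events()):
        print(f"t={alert['ts']:.2f}s  {alert['files']} files  e.g. {alert['sample']}")
```

The entropy test alone is not enough, since saving a photo or a zip archive also writes high-entropy data; it is the rate across many distinct files that separates an encryptor from a user, which is why the alert is keyed on the count of paths in the window. A production version would also watch for the original file being deleted or renamed and for a ransom note appearing in each directory.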
"We've seen the distribution operations that are used to support Dridex also spreading Locky, a type of ransomware," Miller said.
According to Forbes, Locky ransomware is infecting more than 90,000 systems a day.