Editor at Large

The top online banking fraud cybergang, Dridex, has recently stepped up its attacks and added ransomware to its repertoire.

Dridex malware already accounts for half the financial cybercrime against financial institutions, according to the security firm Symantec, citing the number of computers the group infects. (The second-largest malware used, Dyre, was recently disabled.) The group and its botnet send millions of phishing emails a day, in one to five daily runs, and manages to infect an average of 3,000 to 5,000 computers a day.

"We've had peak periods when it's more than that," said Kevin Haley, director of security response at Symantec, including some high peaks earlier this year.

This is a threat to banks' online banking security on multiple levels. Not only are hackers breaking into employee and customer computers to steal online banking credentials and commit fraud, they're also learning how to lock files and drives throughout a company's network, rendering it helpless until it pays a ransom, as Presbyterian Hospital in Hollywood found out in February.

How Dridex Works

"Dridex is the 800-pound gorilla in the banking Trojan space," said Stu Sjouwerman, founder of the security firm KnowBe4. "They are a large Russian cybergang that's been in that space for years, and they have a sizable infrastructure already in place with their highly sophisticated banking Trojans."

Dridex programmers offer their banking Trojan to other cybercriminals in an underground twist on the software-as-a-service model.

Not just anyone can buy it, though. You have to know the right people.

"They make malware available through a service offered to a limited clientele," said John Miller, director of the ThreatScape Cyber Crime service at iSIGHT Partners, a security research and analysis company owned by FireEye. "Then those clients, once they've distributed copies of the malware they receive through the subscription, are able to exploit compromised machines in their fraud operations."

Like most malware, Dridex (which also goes by the names Cridex and Bugat) usually worms its way onto computers through phishing attacks. Fake emails containing malicious files are sent to unsuspecting victims, who click on them and allow malware to seep into their computers. The malware lurks on the user's computer, watching everything she does and waiting for her to do some online banking, at which point it uses keystroke logging or web injections to steal her user name and password, which are then used to steal money from her bank account or her company's account.

The Dridex Trojan is programmed to look for 300 financial institutions, mostly in the U.S. and U.K., including the largest American banks. "They add more and more financial institutions to the list all the time," Haley said. "They want to get the biggest bang for the buck."

In October, the FBI estimated at least $10 million in losses in the U.S. could be attributed to Dridex.

At the same time, the Department of Justice announced that it, the FBI and the U.K.'s National Crime Agency had disrupted the Dridex botnet. A Moldovan administrator of the botnet, Andrey Ghinkul, was arrested on August 28, 2015 in Cyprus.

"Through a technical disruption and criminal indictment we have struck a blow to one of the most pernicious malware threats in the world," a U.S. attorney declared at the time.

However, early this year, a wave of phishing emails unleashed more Dridex malware into the wild than ever before, according to Symantec.

Brian Krebs, author of the popular blog KrebsonSecurity.com, said for the Dridex gang to be stopped, law enforcement would have to go after their infrastructure.

"If the authorities want to go after these groups, what they need to do is compromise or backdoor the money mule networks these guys use to cash out their victims," he said. "The [bad guys] were sharing the infrastructure before. I guarantee they're still sharing it now. The authorities know how to infiltrate and take down money mule networks. They've done it before. They did it with Zeus," another form of malware used by criminals.

The Dridex gang's recovery from the FBI sting also shows how well it's run, Haley observed.

"Like a real company, there's a lot of effort to be resilient, to be able to stay in business and do disaster planning," he said. "Clearly, having members of your gang arrested should be a disaster. But to pick off one or two people is not enough. The botnet that they control has a peer-to-peer quality. It's very difficult to take down and you could cut off one head but multiple other heads remain."

New Product Line: Ransomware

While the Dridex group's phishing and online banking fraud work hasn't abated, it's recently added ransomware as a sideline. Ransomware is malware that encrypts and locks the files on a user's computer and sends a message demanding payment in order for the files to be unlocked.

"We've seen the distribution operations that are used to support Dridex also spreading Locky, a type of ransomware," Miller said.

According to Forbes, Locky ransomware is infecting more than 90,000 systems a day.

In January, the FBI warned of the rise of ransomware. "Ransomware has been around for several years, but there's been a definite uptick lately in its use by cyber criminals," the agency said in a press release.

"Everybody's getting more into ransomware, why wouldn't you?" Krebs said. "It's a no-brainer. Two percent of the people pay. You just have to be prolific, that's all."

Right now, such attacks are opportunistic, Krebs said. "The ransomware attacks will get a lot more expensive, and soon," he said.

Sjouwerman is certain banks are being targeted by the ransomware.

"You will never find a bank that's willing to admit it has been targeted, has been infected and paid a ransom," he said. "That would be an immediate loss of half their deposits. It ain't going to happen. However, I'm sure they're being targeted."

And ransomware has dangers beyond the initial computer it hits.

"They're not just trying to infect your workstation and lock your files on you workstation; they're trying to go for any network drive they can find," Sjouwerman said. "That's where the risk is. This is what happened at Presbyterian Hospital in Hollywood."

Why People Fall for It

The Dridex perpetrators have gotten good at disguising malware as an invoice in their phishing attacks.

"If you got a bill in an email that looks like it came from someone you did business with, you're liable to click on it just to see what's going on," Haley said. "That's one of the things that make these guys so effective."

Krebs said in some cases, hackers will post fake resumes on job boards and collect the emails of people who respond to them — people in charge of HR and hiring.

"They target those people with phishing, so they can get access to their accounts and before you know it they've spammed the world with this stuff," including the people applying for the jobs, he said. "It's easy to say, 'Why do people click on this stuff?' But if you've been out of work for six months and you're looking at being able to make your rent payment, and someone offers you a work-from-home job to make two grand a month, a lot of people would say, 'Hey, that's exactly what I need.' They're not asking too many questions."

It's also easy for malware to exactly spoof an email address, Sjouwerman pointed out, as he sent me an email that appeared to be from my own account. An email directly from your boss's or CEO's email address is hard to ignore.

The Best Defenses

Attacks like Dridex are hard for banks to block because they have no control over their customers' computers. They can, of course, try to stop the malware from creeping into employees' desktops. Education and two-factor authentication are the two best ways to prevent employees from clicking on malicious email attachments.

"Defense in depth starts with the outer layer — the mushy, human layer of policy, procedure and awareness," Sjouwerman said. "If you get a request from your CEO, it's OK to say no to your CEO and double-check and text or call him. You need to have a policy in place." He also advises conducting phishing tests to see if employees will click on things they shouldn't.

To fight ransomware, Sjouwerman recommends blocking all emails with .zip extensions or macros at the email gateway level. He also suggests disabling Adobe Flash Player, Java and Silverlight if possible, as these are used as attack vectors.

Fraud detection software is the next line of defense, to spot the signs of unusual activity and block fraudulent money transfers.

But perhaps the best defense against ransomware is good backup. If a company knows its files and applications are well-replicated, it can say no to a ransom demand, shut down the infected machine and start fresh on a new computer.

There are and will continue to be other threats to online banking security. Mastering a defense against Dridex could go a long way toward deflecting others.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.