One of the world’s most infamous cyber crime gangs has created custom-made ransomware for victims, blackmailing them for millions of pounds.
The Dridex group has spent years targeting financial institutions, among others, using viruses to spy on victims and then authorise fraudulent transfers from their corporate accounts.
But as banks have got better at spotting dodgy transactions, the group has switched tactics, according to security researchers at Fox-IT.
“They know the victim’s net worth but instead of doing a financial transaction for the money, they extort the victim for that same or similar amount of money,” said Fox-IT’s principal security expert Michael Sandee.
Ransomware scrambles a victim’s files before demanding a payment to unscramble them, and Sandee’s team have seen ransomware tailor-made for individual victims. The hackers used “dark web” sites to make the demands, the amounts of which varied according to the size of the target’s bank balance.
“They… had a dark web site that had the information of that specific victim, it was compiled just for that victim, so it was a specific URL,” said Sandee, who claims the hackers have begun targeting UK companies in the last few years.
The Dridex group usually gains access to victims by sending phishing emails loaded with a virus which, when triggered, enables them to see all the activity on a victim’s computer. Traditionally they watched how the victim made payments and then copied that process to sneak through fraudulent transactions.
The group’s activity was disrupted in October 2015 when the FBI captured some of its infrastructure and jailed one of its members. But Fox-IT, NCC Group’s Netherlands subsidiary, says the gang is still active.
They tended to use ransomware as a last resort when they had exhausted other profitable options, because the extortion demand immediately tips off a victim to the hack, rather than allowing the hackers to remain hidden.
But Fox-IT believes Dridex hackers are now going straight to ransomware, using their backdoor access to work out how to smuggle the ransomware infection through the victim’s system. The ransomware is encrypted before it is sent, and the hackers are tailor-making the encryption too.
“They knew which anti-virus [software] was running at each victim, and they asked the person who does the encrypting to protect it against this specific anti-virus family to make sure that it doesn’t detect that specific sample,” said Sandee.
Fox-IT claims there have been at least 200 successful attacks, demanding ransoms of between £15,000 and £300,000. They believe the total number of attacks may be much higher.
Companies have been advised that making back-ups of their data can help them recover from a ransomware attack. But an email from Dridex shared with Forbes showed the hackers are specifically targeting back-up drives that are connected to the victim’s network.