Tuesday, March 15, 2016

Deadly Dridex Gang Muscles Into Ransomware Racket

March 15, 2016 -- Ransomware is moving rapidly into the malware mainstream. One of the driving factors is the high dollar numbers being racked up by the notorious Dridex banking Trojan gang, which has muscled into ransomware with its new Locky strain. Locky was linked to the Dridex gang by IT security companies Palo Alto Networks and Proofpoint. The Russian Dridex group operates the most prominent banking malware and has now taken over the lead from CryptoWall.

According to KnowBe4 CEO Stu Sjouwerman, “Ransomware is seeing unprecedented growth with cyber-gangs competing for criminal market share. This competition has spurred furious innovation in strategy and tactics and we see ransomware taking the lead in criminal business models. It isn’t going to get easier. The only way around these tactics is to recognize the Red Flags and inoculate your employees with effective security awareness training and simulated phishing tests.”

The Dridex Locky ransomware strain isn't more sophisticated than other latest-generation crypto-ransomware, but it is spreading to victim systems rapidly. Forbes claims Locky is infecting approximately 90,000 systems per day (that’s over 1 per second), and it typically asks users for 0.5-1 Bitcoin (~420 dollars) to unlock their systems. Locky is disseminated through phishing emails carrying Microsoft Word attachments. Each Locky binary is reportedly uniquely hashed; consequently, signature-based detection by a traditional antivirus product is nearly impossible.

The Dridex gang is the 800-pound gorilla of banking Trojans. Apparently they have seen the profit potential of ransomware and leveraged their extensive criminal infrastructure to get their Locky strain onto as many machines as possible. Consequently, financial institutions are likely the next major sector to be actively targeted. The FBI just stated, in an interview with the WSJ, that the threat from ransomware is expected to grow.

In the past few days, the Dridex botnet has sent at least 4 million phishing emails with a zip file as the attachment. The zip file contains a JavaScript file which downloads and installs Locky.

What to do about it
1. Block any and all emails carrying .zip attachments or macro-enabled documents at your email gateway.
2. Disable Adobe Flash Player, Java and Silverlight if possible. All three are used as attack vectors.
3. Step all employees through effective security awareness training, so they can recognize the red flags related to ransomware attacks.
4. Print out this free job aid, laminate it, and hand it out to employees so they can pin it on their wall.
5. Do a phishing security test on your users and find out if they are going to click on something they shouldn't.
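The gateway rule in item 1 is worth seeing in code, because it shows why it keeps working even though every Locky binary is uniquely hashed: it inspects the attachment's structure, not its hash. The script below is an added example, not code from the article, from KnowBe4, or from any vendor it cites. It parses a raw email with Python's standard library, opens each zip attachment, and blocks the message if an archive member is a script file (the lure described above was a .zip holding a JavaScript downloader) or if an Office document contains a VBA macro project. The sample message is constructed inline; the extension lists, function names and block reasons are my own assumptions, and legacy binary Office formats (.doc/.xls) are not parsed here.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script/executable extensions often seen inside malicious archives.
# Assumed list for this example; tune it to your environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
# Modern Office formats that declare macro support in their extension.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}


def _ext(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, data):
    """Return a list of reasons to block this attachment (empty list = allow)."""
    reasons = []
    ext = _ext(filename)
    # Both plain zips and OOXML documents (.docx/.xlsm/...) start with 'PK'.
    if ext == ".zip" or data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return ["attachment looks like an archive but is not a valid zip"]
        # An OOXML document carries its VBA code in word/vbaProject.bin etc.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document contains a VBA macro project")
        for n in names:
            if _ext(n) in SCRIPT_EXTENSIONS:
                reasons.append(f"archive member {n!r} is an executable script")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office format {ext}")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message; return {filename: [reasons]} for attachments to block."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(fname, data)
        if reasons:
            verdicts[fname] = reasons
    return verdicts


def build_sample_message():
    """Construct a lure-shaped message (not a captured sample): a zip holding a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed placeholder content; it is not a downloader.
        zf.writestr("invoice_0315.js", "// constructed placeholder\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice_0315.zip")
    # A benign attachment for contrast; it should pass.
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(f"BLOCK {name}: {'; '.join(why)}")
```

Running it blocks only invoice_0315.zip, with the reason that its member invoice_0315.js is a script, while terms.pdf passes. Because the decision rests on the attachment's container type and contents rather than on a hash of the final payload, repacking or re-hashing the downloader does not evade it; the trade-off is that a blanket .zip block also stops legitimate archives, which is why the article's advice pairs it with user awareness training.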

SOURCE:  Michael Becce, MRB Public Relations, Inc.