EC3 in cooperative action to target Dridex banking malware

News by SC Staff

EC3, NCA, FBI and a range of other bodies have targeted the Dridex banking malware, including using a sinkhole operation to sever communications between infected botnets and their controlling cyber-criminals.

Europol's European Cybercrime Centre (EC3) is working with the UK's National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI) and the Shadowserver Foundation to help bring down Dridex banking malware, which EC3 says is believed responsible for £20 million of estimated losses in the UK and £6.5 million (US$10 million) in the US. Dridex, considered a sophisticated successor to Cridex banking malware, comes out of Eastern Europe, and targets online banking details; it has hit a variety of different payment systems breaching tens of thousands of organisations across 27 countries internationally.

Users are infected with Dridex malware through opening infected documents in phishing emails, usually while running Windows.

EC3, the Joint Cybercrime Action Taskforce, and various international law enforcement agencies and private partners (see below), are currently taking action against the malware with moves including the NCA and FBI both seeking to 'sinkhole' the malware, ‘poisoning'  its network of controlled computers, and so stopping its botnets from communicating with their command and control servers.

The US Department of Justice has also announced 30-year-old Andrey Ghinkul, known as Smilex, was arrested in Cyprus this August on suspicion of being the administrator of the Dridex botnet. The US is seeking his extradition. And Forbes reports Mike Hulett, head of operations at the NCA's National Cyber Crime Unit (NCCU) saying: “Our investigation is ongoing and we expect further arrests to made.”

In response to the announcement Kevin Epstein, VP of Threat Operations at Proofpoint emailed to comment: "Dridex has been the dominant document attachment-based malware over the last year--it accounted for more than 90 percent of such malware, and impacted organisations of all sizes. It was not unusual to see multiple campaigns per day, many consisting of millions of emails at a time. Mainly designed to steal banking credentials, Dridex was distributed by multiple botnets. Proofpoint observed a complete cessation of Dridex distribution for 30 days following the recent arrest of a reported botnet administrator. Campaigns have resumed in the past weeks and it's clear that Dridex isn't over. We are back to seeing daily campaigns that distribute millions of emails." 

In an another email to, David Emm, principle security researcher, Kaspersky Lab concurs, adding: “Although the FBI and National Crime Agency are conducting ongoing investigations, it is vital that we all take responsibility and remain extra vigilant of any suspect activity, reporting it immediately for the fight against cyber-crime. We recommend home and business users ensure their systems are scanned for the malware and patched where necessary, immediately use internet security protection software for any future attacks, don't click on any suspicious emails or links and ensure passwords remain as secure as possible.  Exploiting vulnerabilities in our passwords is a top priority for hackers and they are therefore often our first line of defence when it comes to protecting online transactions. In light of this recent attack, we need to make sure any passwords are changed and that we never use the same username and password on several different sites, as this is key to giving cybercriminals easy access to bank and ecommerce accounts.”

For Gerard Bauer, VP EMEA of Vectra Networks, one of the key lessons is the need for detection, telling SC: "The fact that Dridex has already siphoned £20 million from the UK shows that prevention is nice to have, but detection is a must. Today's organisations need to instead find ways to quickly intervene, minimise the time they are exposed and reduce the impact of cyberthreats. The good news is that in today's innovation era, we have technologies like machine learning and data science that can enable the discovery of future ‘unknowns', including new attach methodologies – all in real time.”

David Kennerley, senior manager for threat research at cyber-security firm Webroot emailed to comment about the scale of Dridex banking theft, saying: “Financial services is one of the most targeted sectors for malware due to the lucrative gains for hackers. This news follows on from the 385 million email addresses that were targeted by Dridex earlier in September. Attacks like these highlight the fact that no organisation is immune and that businesses really need to focus on educating employees.

"Comprehensive security systems are the first step, but prevention though knowledge is the key to stemming the onslaught of attacks we are seeing. Remember the delivery mechanism for Dridex is a simple email with a macro enabled attachment – as old school as it gets!”

George Quigley, partner in KPMG's Cyber Security practice, agrees, but notes that for the Dridex malware to be installed, macros must be enabled in the attachments, but given that Microsoft disables this by default, users need to enable macros for the malware to be installed – which many victims enable do, thus allowing the malware to install. His advice is very much standard anti-phishing best practice. He told SC: “Consumers really need to be extra vigilant with emails. In order to deal with this, people really shouldn't open emails that have attachments that they don't recognise, they should just delete them. If an email appears to come from a legitimate organisation, recipients should verify it with them first. More importantly, users need to make sure they have provisions in place to detect viruses and malware. Having an anti-virus and anti-malware solution is a must and keeping it up to date is as important. The same rule applies to the operating system; people need to make sure they have the latest software and operating system updates.”

Anyone who suspects they may be infected can download specialist disinfection software from visit or

In addition to EC3, the  FBI, NCA, and Shadowserver Foundation, Forbes says that other participants in the sinkhole programme include GCHQ, the Metropolitan Police Service, the BKA police service in Germany and Moldovan authorities as well as Dell SecureWorks, Fox-IT and S21sec,, and Spamhaus.

Separately, last week EC3 was involved in a successful takedown of cyber-criminals operating an online airline ticket scam. 50 members of this organised crime group suspected of payment card fraud were arrested in Operation Travel, led by the Romanian Police (Brigada de Combatere a Criminalitatii Organizate Craiova) supported by EC3 and the Italian State Police (Servizio di Polizia Postale e delle Comunicazioni.)

Illegally obtained credit card credentials were used by the criminals advertising the sale of fake plane tickets on the Internet. Digital evidence, including computers, mobile phones, SIM cards, memory cards and documents were seized in a series of raids on the criminals. The proceeds from the online fraud were also used to facilitate other crimes.

Europol's deputy director operations Wil van Gemert said in a press statement: "This coordinated action is yet another excellent example of how the combined forces of European law enforcement agencies, the IATA and the private sector are capable of severely disrupting criminal syndicates who rely on the outdated assumption that they are beyond the reach of law in cyber-space. Multi-stakeholder cooperation is essential to prove these cyber-criminals wrong, and support the airline industry in combating online fraudulent schemes."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews