Dell, FBI and NCA bring down botnet behind £20m cyber bank heist

Malware-slinging Dridex servers seized, while one arrest has been made

A pernicious malware botnet involved in the theft of 20 million from UK bank accounts has been taken down by Dell SecureWorks, the FBI, the UK National Crime Agency (NCA), and the Shadowserver Foundation.

Known as Dridex, the banking Trojan is spread through email attachments. In the past this involved an infection embedded in the attachment that would exploit vulnerabilities in the user's operating system, but recent analysis by the Dell SecureWorks Counter Threat Unit (CTU) found Dridex was being spread by macros in Microsoft Word documents, which were also delivered as attachments.

The NCA estimates that at least 20 million has been stolen by the operators of the botnet from UK bank accounts alone, with France also heavily targeted. In the US, the figure is thought to be about $10 million (6.5 million).

With the help of the NCA, FBI and Shadowserver Foundation, Dell CTU developed a strategy to poison Dridex's extensive botnet, redirecting the infected systems to a "sinkhole".

Advertisement - Article continues below
Advertisement - Article continues below

One of Dridex's so-called sub-botnets, number 220, consisted of around 4,000 bots. To put this in context, 220 is just one of 13 sub-botnets discovered so far by the researchers.

Brett Stone-Gross, one of the members of Dell SecureWorks CTU, said: "The takedown of the Gameover Zeus botnet in June 2014 as part of Operation Tovar left a void in the cybercriminal community, particularly for those targeting financial institutions."

"To fill this gap, threat actors created new botnets, including Dridex and Dyre. CTU researchers have observed a significant overlap in the tactics, techniques, and procedures (TTPs) between Gameover Zeus and bothDridex and Dyre, indicating that previous affiliates had moved on to new botnet business ventures and were continuing to carry out their fraudulent activities," he added.

Europol, GCHQ and the Moldovan authorities have also announced a "significant arrest" resulting from the disruption of Dridex, with more expected to follow. The 30-year-old man arrested was wanted by the US.

Candid Wueest, a threat researcher with Symantec, noted: "Take-downs of this kind have directly contributed to a slow-down in use of financial Trojans. Despite the criminals' best efforts, financial Trojan infections decreased by 35 percent in 2014, thanks in part to the efforts of different law enforcement agencies in cooperation with the security industry."

However, Wueest added: "It is clear that these operations have had some success but cutting off one head of the Hydra won't kill it. Whilst largescale operations and collaboration needs to continue, consumers and businesses can help armour themselves against these threats."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019

Best antivirus for Windows 10

3 Sep 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020