Dridex: What You Need to Know About the £20 Million-Stealing Malware

The U.K.'s National Crime Agency (NCA) has warned U.K. citizens that they could be victims of an international cyberscam that could have already stolen 20 million pounds ($30.9 million) from British bank accounts.

The malware, which is principally known as Dridex but also called Bugat and Cridex, is believed to have originated from hackers in Eastern Europe. The criminals behind the virus are now being hunted by the NCA, together with the FBI in the U.S., where the Department of Justice announced on Tuesday that a Moldovan hacker had been arrested.

Europol, the European Union's law enforcement agency, is also providing assistance in Europe, as well as German and Moldovan authorities and private computer security companies.

Newsweek spoke to Alan Woodward, a computing professor at the University of Surrey and advisor to Europol on cybercrime, about why this piece of malware has drawn the attention of some of the world's most powerful legal administrations.

What is Dridex?

Dridex is a form of malware (malicious software) that is spread via phishing emails, where recipients open infected documents or attachments to apparently legitimate emails. The malware infects the recipient's computer and waits for the user to log in to their online banking account, from where it steals usernames and passwords and enables criminals to hack into the accounts and steal money. According to Woodward, the virus also commandeers the host computer to become part of a botnet—an army of so-called 'zombie' computers that have been programmed to forward on spam emails containing the malware. Dridex uses a peer-to-peer (P2P) method of transmission, whereby infected computers communicate with each other rather than with a central control hub, making it difficult for law enforcement authorities to trace the virus back to its source.

How much has it stolen?

It is difficult to put a total figure on funds lost to Dridex. The NCA's estimate of 20 million pounds ($30.9 million) is "conservative," an NCA spokesperson told The Guardian. The FBI estimated that at least $10 million has been lost directly to the malware, but tech site ZDNet reported that Dridex is built to infect computers in up to 27 countries, including France, Germany, India and China.

In its press release about the arrest of the Moldovan hacker, Andrey Ghinkul, the U.S. Department of Justice said that the malware had been used in December 2011 in a bid to steal $999,000 from a public school administrative body in Pennsylvania. The release also stated that Ghinkul and his co-hackers had successfully transferred a combined $3.59 million from Peneco Oil accounts in three separate transactions between August and September 2012 after obtaining the bank information via a phishing email sent to a Peneco employee.

Who is behind Dridex?

Ghinkul—who is also known as Smilex and is suspected of being one of the Dridex botnet administrators—is the only recorded arrest made in connection with Dridex so far. He was arrested in Cyprus in August and the U.S. is seeking his extradition.

The hackers behind Dridex are believed to be a group known as Evil Corp, according to Forbes. Evil Corp were linked to Gameover Zeus, a similar malware operation headed by hacker Evgeniy Mikhailovich Bogachev, who had a $3 million FBI bounty placed on his head in February. Gameover Zeus infected 1 million computers, stealing more than $100 million from individuals and businesses in the U.S. and elsewhere.

The NCA and FBI are now undertaking a so-called "sinkholing" operation, which Woodward describes as working with internet service providers (ISPs) to track the stolen data and stop infected machines from communicating with the hackers' control center.

Who is Dridex targeting?

"Anybody with a bank account," Woodward says. The Europol cybercrime advisor says that while there have been attempts at major heists using Dridex—such as those detailed in Ghinkul's arrest statement—the malware thrives by stealing small amounts from many people. "If you have enough people infected, you only need to steal a couple of pounds from each person and suddenly you've made millions of pounds," Woodward says.

He adds that this little-and-often approach makes international cooperation between different crime-fighting agencies all the more important. "It's organizations like the NCA and Europol that see the big picture first, they start to see patterns develop. An individual bank or police force might be getting reports of fraud, but it might not look terribly important because they're relatively small sums," Woodward says.

How do I protect myself from Dridex?

The NCA has advised users to ensure that their machines are running up-to-date software and that they have adequate anti-virus software installed. British users should visit CyberStreetWise and GetSafeOnline to ensure their computers are secure and contact Action Fraud if they believe they may have been defrauded. The U.S. Computer Emergency Readiness Team (CERT) also advised users to change passwords regularly to reduce the chances of being hacked.

Users should not open attachments, particularly Microsoft Word and Excel files, from unrecognized or suspicious email addresses, and should disable macros in Microsoft Office, or set Office to ask for permission before running them. According to Woodward, the advice can be summed up in three simple steps: "ABC: assume nothing, believe no one and check everything."
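The macro advice above can be checked and applied on a Windows machine with a short PowerShell script. This is an added example, not part of the article or of any NCA or Microsoft guidance; it assumes Office 2010, 2013 or 2016 (registry versions 14.0 to 16.0) and uses the per-user VBAWarnings registry value that Word and Excel read for their macro security level.

```powershell
# Added example: audit (and optionally harden) Office macro settings for the current user.
# VBAWarnings values: 1 = enable all macros, 2 = disable with notification (prompt
# before running), 3 = disable except digitally signed, 4 = disable all, no notification.
# Assumption: Office versions 14.0-16.0; other versions need their number added below.
param(
    [switch]$Fix,        # apply the recommended setting instead of only reporting
    [int]$Desired = 2    # 2 = ask for permission before running, as the article advises
)

$apps     = 'Word', 'Excel'
$versions = '14.0', '15.0', '16.0'
$labels   = @{ 1 = 'Enable all macros (dangerous)';   2 = 'Disable with notification'
               3 = 'Disable except digitally signed'; 4 = 'Disable all, no notification' }

foreach ($v in $versions) {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
        if (-not (Test-Path $key)) { continue }   # this Office version/app is not installed

        $current = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $current) {
            $shown  = '-'
            $status = 'Not set (Office default applies)'
        } else {
            $shown  = $current
            $status = $labels[[int]$current]
        }
        Write-Output ("{0,-6} {1,-5} VBAWarnings={2,-3} {3}" -f $app, $v, $shown, $status)

        # A Group Policy value at HKCU:\Software\Policies\... overrides this one; report it so
        # an administrator knows a domain policy is already in force.
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
        $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $policy) { Write-Output "       policy override: VBAWarnings=$policy ($($labels[[int]$policy]))" }

        # Only tighten: change the value when macros are fully enabled or not configured,
        # and leave stricter settings (3 or 4) alone.
        if ($Fix -and ($null -eq $current -or [int]$current -eq 1)) {
            Set-ItemProperty -Path $key -Name VBAWarnings -Value $Desired -Type DWord
            Write-Output "       -> set VBAWarnings to $Desired ($($labels[$Desired]))"
        }
    }
}
```

Run it without arguments to see the current state; run it with `-Fix` to set any permissive or unconfigured application to prompt before running macros.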