On Feb. 6, 2016, Reuters broke an exclusive story about what appears to be a law enforcement raid that may have ended the activity of the cybercrime gang operating the Dyre banking Trojan. The story was followed up by a Forbes article with hints about arrests in the top echelon of the Dyre crew and a possibility that the malware’s source code was leaked.

Reuters reports that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called “Botnet,” loosely based on a 2010 cybercrime case.

Who executed the raid? 25th Floor’s CEO declined to comment on the case. A spokesman for the Russian Interior Ministry’s cybercrime unit denied involvement in the case. And the FSB, Russia’s main intelligence service, had no comment to offer reporters. The investigation was apparently aided by Moscow-based Kaspersky Lab; the security vendor reportedly plans to unveil details about the case in an annual user conference this week.

In the interim, security professionals and past victims of the gang operating the Dyre Trojan await news on what seems to be the genuine disruption of a major organized cybercrime ring that has robbed financial institutions of millions of dollars in the past two years.


Gone Since November?

As details of the investigation aren’t yet public, here’s what we know about Dyre’s current status based on IBM Security insights gleaned from across the globe.

IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most.

Beyond the drop in new infections, which signaled the halt of the spam and exploit kit campaigns that delivered the malware, Dyre’s configuration update servers and its real-time web injection server were both disconnected from the Internet, and the malware stopped generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark.

Figure 1: Dyre attacks declined, then fell flat in late November 2015. (Source: IBM Trusteer)

It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November.

What’s Next for Dyre?

Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data.

If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. Beyond its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities.

Since its emergence in 2014, Dyre has been used by its malevolent owners to defraud banks and their customers of many millions of dollars. In early 2015, Dyre was involved in multiple Dyre Wolf cases, robbing companies of sums that ranged from $500,000 to $1.5 million each. In May 2015, Dyre was implicated in the theft of $5.5 million from Irish budget airline Ryanair.

A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks, especially in the U.K., the U.S., Australia, Spain and other parts of Europe. But Dyre’s absence will also give a bigger market share to other malware such as Dridex. According to IBM X-Force researchers, Dridex has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid.

Rumors of a possible Dyre source code leak remain unconfirmed.
