The financial malware arena became a mainstream issue a little over a decade ago with the rise of malware like the Zeus Trojan, which at the time was the first commercial banking Trojan available to the cybercrime world.

We have come a long way since, and the past decade saw banking Trojans become increasingly sophisticated, specialized and exclusive, operated by elite cybercrime gangs hailing out of Eastern Europe. But these Trojans have not only improved their code level, their stealthy inner workings and their anti-security tool evasion. Rather, the human side of the organized crime gangs who wield these Trojans has grown in sophistication, malicious motivations and the variety of monetization schemes they tie themselves to.

A chart of the most active Trojan families in this category for 2019 looks rather similar to the one we produced in the 2018 annual roundup. The list features TrickBot at the top of the chart, followed by Gozi and Ramnit. All these Trojans are operated by organized groups that offer up varying business models to other cybercrime actors, such as botnet-as-a-service schemes and distribution through compromised assets they control.

Figure 1: Top banking Trojan families per 2019 activity (Source: IBM X-Force)

The gang operating TrickBot was by far the most active crimeware group in the cybercrime arena in 2019. This activity was expressed in various aspects, including:

• Frequency of code updates and fixes (code, version and feature evolution)
• Frequency and scale of infection campaigns
• Frequency and volume of attack activity

From Bank Fraud to Ransom — All in the Millions

Banking Trojans used to focus heavily on stealing money from corporate accounts, but that goal has since been diversified. A review of the 2019 financial crime landscape marks a clear trend for the top banking Trojan gangs: These malware botnets are no longer being used solely to steal data and rob bank accounts, they also open the door to targeted, high-stakes ransomware attacks.

These combined attacks have come to be known as “big game hunting” in the security industry, since they are not designed to target individual people, but rather go after companies of all sizes, specifically so attackers can ask for larger amounts of money in ransom.

Figure 2: Banking Trojans are used in a number of ways to infect and attack victimized organizations (Source: IBM X-Force)

The anatomy of such Trojan-facilitated ransomware attacks includes multi-stage malware infection that usually begins with well-established banking Trojan botnets, continues with the spreading of ransomware through enterprise networks and ends in the eventual encryption of data on as many devices as possible.

The end game is a demand for an exorbitant ransom payment, usually measured in millions of dollars.

Figure 3: Ryuk’s big game hunting attacks feature a multi-stage infection routine (Source: IBM X-Force)

Why are attackers using so many stages to infect users instead of a direct hit with ransomware? They are doing this to have better control of the attack, to evade controls and detection, and to be able to plant the seeds of a ransomware operation that encompasses enough devices to entice victims to pay. The return on their investment of patience and planning is big: Within the span of five months, Ryuk attacks amassed well over $3.7 million for their crime gang.

Over time, as the stakes grow higher, so do the ransom demands. In an attack on nursing homes in the U.S., Ryuk ransomware operators asked for a $14 million ransom to release their hold on patient data and other assets they encrypted.

The facilitation of the ransomware phase is elaborate and contrary to common banking Trojan attacks, which can be partly automated. The propagation of the ransomware is rather manual and requires hands-on work from the attackers.

Per IBM X-Force Incident Response and Intelligence Services (IRIS), modular Trojans and some common tools paved the way in attacks we analyzed in 2019. For example, these are some of the components used in a Ryuk attack:

• Emotet
• TrickBot
• PowerShell Empire
• PowerSploit
• CobaltStrike
• Bloodhound

Figure 4: Big game hunting attacks feature various tools, each for a different part of the overall scheme (Source: IBM X-Force)

The Usual Suspects

Gangs that made headlines with high-stakes ransomware attacks in 2019 were also those who introduced high-stakes wire fraud attacks to the cybercrime arena in 2015. In a sense, the overarching strategy is the same, only the tactics are modified over time: target businesses for a bigger bounty.

The top examples of banking Trojans diversifying to ransomware include:

• Dridex — Used to spread LokiBot to user devices, now deploys BitPaymer/DoppelPaymer on enterprise networks
• GootKit — Suspected deployer of LockerGoga on enterprise networks. LockerGoga emerged in early 2019 and has since been part of crippling attacks on businesses
• QakBot — Suspected deployer of MegaCortex on enterprise networks
• TrickBot — Suspected deployer of Ryuk on enterprise networks

Additionally, reports from late 2019 indicate that the ITG08 (aka FIN6) group, which has historically been focused on mass theft of payment card data, has been diversifying its tactics, techniques and procedures (TTPs) as well. It now aims to include deployment of ransomware on enterprise networks. Accumulating, then selling or using stolen card data, can take time and effort in monetization, whereas a ransomware attack has the potential to net millions in one fell swoop, luring more gangs to take on the ransomware and cyber extortion route.

The Magnitude of Attacks

Measuring the illicit profits of ransomware gangs can be a challenging task. These groups demand to be paid in bitcoin, use cybercrime-approved cryptocurrency blenders — which split and move coins through numerous cryptocurrency wallets, usually over Tor connection, to prevent blockchain analysis from being able to track coins back to their originator or recipient — and rely on a network of money laundering rings to hide their bottom lines.

One way to gauge the scale is to look at headlines from organizations that publicize the attack’s details, or information from law enforcement who receive official complaints from affected parties.

• July 2019 — A Ryuk attack on the city of New Bedford, Massachusetts, demanded $5.3 million to decrypt data. The city declined to pay. Ryuk is linked with the TrickBot Trojan gang.
• August 2019 — A community hospital hit by an unnamed ransomware strain took the FBI’s advice and refused to pay the $1 million ransom demand.
• August 2019 — Simultaneous ransomware attacks on 22 Texas state government municipalities reportedly demanded a $2.5 million payout to unlock infected systems.
• October 2019 — Ryuk hit hospitals in the U.S., who unfortunately had to pay an undisclosed ransom to the attackers to restore systems quickly.
• November 2019 — A Mexican national oil company, Pemex, refused to pay a ransom of $5 million to attackers who infected its corporate networks. Pemex was infected by the DoppelPaymer ransomware, a strain that shares most of its code with the BitPaymer ransomware that’s known to be affiliated with Dridex.
• November 2019 — Ryuk hit a tech provider of nursing homes in the U.S., demanding $14 million in bitcoin to restore access to data.
• November 2019 — Prosegur, a Spanish multinational cash logistics and private security company, was hit by a Ryuk attack. The company took its IT systems offline, but did not disclose the ransom amount.

The list goes on, as do attacks and ransom demands, which apparently are set up according to the perceived ability of the victimized organization to pay up. These examples focus on groups that are linked with banking Trojans, and do not encompass the full gamut of organized gangs that use ransomware as a way to extort organizations.

Ransom for Ransom — $5 Million Bounty Announced for ‘Evil Corp’ Chief

This high-stakes, high-value activity from major cybercrime gangs draws a lot of attention from law enforcement. In December 2019, a public announcement surfaced with a bounty of $5 million placed on the heads of ‘Evil Corp’ masterminds, Maksim Yakubets of Moscow and Igor Turashev from Yoshkar-Ola, Russia. The two have been charged with developing and spreading the Dridex banking Trojan. In a press release from December 5, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) called Evil Corp “one of the world’s most prolific cybercriminal organizations” and “one of the main financial threats faced by businesses.”

To combat the threat of banking Trojans and ransomware, organizations should stay up to date with the rapidly evolving threat landscape by utilizing the latest threat intelligence. Companies should also ensure the security of users’ identities on company networks and across the internet.