February 18, 2020 By Limor Kessem 6 min read

The financial malware arena became a mainstream issue a little over a decade ago with the rise of malware like the Zeus Trojan, which at the time was the first commercial banking Trojan available to the cybercrime world.

We have come a long way since, and the past decade saw banking Trojans become increasingly sophisticated, specialized and exclusive, operated by elite cybercrime gangs hailing out of Eastern Europe. But these Trojans have not only improved their code level, their stealthy inner workings and their anti-security tool evasion. Rather, the human side of the organized crime gangs who wield these Trojans has grown in sophistication, malicious motivations and the variety of monetization schemes they tie themselves to.

A chart of the most active Trojan families in this category for 2019 looks rather similar to the one we produced in the 2018 annual roundup. The list features TrickBot at the top of the chart, followed by Gozi and Ramnit. All these Trojans are operated by organized groups that offer up varying business models to other cybercrime actors, such as botnet-as-a-service schemes and distribution through compromised assets they control.

Figure 1: Top banking Trojan families per 2019 activity (Source: IBM X-Force)

The gang operating TrickBot was by far the most active crimeware group in the cybercrime arena in 2019. This activity was expressed in various aspects, including:

  • Frequency of code updates and fixes (code, version and feature evolution)
  • Frequency and scale of infection campaigns
  • Frequency and volume of attack activity
Download the report

From Bank Fraud to Ransom — All in the Millions

Banking Trojans used to focus heavily on stealing money from corporate accounts, but that goal has since been diversified. A review of the 2019 financial crime landscape marks a clear trend for the top banking Trojan gangs: These malware botnets are no longer being used solely to steal data and rob bank accounts, they also open the door to targeted, high-stakes ransomware attacks.

These combined attacks have come to be known as “big game hunting” in the security industry, since they are not designed to target individual people, but rather go after companies of all sizes, specifically so attackers can ask for larger amounts of money in ransom.

Figure 2: Banking Trojans are used in a number of ways to infect and attack victimized organizations (Source: IBM X-Force)

The anatomy of such Trojan-facilitated ransomware attacks includes multi-stage malware infection that usually begins with well-established banking Trojan botnets, continues with the spreading of ransomware through enterprise networks and ends in the eventual encryption of data on as many devices as possible.

The end game is a demand for an exorbitant ransom payment, usually measured in millions of dollars.

Figure 3: Ryuk’s big game hunting attacks feature a multi-stage infection routine (Source: IBM X-Force)

Why are attackers using so many stages to infect users instead of a direct hit with ransomware? They are doing this to have better control of the attack, to evade controls and detection, and to be able to plant the seeds of a ransomware operation that encompasses enough devices to entice victims to pay. The return on their investment of patience and planning is big: Within the span of five months, Ryuk attacks amassed well over $3.7 million for their crime gang.

Over time, as the stakes grow higher, so do the ransom demands. In an attack on nursing homes in the U.S., Ryuk ransomware operators asked for a $14 million ransom to release their hold on patient data and other assets they encrypted.

The facilitation of the ransomware phase is elaborate and contrary to common banking Trojan attacks, which can be partly automated. The propagation of the ransomware is rather manual and requires hands-on work from the attackers.

Per IBM X-Force Incident Response and Intelligence Services (IRIS), modular Trojans and some common tools paved the way in attacks we analyzed in 2019. For example, these are some of the components used in a Ryuk attack:

  • Emotet
  • TrickBot
  • PowerShell Empire
  • PowerSploit
  • CobaltStrike
  • Bloodhound

Figure 4: Big game hunting attacks feature various tools, each for a different part of the overall scheme (Source: IBM X-Force)

The Usual Suspects

Gangs that made headlines with high-stakes ransomware attacks in 2019 were also those who introduced high-stakes wire fraud attacks to the cybercrime arena in 2015. In a sense, the overarching strategy is the same, only the tactics are modified over time: target businesses for a bigger bounty.

The top examples of banking Trojans diversifying to ransomware include:

  • Dridex — Used to spread LokiBot to user devices, now deploys BitPaymer/DoppelPaymer on enterprise networks
  • GootKit — Suspected deployer of LockerGoga on enterprise networks. LockerGoga emerged in early 2019 and has since been part of crippling attacks on businesses
  • QakBot — Suspected deployer of MegaCortex on enterprise networks
  • TrickBot — Suspected deployer of Ryuk on enterprise networks

Additionally, reports from late 2019 indicate that the ITG08 (aka FIN6) group, which has historically been focused on mass theft of payment card data, has been diversifying its tactics, techniques and procedures (TTPs) as well. It now aims to include deployment of ransomware on enterprise networks. Accumulating, then selling or using stolen card data, can take time and effort in monetization, whereas a ransomware attack has the potential to net millions in one fell swoop, luring more gangs to take on the ransomware and cyber extortion route.

The Magnitude of Attacks

Measuring the illicit profits of ransomware gangs can be a challenging task. These groups demand to be paid in bitcoin, use cybercrime-approved cryptocurrency blenders — which split and move coins through numerous cryptocurrency wallets, usually over Tor connection, to prevent blockchain analysis from being able to track coins back to their originator or recipient — and rely on a network of money laundering rings to hide their bottom lines.

One way to gauge the scale is to look at headlines from organizations that publicize the attack’s details, or information from law enforcement who receive official complaints from affected parties.

  • July 2019 — A Ryuk attack on the city of New Bedford, Massachusetts, demanded $5.3 million to decrypt data. The city declined to pay. Ryuk is linked with the TrickBot Trojan gang.
  • August 2019 — A community hospital hit by an unnamed ransomware strain took the FBI’s advice and refused to pay the $1 million ransom demand.
  • August 2019 — Simultaneous ransomware attacks on 22 Texas state government municipalities reportedly demanded a $2.5 million payout to unlock infected systems.
  • October 2019 — Ryuk hit hospitals in the U.S., who unfortunately had to pay an undisclosed ransom to the attackers to restore systems quickly.
  • November 2019 — A Mexican national oil company, Pemex, refused to pay a ransom of $5 million to attackers who infected its corporate networks. Pemex was infected by the DoppelPaymer ransomware, a strain that shares most of its code with the BitPaymer ransomware that’s known to be affiliated with Dridex.
  • November 2019 — Ryuk hit a tech provider of nursing homes in the U.S., demanding $14 million in bitcoin to restore access to data.
  • November 2019 — Prosegur, a Spanish multinational cash logistics and private security company, was hit by a Ryuk attack. The company took its IT systems offline, but did not disclose the ransom amount.

The list goes on, as do attacks and ransom demands, which apparently are set up according to the perceived ability of the victimized organization to pay up. These examples focus on groups that are linked with banking Trojans, and do not encompass the full gamut of organized gangs that use ransomware as a way to extort organizations.

Ransom for Ransom — $5 Million Bounty Announced for ‘Evil Corp’ Chief

This high-stakes, high-value activity from major cybercrime gangs draws a lot of attention from law enforcement. In December 2019, a public announcement surfaced with a bounty of $5 million placed on the heads of ‘Evil Corp’ masterminds, Maksim Yakubets of Moscow and Igor Turashev from Yoshkar-Ola, Russia. The two have been charged with developing and spreading the Dridex banking Trojan. In a press release from December 5, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) called Evil Corp “one of the world’s most prolific cybercriminal organizations” and “one of the main financial threats faced by businesses.”

To combat the threat of banking Trojans and ransomware, organizations should stay up to date with the rapidly evolving threat landscape by utilizing the latest threat intelligence. Companies should also ensure the security of users’ identities on company networks and across the internet.

Download the latest X-Force Threat Intelligence Index

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today