Dridex Malware Has Evolved To Locky Ransomware

This week, we hear the latest on the Philippines’ Elections Commission breached and Dridex Malware has evolved to steal sensitive data and deliver Locky Ransomware.

Malware

Dridex Malware has evolved to Locky Ransomware

IT security professionals have most likely heard of Dridex malware, the malicious exploit kit that made headlines in 2014 as part of a massive phishing campaign targeting online banking transactions. Dridex has since evolved and is now being used to steal banking and credit card information across the world. When it was first discovered in 2014, it mostly targeted English-speaking countries such as the UK, the US, and Australia, but it has now been seen targeting companies in Latin America and Africa.

In addition to this expansion, researchers at the Spanish security company Buguroo have discovered that Dridex is now delivering the Locky ransomware to users' computers, forcing them to pay ransoms of between 0.5 and 1 Bitcoin to decrypt their files. Buguroo reviewed Dridex over just a 10-week period and found that attackers launched multiple campaigns, compromising over 1 million credit cards across the globe. Pablo de la Riva Ferrezuelo, CTO and co-founder of Buguroo, claims that Dridex, which was supposedly shut down in late 2015 after the arrest of a Moldovan national, is now in the hands of other malicious groups, and that users should be wary of any emails containing suspicious attachments.

References: Dridex Malware Now Used For Stealing Payment Card Data | Dridex Banking Malware Now Delivering Bitcoin Ransomware | Dridex Banking Trojan Evolves Into Bitcoin Ransomware Distributor

Mitigation Strategies:

  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • IDS signatures would detect the intrusion and possible data leakage.
  • Log management could detect any suspicious user account activity.

Breach

Philippines’ Elections Commission Breached

At the end of March, the Philippines' Commission on Elections (COMELEC) website and database were breached by multiple groups, and the information gathered, including passport details and fingerprints, was released on the Internet. Initially after the breach, COMELEC reported that only its website had been affected and that most of the leaked information was public anyway, but further research last week shows that this is not correct. Based on further investigation, the data dump includes 1.3 million records of overseas Filipino voters and another 15.8 million fingerprint records, as well as a list of people who have run for office since the 2010 elections.

An alarming fact about this breach is that the entire database of 55 million voters was accessed, which could potentially make this the largest government data breach ever. Every voter in the Philippines is now much more susceptible to identity and financial fraud, and COMELEC has not yet announced how it plans to respond to the breach.

References: Attack on Philippines Election Commission Might Be The Largest Data Breach Ever | Huge data breach leaves details of 55 million Filipino voters exposed to hackers

Mitigation Strategies:

  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • IDS signatures would detect the intrusion and possible data leakage.
  • Log management could detect any suspicious user account activity.

Top 20 IP Addresses


*IP addresses provided by Recorded Future.