Dridex Authors Build New Ransomware

The authors of the infamous Dridex banking Trojan have created a sophisticated ransomware family, ESET warns.

Around since 2014, Dridex has been one of the most prolific financial threats over the past several years, and the actors behind it have been constantly adopting new techniques, improving their malware, and changing resources to ensure increased efficiency.

Thus, it did not come as much of a surprise when the Locky ransomware was tied to Dridex two years ago, when ransomware was booming. Locky quickly became a top threat and attracted a great deal of attention from the security community, and its developers tried alternatives such as Bart in 2016 and Jaff in May 2017.

Now, security researchers have tied yet another ransomware family to the Dridex authors, namely FriedEx, which is also known as BitPaymer.

This ransomware was initially discovered in July 2017 and made it to the headlines in August, when it infected NHS hospitals in Scotland.

Mainly focused on high-profile targets and companies rather than end users, the malware is typically delivered via Remote Desktop Protocol (RDP) brute-force attacks. Once it has infected a system, the malware encrypts each file with a randomly generated RC4 key; that key is in turn encrypted with a hardcoded 1024-bit RSA public key and saved in a .readme_txt file.

While analyzing FriedEx, ESET discovered that its code resembles that of Dridex. The ransomware also uses the same techniques as the banking Trojan to hide as much information about its behavior as possible.

The malware “resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis,” ESET explains.

The researchers discovered that the very same part of the function used for generating the UserID, present across all Dridex binaries, can be found in the FriedEx binaries as well. The order of the functions is the same in binaries of both malware families, which suggests they share a codebase or a static library.

Both Dridex and FriedEx use the same malware packer, but that is not proof that they are connected, since other well-known families like QBot, Emotet or Ursnif also use it.

ESET also discovered that samples of both Dridex and FriedEx include PDB (Program Database) paths, which revealed that their binaries are being built in the same, distinctively named directory. The binaries of both Dridex and FriedEx are compiled in Visual Studio 2015.

Some binaries from both projects share the same compilation date, and the researchers say this isn't a coincidence. The samples differ in compile time by several minutes at most and contain identical randomly generated constants (these constants change with each compilation to hinder analysis), which suggests they were probably built during the same compilation session.
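The PDB-path and compile-timestamp correlation described above can be scripted for sample triage. The following is an added example, not ESET's tooling: it reads the COFF timestamp and the CodeView PDB path out of PE images, then clusters samples that share a build directory and were compiled within minutes of each other. The sample blobs, paths and timestamps are constructed placeholders, and the RSDS search is a heuristic that assumes one CodeView record per file.

```python
import struct
from collections import defaultdict

def pe_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp (seconds since the Unix epoch) from the PE header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def pdb_path(data: bytes):
    """Heuristic: the NUL-terminated path after the first CodeView RSDS record."""
    i = data.find(b"RSDS")
    if i < 0:
        return None
    start = i + 24  # 'RSDS' + 16-byte GUID + 4-byte age
    return data[start:data.index(b"\0", start)].decode("ascii", "replace")

def cluster_builds(samples: dict, max_gap: int = 600) -> list:
    """Group samples that share a PDB build directory and compile times within max_gap seconds."""
    by_dir = defaultdict(list)
    for name, data in samples.items():
        if p := pdb_path(data):
            folder = p.replace("\\", "/").rsplit("/", 1)[0]  # drop the file name
            by_dir[folder].append((pe_timestamp(data), name))
    clusters = []
    for folder, items in by_dir.items():
        items.sort()
        cur = [items[0]]
        for t, n in items[1:]:
            if t - cur[-1][0] > max_gap:  # too far apart: start a new cluster
                clusters.append((folder, [n for _, n in cur]))
                cur = []
            cur.append((t, n))
        clusters.append((folder, [n for _, n in cur]))
    return clusters

def fake_pe(ts: int, pdb: str) -> bytes:
    """Constructed minimal PE-like blob; only the fields parsed above are meaningful."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, ts) + b"\0" * 12
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb.encode() + b"\0"
    return bytes(hdr) + coff + rsds

SAMPLES = {  # constructed samples: paths and timestamps are placeholders, not real indicators
    "banker_1": fake_pe(1_500_000_000, "C:\\lab\\SharedBuild\\banker.pdb"),
    "ransom_1": fake_pe(1_500_000_180, "C:\\lab\\SharedBuild\\ransom.pdb"),
    "other_1": fake_pe(1_400_000_000, "C:\\lab\\Other\\tool.pdb"),
}
```

Running `cluster_builds(SAMPLES)` groups the two placeholder samples built three minutes apart in the same directory and leaves the third on its own; on real files, feed it the bytes of each sample instead of `fake_pe` output.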

“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers. This discovery gives us a better picture of the group’s activities – we can see that the group continues to be active and not only consistently updates their banking Trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware “trends”, creating their own ransomware,” ESET says.

Related: Dridex Campaign Abuses FTP Servers

Related: Survival of the Fittest: Why Locky Ransomware is Back

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
