Security Experts:

Connect with us

Hi, what are you looking for?



Dridex Still Active After Takedown Attempt

Law enforcement authorities in the U.S. and Europe, and several private security firms have launched an operation aimed at the Dridex botnet, but the threat still appears to be active.

Law enforcement authorities in the U.S. and Europe, and several private security firms have launched an operation aimed at the Dridex botnet, but the threat still appears to be active.

Dridex, a successor of the Cridex Trojan, is said to have caused losses totaling $40 million in the United States and the United Kingdom after helping cybercriminals steal personal and financial information from users.

Dell SecureWorks, one of the security firms involved in the takedown operation, reported last week that each Dridex sub-botnet’s peer-to-peer (P2P) network was poisoned and infected systems were redirected to a sinkhole. Additionally, the FBI announced the arrest of a Dridex botnet administrator, 30-year-old Moldovan national Andrey Ghinkul, and charges brought against several other suspects.

Despite the takedown effort, Dridex is still active. Less than 48 hours after law enforcement authorities announced disrupting the botnet, Proofpoint researchers spotted a spam run distributing Dridex, mainly aimed at users in the United Kingdom.

Kevin Epstein, VP of Threat Operations at Proofpoint, told SecurityWeek that the variant distributed in this email campaign communicated with the sub-botnet dubbed “220,” which according to Dell SecureWorks, contained roughly 4,000 active bots, mostly located in Western Europe (France, U.K.).

“The initial campaign was significantly smaller than campaigns of the last weeks — only about 10% of their size — potentially indicating that attackers are still testing the stability of their control over that C&C network,” Epstein explained.

“It’s not clear Dridex ever ‘left’. While there was what appears to have been a brief disruption in the ‘220’ command and control network, it does not appear that the email distribution (phish-sending) botnet was impacted, nor other C&C networks, nor the Dridex malware itself,” Epstein added. “Since Dridex has been a successful tool for attackers to steal credentials for banking, CRM, supply chain, and intellectual property repositories, it seems likely that attackers will keep using it.”

However, Dr. Brett Stone-Gross, senior security researcher with the Dell SecureWorks Counter Threat Unit, said that the entire botnet was sinkholed and the criminal infrastructure was taken down.

“A new Dridex botnet was recreated from scratch which took the criminal operators more than 3 weeks and so far only one affiliate is active,” Stone-Gross, who headed his company’s participation in the Dridex botnet takeover, told SecurityWeek. “This botnet is likely to be very small right now. It is not ‘back with a vengeance’ as some have claimed.”

According to Stone-Gross, the operation against Dridex, both its infrastructure and the people behind the threat, will continue. The expert highlighted that one key player was already arrested and several others were indicted under their real name.

“These operations go after the source of the problem (the people behind the malware) rather than throwing huge amounts of money in trying to reactively defend against the attacks,” Stone-Gross said.

Moreover, Dridex has never actually rivaled the now defunct Gameover Zeus botnet in terms of size and success, the researcher noted.

Frank Ruiz, threat intelligence analyst at Fox IT, another company involved in the operation against Dridex, pointed out that while this was a major first step in the right direction, there is still a lot of work to be done.

Ruiz noted that Ghinkul, also known as “Smilex,” was working with an individual using the online moniker “Caramba,” who is also named in FBI documents. The two paid “Evil Corp,” the organization that writes and maintains Dridex, for access to the botnet, but there are a large number of other people involved in Dridex.

The expert told SecurityWeek that one of the sub-botnets, run by an actor not targeted in the latest law enforcement operation, only had minor interruptions. Another Dridex sub-botnet was seen resurfacing on Friday.

“Historically, successful neutralization of parts of the malware ecosystem can be highly effective. For example, after the arrest of ‘Paunch’, creator of the ‘Blackhole’ exploit kit, use of the kit declined precipitously — and both the gameoverzeus and zeroaccess botnet actions by authorities resulted in significant disruptions to those criminal enterprises. That said, the crimeware market operates efficiently, and if a need exists or gap is created, history has shown that others will step in to fill the gap,” Epstein said. “That said, this situation certainly disrupted a portion of the Dridex operation, but doesn’t appear to have created a long-term cessation in activity.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...