The US Department of Justice announced charges today against two Russian nationals behind the infamous Dridex malware.
The indictment names Maksim Yakubets and Igor Turashev as two of the developers behind the Dridex banking trojan, and specifically names Yakubets as the group’s leader.
In addition, the DOJ brought additional charges against Yakubets for also participating in the development and proliferation of the ZeuS banking trojan, a precursor of Dridex, active between 2007 and 2010.
US authorities said Yakubets used ZeuS to steal more than $70 million from victims; however, Yakubets’ main creation was Dridex and the cybercrime ecosystem it created around it — from which authorities said Yakubets made roughly $100 million.
Dridex was first spotted in 2011, a year after the ZeuS source code was leaked online by a competitor.
Initial versions of the Dridex malware were named Cridex, but as the malware evolved and was picked up by more and more cybersecurity firms, it became known as Dridex or Bugat, with the Dridex name becoming the most widely used.
The Dridex malware is still active even today.
Evil Corp – the world’s most harmful cyber crime group
The name Dridex was initially used to describe the banking trojan, a piece of malware that stole banking credentials from infected hosts by injecting fake bank login pages into people’s browsers.
However, the Dridex name was also used many times to describe a broad range of criminal activities that link back to the people behind the Dridex malware. This includes the Necurs spam botnet and the BitPaymer ransomware.
But while antivirus firms referred to the group as Dridex, they often called themselves Evil Corp.
The UK National Crime Agency, which was also involved in the investigation, said it began tracking Dridex — and Evil Corp circa 2014 — calling it “the world’s most harmful cyber crime group.”
The NCA claims that Yakubets employed dozens of people to run the various Evil Corp operations, often from the basements of Moscow cafes.
Similar to other hackers of his stature, Yakubets also liked to flaunt his illegally acquired wealth on social media, often posting images of expensive cars, piles of money, and glitzy social events.
According to US court documents, Yakubets and his co-conspirators operated and used the Dridex banking trojan themselves, but they also allowed others to spread the malware on their behalf, taking a “$100,000 initial fee and 50% of all revenues with a minimum of $50,000 a week.”
Money stolen from victims’ accounts was sent back to perpetrators using a network of money mules, which received stolen funds in their accounts, and then redirected the cash to Evil Corp members or their affiliates.
Furthermore, as the malware scene started to evolve from banking trojans towards ransomware, Evil Corp adapted as well. The DOJ claims that starting 2016, Yakubets’ gang modified the Dridex malware to help with the installation of ransomware.
The indictment specifically lists JWF Industry (metal manufacturer) a victim company that had its computers infected with ransomware deployed via the Dridex trojan.
The second suspect named in today’s indictment, Turashev, served as a Dridex developer. The DOJ said he allegedly handled a variety of responsibilities, including system administration, management of internal control panels, and oversight of the botnet operations.
The DOJ claims he also orchestrated spam operations and later also used Dridex to install ransomware on victims’ computers.
Yakubets and Turashev are still at large, and believed to reside in Moscow, Russia. The US is currently offering a $5 million reward for information that would lead to Yakubets’ arrest.
Besides the DOJ indictment, the US Treasury also imposed sanctions on 24 entities associated with Yakubets and Evil Corp, restricting access to the group’s assets and international financial systems.
In 2015, US and UK authorities arrested another member of the Dridex gang, a Moldavian named Andrey Ghinkul. At the time, authorities claimed Ghinkul was the Dridex administrator; however, the malware continued to operate and even increased its activity following his arrest.
Connections with Russian intelligence
In a live video conference today, US authorities also said that they believe that Yakubets has also been working with the Russian government since 2017.
They claimed that Yakubets has been helping Russian intelligence with the collection of sensitive information from computers that have been infected using the Dridex malware.
Asked by a reporter, US authorities confirmed that they sent a request for aid during the investigation to Russian law enforcement, who responded and helped “to a point.”
This is not the first time such a theory has been put forward by US authorities. They previously claimed that Evgeniy Mikhailovich Bogachev, the creator of the Gameover Zeus malware, had also helped Russian intelligence with the collection of sensitive documents from infected computers, prior to being charged in 2014. Yakubets, who went online under the moniker “Aqua,” was mentioned in Bogachev’s indictment.
Until today, Bogachev was the highest-ranked hacker on the FBI’s most-wanted cyber list, with a reward of $3 million for his arrest. Starting today, Yakubets stands atop this list.