In a blog post, ESET security researcher Michael Poslušný said that the new trojan, christened FriedEx (aka BitPaymer because of the text in the ransom) shared many similarities in its code with Dridex.
FriedEx was initially discovered in July 2017 by a security researcher known as Michael Gillespie. It gained prominence the following month when it infected a number of NHS hospitals in Scotland.
Poslušný said FriedEx was typically delivered by a brute force attack using the Windows Remote Desktop Protocol.
"Intrigued by the initial findings, we dug deep into the FriedEx samples, and found out that FriedEx uses the same techniques as Dridex to hide as much information about its behaviour as possible."
Poslušný said FriedEx resolved all system API calls on the fly by searching for them by hash, stored all strings in encrypted form, and looked up registry keys and values by hash.
"The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis," he noted.
Given the way the authors of Dridex had evolved their creation, Poslušný said it was logical to assume that they would not be going away any time soon.
"We can see that the group continues to be active and not only consistently updates their banking trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware 'trends', creating their own ransomware," he said.
Nick FitzGerald, senior research fellow at ESET, said: "We have very limited detection data for this threat, as it seems that it is mainly installed through RDP compromise (Remote Desktop Protocol – the native Windows remote control/remote assistance program).
"What happens in such attacks is that the attackers brute-force account credentials of poorly-protected RDP hosts exposed to the Internet. Such poorly-secured systems tend to be run by less-security-aware folk, so there is a higher chance of gaining access to a privileged account (administrator, domain administrator)."
He said there was also a suggestion that FriedEx was targeted at companies the attackers thought were more likely to be able to pay a bigger ransom than that demanded of the victims of more typical ransomware (ransom demands in the 20-50 bitcoin range have been seen – at the current exchange rate of approximately US$12,000 per bitcoin, that is about a quarter of a million to more than half a million US dollars).
"Also, once the FriedEx attackers gain access to a computer inside a target network the attackers will try to move laterally, to compromise further computers within the network in attempts to gain higher privileges if the initial point of compromise does not provide access to such an account," FitzGerald said. "Eventually, after possibly compromising many computers, or obtaining domain-wide credentials, they execute the ransomware on multiple computers across the network."
He said in such an attack, once the attacker obtained sufficiently elevated privileges, they could disable security products and take other steps to hamper their detection.
"It is very common in such cases that the attackers disable endpoint and server protection products just before running the ransomware."
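The RDP brute-force entry and the follow-on logon described above leave a recognisable trail in the Windows Security log (event 4625 for failed logons, 4624 for successes, logon type 10 for RemoteInteractive/RDP). The following is an added example, not code from ESET or the article: a small Python detector run over constructed sample events, assumed to be flattened to a pipe-delimited form, that flags a source address exceeding a failure threshold within a window and any subsequent successful RDP logon from that address.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry), flattened as
# "timestamp|event_id|logon_type|source_ip|account".
SAMPLE_LOG = """\
2018-01-25T10:00:01|4625|10|198.51.100.7|administrator
2018-01-25T10:00:02|4625|10|198.51.100.7|administrator
2018-01-25T10:00:03|4625|10|198.51.100.7|admin
2018-01-25T10:00:04|4625|10|198.51.100.7|backup
2018-01-25T10:00:05|4625|10|198.51.100.7|administrator
2018-01-25T10:00:06|4625|10|198.51.100.7|administrator
2018-01-25T10:01:30|4624|10|198.51.100.7|administrator
2018-01-25T10:02:00|4625|10|203.0.113.9|jsmith
2018-01-25T10:02:20|4624|10|203.0.113.9|jsmith
"""

FAIL_THRESHOLD = 5             # this many failed RDP logons from one address ...
WINDOW = timedelta(minutes=2)  # ... within this window marks the address as brute-forcing
REMOTE_INTERACTIVE = "10"      # logon type 10 = RemoteInteractive (RDP)


def parse(line):
    ts, event_id, logon_type, src, account = line.split("|")
    return datetime.fromisoformat(ts), event_id, logon_type, src, account


def detect_rdp_bruteforce(log_text):
    """Return alerts for (a) addresses exceeding the failure threshold and
    (b) a successful RDP logon from an address already flagged as brute-forcing."""
    failures = defaultdict(deque)  # src -> timestamps of recent 4625 events
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, src, account = parse(line)
        if logon_type != REMOTE_INTERACTIVE:
            continue  # only RDP logons matter for this pattern
        if event_id == "4625":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, f"{len(recent)} failed RDP logons in {WINDOW}"))
        elif event_id == "4624" and src in flagged:
            alerts.append(("compromise", src, f"successful RDP logon as {account} after brute force"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(*alert)
```

A "compromise" alert from an Internet-facing host is the point at which the lateral movement and security-product tampering described above would be expected to follow, so it is the event worth paging on.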