Security Advisor

'Dyre Wolf' Malware Steals Millions from Enterprises

Researchers at IBM have discovered an active attack campaign using a variation of the Dyre Trojan that has already stolen millions from organizations.

According to IBM, the campaign has used both malware and social engineering techniques to circumvent two-factor authentication security features of targeted enterprises. While the identities of those responsible are unknown, IBM Senior Threat Researcher John Kuhn said the group is well organized and talented.

"In this campaign, the attackers are several steps ahead of everyone," wrote Kuhn. "Even while casting a wide net to reel in victims via spear-phishing campaigns, these attackers are targeting organizations that frequently conduct wire transfers with large sums of money. It's also important to note that the majority of antivirus tools frequently used as an organization’s first line of defense did not detect this malware."

Kuhn said that those behind the Dyre Wolf malware are using spear-phishing e-mails targeted at people inside specific enterprises for the initial infection. Once inside, the ring has been able to transfer between $500,000 and $1.5 million from victims. According to the report, all recent targets appear to be located outside the U.S., and the attacks have focused on organizations that regularly engage in large transactions.

While the variant of the Dyre Trojan appears to be new, IBM researchers have been following the root malware since its discovery in June of 2014. Since appearing on the scene, it has been used to attack high-profile targets including Citigroup, JPMorgan Chase and Bank of America. Its popularity among attackers has also exploded, with the infection rate increasing from 500 in June of last year to 3,500 by October.

IBM suggests that the best way to protect organizations from the Dyre Wolf and other variations is to increase user training and advise workers on safe online practices. However, Richard Blech, CEO of security firm Secure Channels, said that the responsibility for avoiding this attack shouldn't lie only with end users.

"If the definition of technology is the application of scientific knowledge for practical purposes, especially in industry, why are we blaming the user for not knowing enough? Technology leaders need to stop blaming the user for inadequacies and 'needing training,'" said Blech in an e-mailed comment. "Our duty in the technology industry is to provide options for the user, based on innovation not blame."

Blech recommends that organizations increase their multi-factor authentication security with "... tokenized Identity using binary and biometrics resources which avoid outdated, easily hacked, and easily forgotten alphanumeric passwords of yesterday."

About the Author

Chris Paoli is the site producer for and

