We will no doubt shortly see some official word on the 'takedown' of Dridex and/or Locky; it has been widely reported that the lack of daily spam campaigns indicates its disappearance is linked to the FSB operation. It's widely known that the FSB only gets involved in cyber criminal activity when there is significant international pressure to investigate.
It's difficult not to draw logical conclusions from the timings of the two operations and the subsequent disappearance of Dridex/Locky, but it's unlikely that Russia would be directly involved in a 'takedown' operation against a significant botnet which was responsible for the theft of money from banking institutions.
The FSB and MIA worked with Sberbank to conduct this operation, and the reports from Russian intelligence indicate around 2.2 billion rubles were lost between October 2015 and March 2016, which ironically is the same time as the Smilex arrest; Smilex, originally from Moldova, was in Cyprus at the time.
- Vawtrak = Banking Trojan, AKA Neverquest
- Hancitor = Dropper, usually delivered by a macro
- H1N1 = Loader, with UAC bypass (with some additional checks for GetCurrentProcess, and a nice crash) - Thanks to the geniuses on KernelMode
Identifying Hancitor was done post-infection in my lab - Thanks to Matt as ever.