An ongoing campaign using the BitPaymer ransomware has targeted at least 15 U.S. organizations in the last three months across the financial, agricultural, technology and government sectors, researchers said Thursday.
In an operation marked by meticulous planning, the hackers are phishing their targets with emails laced with the Dridex malware, another one of their staple tools, according to Israeli cybersecurity company Morphisec. After surveying the network, they deploy BitPaymer over a weekend, when employees are out. The ransomware spreads as people get back to work on Monday, Morphisec said.
Morphisec would not name any of the affected organizations, but CTO Michael Gorelik told CyberScoop that i has dealt directly with two of them. He declined to offer more details, and he would not elaborate on the “supply chain solution provider” that his company said was also attacked. On average, the organizations targeted had between 200 and 1,000 employees, Gorelik said.
The findings are the latest example of how a methodical set of crooks are using an insidious piece of malware. BitPaymer was reportedly introduced in August 2017 by a group dubbed Indrik Spider, one of many criminal outfits emanating from Eastern Europe that are in the ransomware business. Since then, BitPaymer has hit a number of organizations, including a suburb of Anchorage, Alaska, last year, forcing local officials to use typewriters after government systems were disrupted.
In the latest reported activity involving BitPaymer, the attackers are setting up “loaders,” which execute payloads, that are customized to the target just hours before deploying the ransomware, Morphisec said.
“The actors behind BitPaymer are very methodical, they have been known to spend as long as a month inside a victim network before deploying BitPaymer,” said Allan Liska, a threat intelligence analyst at Recorded Future. “When they do install the ransomware they install on multiple systems simultaneously in order to inflict maximum damage.”
The operators of BitPaymer appear to be at crossroads. Last week, cybersecurity company CrowdStrike said it had found a new variant that had been used in attacks on the City of Edcouch, Texas, and Chile’s agriculture ministry in June. Some members of Indrik Spider may have taken some of BitPaymer and Dridex’s source code and spun off their own operation, according to CrowdStrike analysts.