The Growing Threat of BitPaymer Ransomware

Growing Threat of BitPaymer Ransomware

Ransomware hit a decline last year in 2018 but made a comeback in 2019. This time hitting companies harder with a more targeted approach.

Ransomware is essentially a tool used by malicious actors to extort large sums of money from companies in exchange for their decrypted data. One strain of ransomware increasingly used by actors is BitPaymer ransomware. This variant of ransomware is quite unique because attackers are able to cover their tracks with an organization’s network.

To begin the attack, BitPaymer first enters the network through phishing emails. These emails are hidden with Dridex, a data and credential-stealing malware by the known threat actor called Evil Corp. Once on the network, Active Directory credentials are stolen, and recon of the network begins.

One sample of BitPaymer, uses alternate data streams (ADS) to disguise itself from security software that may be deployed. ADS is used by Windows to store additional data in a main stream, like date or time a file was downloaded. By using ADS, according to Anand Ajjan, SophosLabs researcher:

“ADS adds more stealth.  When a process is launched and does something malicious, there are no files backing the process except alternate data streams.”

BitPaymer copies itself to the APPDATA directory under a random filename and then hides the file. Then the attacker sets autorun entry in the registry, this means that even if the victim reboots the computer the hidden copy will relaunch. Third, BitPaymer creates a copy of itself from an ADS called :exe to a new file. This copy is then used to obtain a list of all network shares. Further, this process of creating a hidden copy and then a copy of the copy from the ADS is followed once more. However, this time the malware encrypts all the data on the network.

To further complicate things, a new framework of the malware allows the threat actor to create and deploy a custom loader for the malware just hours before encryption begins. By creating new loaders for each target, detection of the malware becomes even harder, especially for signature-based detection tools.

Additionally, the malware is fitted with lots of junk code, to make detection harder. Other functions of the malware include bypassing User Account Control settings to gain elevated privileges to delete shadow copy files. This deletion makes recovery of data much more difficult.

In another tactic, the malware looks for a dummy file called: “C:\\aaa_TouchMeNot.txt”, used by the Windows Defender AV Emulator environment. If this file is located, the malware stops execution, making the emulator believe the malware is harmless. However, when run in the real environment, the malware begins working.


Contact LIFARS for Ransomware Response Services Today