From Dridex to BitPaymer Ransomware to DoppelPaymer……The Evolution

From Dridex to BitPaymer Ransomware to DoppelPaymer……The Evolution

Evil Corp, also known as INDRIK SPIDER and TA505, released BitPaymer ransomware in 2017, after hitting some obstacles with Dridex. It is believed, that Dridex was increasingly causing the group many problems and the group decided to change their methodologies. U.K law enforcement was after the money laundering group and was operating to dismantle the network. Soon, law enforcement arrested an affiliate of the group, Smilex, and arrested a banker who was set up fake accounts for the group.

After slowly decreasing the number of Dridex distributions, the malicious group released BitPaymer ransomware. This campaign uses unique mythologies and leverages Dridex to implants the malware in the BitPaymer infection stage; this was unlike anything seen before. BitPaymer like many nation-state threat actors uses lateral movement techniques to move deeper into the victim’s network. The largest BitPaymer campaign seen in the United States targeted about 15 organizations since November 2018. Any small to middle-sized organization is a target, this includes industries like finance, agriculture, and technology. Numerous organizations were targeted in just this past 2019 summer.

The Delivery

The initial delivery process of the attack stays pretty consist even as the ransomware changes methodologies. Phishing tactics are used to persuade the user to open an attachment or to click on something. BitPaymer can be spread through phishing emails and once the link or the attachment is opened, Dridex downloads on the machine. Recent attacks have shown that a fake update for a FlashPlayer plugin or Chrome, convince users into downloading and running the malicious application. These fake updates usually appear on legitimate websites that have been compromised and serve as pay-per-install services to deliver the malware.

Dridex is used to penetrate the network and obtain persistence within. A full reconnaissance of the network is executed collecting things like Active Directory (AD) credentials, collecting information om users, creating a list of all computers on the network. During the initial compromise PowerShell Empire, a tool used for penetration testing, is used for lateral movement within the network. During the movement between each host, PowerShell Empire installs a Dridex loader. As this lateral movement continues, Mimikatz is deployed on the servers. Mimikatz is a tool used to collect credentials from Windows hosts. After collecting credentials, the malware moves deeper in the network, until domain credentials are obtained. Finally, the Dridex loader is installed on the domain controllers.

Sometimes the threat actors can take weeks or months after the domain controllers are compromised before deploying the ransomware on the network. Then usually on the weekend or during the holidays, the ransomware is distributed. Attacking when no employees are around, allows the ransomware enough time to hit servers and as employees return to work the ransomware spread across the environment.

BitPaymer Execution

wp_encrypt (BitPaymer Loader)

The reconnaissance gathers great details about the victim’s environment, and this allows the ransomware to create highly targeted attacks that can bypass advanced EDR solutions. LIFARS has observed that threat actors build and obfuscate a fully custom loader for deployment. The unique loader is compiled just 2-3 hours before BitPaymer is deployed, making it highly difficult for EDRs to detect.


The second step of the payload checks the OS version of each host, before decryption. If the host OS versions were released after VISTA the second step will begin. It is important to note, that sometimes with older Windows servers the second phase of the payload may be executed. Once execution begins, BitPaymer checks for the aaa_TouchMeNot.txt file. If the file exists, it means that the Windows Defender AV Emulator has a goat file. The presence of the goat file means that the host is used for virus testing, therefore, BitPaymer will stop the execution. LIFARS has in the past used this file as a killswitch on a client network. It was able to stop the execution of the malware; however, this may not always work.

aaa_ToucMeNot.txt is not present

aaa_TouchMeNot.txt is not present



aaa_TouchMeNot.txt is present

aaa_TouchMeNot.txt is present



Once execution of the malware begins, initialization of configuration settings, like decryption type and process integrity level are completed. During this time, ransom note, public key, file extensions, all other strings are decrypted.

Alternate Data Streams

BitPaymer comes up with new ways to disguise itself from security software deployed on the network. One sample of BitPaymer, uses alternate data streams or ADS to do just this. ADS is usually used by Windows to store additional data in a mainstream, such as date or time. First, after initialization the malware checks for ADS streams. In some instances, to do this the malware looks for files ending with :. If : does not exist, BitPaymer leverages this and copies itself to the APPDATA directory under a ransom filename, %APPDATA%\<random_name>:BIN, and makes the file hidden. The malware then sets autorun entry in the registry. This way even if the computer is rebooted, BitPaymer will launch.

Further, from the ADS the malware creates a copy of itself, called :exe to a random empty file. This file is then used to run the Net View command to get a list of all network shares. After, another copy of the APPDATA directory is created, and a copy of this copy is created in a random empty file; this is also called :exe. This time the copy is used to jumble the disk and network shares.

This techniques of creating copies and then copies of copies allows the malware evade detection more than usual. Further, these copies can delete the initial malware file once executed their assigned task.

Privilege Escalation

BitPaymer uses a Fileless UAC bypass to elevate privileges between the network. First, the malware tries to change the default open for .msc files. The .msc files by default are opened using the Microsoft Management Console (MMC) tool using admin privileges. Using normal user credentials, the eventviewer is launched using .msc snap in the mmc console. This time the malware uses the HKCR\mscfile\shell\open\command command to point to the .cmd file. Thus, allowing the malware to execute with high privileges without using the Fileless UAC bypass.

During this phase, the commands vssadmin.exe Delete Shadows /All /Quiet and diskshadow.exe /s %TEMP%\<tempfile>.tmp’ (<tempfile>.tmp = “delete shadows all\r\nexit\r\n”) are run to delete shadow copies from the infected machine.

Further, the malware uses the commands takeown.exe /F <service_name> and icacls.exe <service_name> /reset to take control of a random service. This allows the malware to replace the service its own copy and then deploys BitPaymer as a service. Of course, the threat actors did think of saving a copy of the service in an ADS before replacing it.

As the BitPaymer as a service begins to run, the encryption process can begin. The malware begins encryption with the logical drives, network drives, and then moves on to each file in the drivers. RC4 and RSA-1024 encryption algorithms are used to encrypt the files. The encrypted files are then given the extension .locked

The BitPaymer Ransomware Note

Like the campaign, the ransom has been evolving too. When BitPaymer was first distributed the ransom note, along with the ransom demand, included a URL to a TOR-based payment portal. When the link was clicked, the portal displayed the Bitcoin wallet and a contact email address. However, within a month of its release, the ransom not no longer displayed the ransom amount. After about a year, the payment portal URL was also removed, and the ransom note concluded just two contact email addresses. Further, after November 2018, the ransom note became highly customized for the victim, included a customized ransom note, based on the company size and revenue, it displays the victim’s name, and displays unique contact information each time.


Example of BitPaymer Ransom Note Credit: Morphisec

Example of BitPaymer Ransom Note Credit: Morphisec


The third Evolution…DoppelPaymer

DoppelPaymer was first seen in the wild in June 2019, however, remnants of the malware have been seen since April 2019. June 2019 was the first time a fully built of the ransomware found. DoppelPaymer is an evolution of BitPaymer, that looks very similar, but is a bit more complex.


Code reuse between Dridex, BitPaymer, and DoppelPaymer Credit: Sentinelone

Code reuse between Dridex, BitPaymer, and DoppelPaymer Credit: Sentinelone


Since its distribution, only a few confirmed victims of DoppelPaymer have been identified. A client of LIFARS is one confirmed case of DoppelPaymer. This client was attacked in mid-October with the Dridex infection and by the end of October was hit with DoppelPaymer. The latest known victim of DoppelPaymer is a Mexican oil company, Pemex. Attackers demanded 565 bitcoin or about $4.9 million USD from the oil company.

New Features

Numerous new features were added to DoppelPaymer’s source code to increase its level of functionality and threat. This new variant unlike BitPaymer does not use the aaa_TouchMeNot_.txt. Perhaps INDRIK SPIDER has gotten more clever and know that a killswitch can be used to get past the malware’s infection. Further, file encryption occurs much faster because this process is now threaded. Instead of using the Net View command to get the list of network shares on the network, nslookup.exe is used to retrieve IP addresses of other hosts on the local network and domain resolution.

The malware authors also included new techniques to try to stop certain processes from running. To try to stop reverse engineering efforts, DoppelPaymer contains lists of CRC32 checksums of blacklisted process/service names. Fortunately, experts have found ways to brute force the checksum. Another, technique the authors are using to stop processes and services is ProcessHacker, a legitimate monitoring tool.

Ransom Note

The DoppelPaymer ransom note resembles the note for BitPaymer quite closely. However, there are few differentiating factors. One the note doesn’t show the ransom amount and the company name. Instead of the amount, the note contains a URL to a TOR-based payment portal. When the URL is clicked, the company usually has 14 days to pay the ransom before the decryption key expires. Third, the note includes the word DATA, instead of the word KEY to represent the encrypted key.


DoppelPaymer Ransome Note

DoppelPaymer Ransome Note


DoppelPaymer Tor Payment

DoppelPaymer Tor Payment


INDRIK SPIDER is growing more complex as white hat security experts develop new methodologies to counteract attacks. From Dridex to BitPaymer to DopplePaymer, the group has extorted millions from organizations all over the world. Ransomware attacks only seem to be speeding up and growing.


Contact LIFARS Immediately

For Ransomware Response Forensics