April 18, 2019 By David Bisson 2 min read

Threat actors compromised an account with administrator privileges to infect a manufacturing company with BitPaymer ransomware.

A Trend Micro investigation found that digital attackers sent some commands via PsExec — a command-line tool for executing processes on remote computers — to copy and execute a variant of BitPaymer between 9:40 p.m. and 11:03 p.m. on Feb. 18, 2019. Only accounts with administrator privileges can run commands via PsExec. Acknowledging this fact, researchers reasoned that the manufacturing company suffered a security breach prior to the ransomware’s execution.

Between Jan. 29 and Feb. 18, Trend Micro helped detect several instances in which threat actors attempted to infect machines with an Empire PowerShell backdoor. These attack attempts occurred remotely and filelessly, though Trend Micro did detect binaries associated with Dridex, a banking Trojan that ESET linked to BitPaymer’s creators last year.

Not a New BitPaymer Variant

Ransom.Win32.BITPAYMER.TGACAJ, the BitPaymer variant involved in this attack, was unique in that it used the victim organization’s name in its ransom note and as an extension name for encrypted files. But it’s not the first time that security researchers have observed such behavior of the ransomware. Back in November 2018, a malware researcher revealed on Twitter how they had spotted a similar version of the threat targeting several companies.

This attack also comes at a time of sustained activity for BitPaymer. For instance, the ransomware infected several hospitals belonging to NHS Lanarkshire back in August 2017, as reported by Bleeping Computer. About a year later, officials from the Alaskan borough Matanuska-Susitna revealed in a statement how a variant of the crypto-malware had infected the town government’s networks.

How to Defend Against a Ransomware Infection

Security professionals can help defend against ransomware by using an endpoint detection and response (EDR) tool to monitor IT devices for suspicious activity. Teams should also use a patch management tool to keep their software up to date, thereby preventing attacks from using known vulnerabilities to infect their workstations with ransomware.

Furthermore, organizations should create or update their incident response plan and keep this framework effective by testing it consistently and making it inclusive of stakeholders.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today