By Gilbert Sison and Ryan Maglaque
Ransomware may have experienced a decline in 2018, but it seems to be getting back on track — only this time, attacks are looking to be more targeted. Coming on the heels of news about a ransomware attack against a U.S. beverage company which addressed the company by name in the ransom note, this blog post looks into a BitPaymer ransomware variant (detected by Trend Micro as Ransom.Win32.BITPAYMER.TGACAJ) that hit a U.S. manufacturing company. As with the beverage company, this company, too, appears to have been targeted as its affected systems showed a ransom note with its name explicitly addressed.
Our investigation leads us to believe that an account with administrator privileges may have been compromised to install BitPaymer via PsExec, a command-line tool that allows the execution of processes on remote computers.
How BitPaymer Gained a Foothold Into the System
BitPaymer, which is related to the iEncrypt ransomware, was executed in the manufacturing company’s system using PsExec. Our analysis revealed that on February 18, 2019 PST, between 9:40 p.m. and 11:03 p.m., commands were sent via PsExec to copy and execute the BitPaymer variant.
The attacker needed at least one account with administrator privileges to run commands via PsExec. This means that a security breach, which may have happened due to unforeseen circumstances, had already transpired before the ransomware was installed.
Figure 1. Timeline of events that led to the execution of the BitPaymer ransomware variant
Data from the Trend Micro™ Smart Protection Network™ infrastructure supports this hypothesis. From January 29 to February 18, multiple attempts to run an Empire PowerShell backdoor on a number of machines were detected. Indicators show that this was done remotely and without dropping a file on the target machines. Binaries associated with Dridex, which we found shared loaders with BitPaymer, were also detected within the same time period. Note that in the case of the U.S. beverage company, some researchers believe that an initial Dridex infection may be linked to the eventual ransomware infection.
Looking at all available information, we can then infer that a security breach had already taken place in the company before or on January 29.
This BitPaymer Variant Is Not New
As mentioned, Ransom.Win32.BITPAYMER.TGACAJ specifically addressed the name of the victim company in the ransom note and also used it as extension name for the encrypted files. These features show that the company was likely targeted. A similar variant of Ransom.Win32.BITPAYMER.TGACAJ was seen late 2018 when it targeted a number of companies, including a Germany-based manufacturing company. That variant also used the name of the victim company in the ransom note and as an extension name for the encrypted files.
Figure 2. In the ransom note, the victim is instructed to contact the threat actor/s to know how much needs to be paid in exchange for decryption. Notably, the key used in the encryption is stored in the message itself, and not within the file. This means losing the ransom note could kill the chance of file decryption.
Apart from the changes made to the ransom note and the file extension reflecting the victim companies’ names, there are no other differences between Ransom.Win32.BITPAYMER.TGACAJ and the variant reported in the latter part of 2018.
Code Comparison to Previous BitPaymer Variants
Our analysis shows that this BitPaymer ransomware variant is not new but is only a modified one in terms of ransom note and the extension name it uses. In our analysis, we saw that the code structure of this variant has many similarities with previously spotted Bitpaymer variants. It uses the same code for its function to get the Windows API and uses the same entry point for the unpacked code. The screenshots below show how each variant parses the API:
Figure 3. This variant was spotted in January 2018.
It appended encrypted files with .locked.
Figure 4. This variant was spotted in September 2018.
It appended encrypted files with .locked.
Figure 5. This variant was spotted in February 2019.
It used the name of the victim company as an extension name for the encrypted files.
Meanwhile, these two screenshots show the entry points of the unpacked code:
Figure 6. The one on the left is the September 2018 variant while the one on the right is the February 2019 variant.
The Aftermath of the BitPaymer Execution
The effects of the ransomware infection were minimized on endpoints where a behavioral monitoring solution, along with other anti-ransomware technologies, was enabled. Behavioral monitoring helps in detecting new variants by checking known malicious behaviors. For this particular scenario, it was able to block unwanted file encryption or modification using a detection component feature. Behavioral monitoring also prevented the execution of the Empire backdoor.
However, it’s possible that the security hole that inadvertently allowed the ransomware to execute remains undetected. Undetected objects or components may still be running in the IT environment as well. In cases like this, countermeasures, including updating all accounts and following best practices for preventing the abuse of sysadmin tools such as PsExec, should be taken to avoid future compromise from the same causes.
The Role of Managed Detection and Response in These Scenarios
The ransomware attack we discussed here, as well as the ones that hit the beverage company and the Germany-based manufacturing company, suggests that attackers may be increasingly leaning towards a more targeted approach, which requires sophisticated tactics in order to be successfully deployed. Having an effective oversight of the IT environment is key to stopping attackers on their tracks.
Since the first symptom of intrusion was detected on January 29, there are steps that could have been taken to prevent the spread of the ransomware on February 18. An intrusion detection system would have provided visibility to malicious activities present in the network, giving the organization a chance to take measures faster. In the case of the U.S. manufacturing company, compromised accounts could have been updated and compromised machines could have been cleaned to stop the spread of the ransomware.
The ransomware infection could have also been prevented with the adoption of managed detection and response (MDR) security services. MDR provides on-demand access to full-time threat analysts, investigators, and incident response experts that can spot threats before they damage organizations’ IT systems.
Trend Micro’s MDR service provides access to cybersecurity experts who can efficiently analyze logs to identify compromised machines, for example, the ones used to install the BitPaymer ransomware variant. Our MDR experts also have the capability to specifically identify the compromised accounts in ransomware incidents such as this, and, in turn, provide pattern updates which organizations will implement on their end to prevent further abuse.
In addition, our MDR experts are familiar with advanced security solutions that can provide meaning to security incidents. For example, the Trend Micro™ Deep Security™ solution, which can be used to thwart an attacker’s internal access by identifying a compromised system and shutting it down. Organizations can also take advantage of Deep Discovery Inspector, a solution that can capture full network activity to make it easier for investigators to discover clues during and after the attack. If an early sign of compromise is detected, the organization will be given an opportunity to take steps to prevent the threat from spreading. Meanwhile, Trend Micro Apex One™ offers advanced automated threat detection and response against varying kinds of threats, including fileless and ransomware. Apex One’s cross-generational blend of modern techniques provides highly tuned endpoint protection that maximizes performance and effectiveness.