Researchers at ESET have found that the BitPaymer ransomware that hit Scottish hospitals last year was made by the same developers who introduced Dridex in 2014.
The Dridex Trojan has caused extensive damage, particularly to financial institutions, for several years. What first appeared to be a simple bot was later found to be one of the most sophisticated banking Trojans. Its authors have released updates from time to time; the latest, in 2017, gained attention for the AtomBombing code injection technique, which helped spread the Trojan to millions of victims.
BitPaymer: A Link to the Past
BitPaymer is a new ransomware family that security experts believe was introduced by the same authors who introduced the world to Dridex. The ransomware demanded $242,000 and forced hospitals to cancel appointments.
A report published by ESET this month states that there are strong indications that FriedEx (ESET's name for BitPaymer) and Dridex share the same authors. According to the researchers, FriedEx and Dridex were both compiled using Visual Studio 2015 and use the same PDB path, S:\Work\_bin, suggesting a link between the two.
The report found that several of the FriedEx samples had the same compilation date as Dridex samples. In addition, the functions in the binaries appear in the same order, which is what happens when the same codebase is used for different projects.
The malware packer used by both FriedEx and Dridex was found to be the same as well. Some constants that should be randomly generated are identical in both families. If this wasn't proof enough, both Trojans were compiled using Visual Studio 2015.
Like Dridex, BitPaymer resolves all API calls on the fly by looking up hash values, stores its strings in encrypted form, and uses hash values to look up registry keys and values. The binary is low profile in terms of features, and it is hard to tell what the ransomware is doing without digging deeper.
With all this evidence, the researchers at ESET were confident that both families were made by the same authors. They stated that the discovery provides a clearer picture of the group's activity. The group is still active and continues to update the Trojan.
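As an added illustration of the hash-based lookup described above (example code written for this article, not taken from the ESET report or from the malware): an analyst-side resolver that precomputes hashes of known API export and registry names so that hashed values recovered from a sample can be mapped back to plain text. The ROR-13 hash and the candidate name lists are assumptions for illustration; the article does not state which algorithm the malware uses.

```python
# Added example: hash-to-name resolution as an analyst would do it when a sample
# looks up APIs and registry keys by hash instead of by string. The ROR-13 hash
# is an ASSUMED illustrative algorithm, not the one Dridex/FriedEx actually uses.
from typing import Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of `name`."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every candidate (API exports, registry names)."""
    table: Dict[int, str] = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r}")
        table[h] = n
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each hash pulled from a sample to a name, or None if it is unknown."""
    return [table.get(h) for h in hashes]


# Constructed seed lists: a handful of real Windows export and registry names.
# In practice the API list is generated from the export tables of common DLLs.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
             "CreateFileW", "RegOpenKeyExW", "CryptEncrypt"]
REG_NAMES = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Shell", "UserInit"]

if __name__ == "__main__":
    table = build_lookup(API_NAMES + REG_NAMES)
    # Constructed "sample" values: hashes of two known names plus one unknown value.
    seen = [ror13_hash("GetProcAddress"), ror13_hash("Shell"), 0xDEADBEEF]
    for h, name in zip(seen, resolve(seen, table)):
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

Unresolved hashes are the interesting ones: they point at names missing from the seed list, or at a different hash algorithm than assumed.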
Ransoming Corporate Customers with Efficiency
BitPaymer and Dridex mainly target large corporations, and the ransomware is generally delivered through brute-force attacks on Remote Desktop Protocol (RDP) access. These two Trojans have infected a large number of hospitals and financial companies, and the losses resulting from them amount to millions of dollars.
Since the group that created Dridex is still active, the malware continues to evolve; it has introduced support for webinjects for Google Chrome version 63. The earlier AtomBombing code injection technique shows the danger posed by the group. This also highlights the importance of protecting PCs by installing ransomware removal software and updating the operating system regularly to avoid becoming a victim of cybercrime.