A new variant of BitPaymer ransomware has been found infecting a US manufacturing company. Tracked as Ransom.Win32.BITPAYMER.TGACAJ, the ransomware is distributed via PsExec, a command-line tool that allows the execution of processes on remote computers.
What happened - In a detailed investigation report, researchers at Trend Micro found that the new variant of BitPaymer was executed in the manufacturing company’s system using PsExec. The attack occurred on February 18, 2019, between 9:40 PM and 11:03 PM.
To initiate the attack, the attackers had compromised an account with administrator privileges. This enabled them to run the malicious commands that copied and executed the BitPaymer variant.
“The attacker needed at least one account with administrator privileges to run commands via PsExec. This means that a security breach, which may have happened due to unforeseen circumstances, had already transpired before the ransomware was installed,” researchers noted.
What’s new about the variant - Researchers noted that Ransom.Win32.BITPAYMER.TGACAJ uses the name of the victim company in the ransom note and as an extension name for the encrypted files.
The new variant shares many similarities with previously spotted BitPaymer variants.
“It uses the same code for its function to get the Windows API and uses the same entry point for the unpacked code,” said the researchers.
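Two traits from the report lend themselves to endpoint detection: PsExec execution on a host (PsExec installs a service named PSEXESVC on the target, which an administrator account is needed for) followed by a burst of file renames to a single new extension (this variant names encrypted files after the victim company). The following is an added illustration, not code from Trend Micro or from the report; the event records, the host names and the "victimco" extension are constructed, and the simplified record format is an assumption rather than any real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified endpoint telemetry (not real logs from the incident):
# (timestamp, host, event kind, detail). PSEXESVC is the service PsExec installs
# on the remote host; "victimco" stands in for the company-name extension.
EVENTS = [
    ("2019-02-18 21:40:12", "FS01", "service_install", "PSEXESVC"),
    ("2019-02-18 21:40:15", "FS01", "process_create", "PSEXESVC.exe"),
    ("2019-02-18 21:41:02", "FS01", "file_rename", "budget.xlsx -> budget.xlsx.victimco"),
    ("2019-02-18 21:41:03", "FS01", "file_rename", "plans.docx -> plans.docx.victimco"),
    ("2019-02-18 21:41:05", "FS01", "file_rename", "cad\\part7.dwg -> cad\\part7.dwg.victimco"),
    ("2019-02-18 21:42:00", "WS07", "file_rename", "draft.tmp -> draft.docx"),
    ("2019-02-18 21:55:00", "WS07", "file_rename", "notes.txt -> notes.bak"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def psexec_hosts(events):
    """Hosts where the PsExec service was installed or its service binary launched."""
    return {host for _, host, kind, detail in events
            if kind in ("service_install", "process_create")
            and detail.upper().startswith("PSEXESVC")}

def rename_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Map host -> new extension when at least `threshold` renames to that same
    extension happen within `window`; mass renaming is how encryption shows up."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "file_rename":
            new_ext = detail.split("->")[1].strip().rsplit(".", 1)[-1].lower()
            per_host[host].append((_ts(ts), new_ext))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, ext) in enumerate(items):
            same = [t for t, e in items[i:] if e == ext and t - t0 <= window]
            if len(same) >= threshold:
                hits[host] = ext
                break
    return hits

def correlate(events):
    """Hosts showing both PsExec activity and an encryption-like rename burst:
    the sequence the report describes (remote execution, then encryption)."""
    bursts = rename_bursts(events)
    return {h: bursts[h] for h in psexec_hosts(events) if h in bursts}

if __name__ == "__main__":
    print(correlate(EVENTS))  # {'FS01': 'victimco'}
```

WS07 renames two files to different extensions and is not flagged; FS01 is flagged only because the PsExec service install and the rename burst coincide on the same host.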
What security measures were taken - The impact of the infection on endpoints was minimized by a behavioral monitoring solution, whose detection component was able to block the unwanted file encryption and modification.