What Is It?
While some cybersecurity pundits claim the demise of ransomware, their prognostications were at best a premature conclusion. In recent weeks, variants of BitPaymer ransomware have infected systems at the Professional Golfers Association of America (PGA) and the local government offices of Matanuska-Susitna, a municipal borough of greater Anchorage.
BitPaymer, first identified in July 2017, was responsible for ransomware attacks on a number of Scottish hospitals in August 2017. BitPaymer is also known for making large ransom demands, up to 53 bitcoin (currently in excess of US$332,000). In most cases, the initial attack vector of BitPaymer ransomware is compromising internet-facing Remote Desktop Protocol (RDP) servers. The passwords to these RDP servers are brute forced.
In the case of Matanuska-Susitna, based on a report from the IT Director, the BitPaymer ransomware was part of an attack consisting of several malware payloads, including the Emotet trojan. His investigation believes the ransomware payload was activated 4 to 6 weeks after their network was initially compromised. He incorrectly characterizes this attack as a zero-day, based on the fact their legacy anti-virus product did not detect any malware components of the attack until it was too late.
The attack affected all 500 of their user endpoint systems and 120 of their 150 servers, requiring the IT department to essentially shutdown their entire network, resulting in staff being forced to use typewriters. Other systems impacted included email, telephone, swipe card and even their backup and disaster recovery servers. They are currently planning on reimaging 650 systems at a rate of about 38 per day.
According to reports, staff at the PGA of America began receiving pop-up ransom messages on their workstation screens on August 7, 2018. Though not yet confirmed by the PGA but based on the wording, it is believed BitPaymer ransomware is responsible. Another aspect consistent with BitPaymer ransomware is the offer to email two encrypted files to the attackers, who would decrypt them as proof of their “honest intentions.” It is reported that encrypted files include digital marketing assets related to the PGA Championship tournament and the Ryder Cup.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The most common attack vector for BitPaymer ransomware is compromising internet-facing RDP servers by brute forcing poor or common passwords where there are no security policies in place to enforce password lockouts.
When/How Did BluVector Detect It?
Specific samples have not yet been publicly attributed to either incident. Therefore, a random selection of 25 recent BitPaymer samples were tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that samples would have been detected an average of 50 months prior to their release.