BitPaymer/FriedEx Ransomware Shows Ties to Dridex Banking Trojan

What Is It?

Researchers at legacy anti-virus vendor ESET have published findings that present strong evidence that the authors of the Dridex banking trojan also wrote the code for the BitPaymer ransomware. Because of those connections to Dridex, ESET refers to the malware as FriedEx.

The Dridex banking trojan has been seen in the wild since 2014 and since its initial release has been significantly updated and improved, becoming one of the most sophisticated and successful banking trojans.

The BitPaymer/FriedEx ransomware was first seen in July 2017 and received significant media coverage when it infected several National Health Service hospitals in Scotland during August 2017. Much like the recently discussed SamSam ransomware, BitPaymer/FriedEx tends to target higher-profile companies and organisations rather than home users, and its operators usually gain their initial foothold by brute-forcing Remote Desktop Protocol (RDP) credentials.

The researchers showed screenshots, which appear to come from the Hex-Rays decompiler, of almost identical code in key functions of Dridex and BitPaymer/FriedEx. They also found commonalities in the compiler information and compile timestamps of the samples. Taken together, these findings make a strong case that the same authors are behind both malware families. It appears the authors saw an opportunity to take their existing Dridex code base and modify it as necessary to create a second revenue stream from ransomware.
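The compiler metadata mentioned above lives in the PE headers of each sample. The following script is an added example, not ESET's or BluVector's tooling: it reads the COFF TimeDateStamp and the linker version from a PE image using the header layout in the Microsoft PE/COFF specification, then compares two samples the way an analyst would when looking for a shared toolchain. The two "samples" are minimal synthetic headers with made-up values built by build_min_pe(), not the real Dridex or BitPaymer binaries.

```python
"""Extract the compiler metadata analysts compare when linking samples.

Added example, not ESET's or BluVector's tooling. The two "samples" below
are synthetic headers with made-up values, not real Dridex or BitPaymer files.
"""
import struct
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_min_pe(timestamp, major_linker, minor_linker, machine=0x14C):
    """Constructed test input: an MZ stub, PE signature, COFF header and the
    start of an optional header. It is parseable, not loadable."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 24, 0x0102)
    optional = struct.pack("<HBB", PE32_MAGIC, major_linker, minor_linker) + b"\0" * 20
    return dos_stub + b"PE\0\0" + coff + optional


def pe_build_info(data):
    """Return target machine, link timestamp and linker version of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    # The optional header directly follows the 20-byte COFF header.
    magic, major, minor = struct.unpack_from("<HBB", data, coff + 20)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc),
        "linker": f"{major}.{minor}",
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def compare_build_info(a, b):
    """Attribution hints for two samples: shared linker, same target machine,
    and how far apart (in days) the link timestamps are."""
    return {
        "same_linker": a["linker"] == b["linker"],
        "same_machine": a["machine"] == b["machine"],
        "days_apart": abs(a["timestamp"] - b["timestamp"]) / 86400,
    }


# Made-up values: "sample A" linked 2017-07-13 00:00 UTC, "sample B" 30 days
# earlier, both by a 12.0 linker, i.e. the kind of overlap the report describes.
SAMPLE_A = build_min_pe(1499904000, 12, 0)
SAMPLE_B = build_min_pe(1499904000 - 30 * 86400, 12, 0)

if __name__ == "__main__":
    info_a, info_b = pe_build_info(SAMPLE_A), pe_build_info(SAMPLE_B)
    print("A:", info_a["compiled"], "linker", info_a["linker"])
    print("B:", info_b["compiled"], "linker", info_b["linker"])
    print(compare_build_info(info_a, info_b))
```

Treat these fields as supporting evidence only: TimeDateStamp is a plain integer that an author can zero or forge, and recent Microsoft linkers can emit a reproducible-build hash in that field instead of a time, so a timestamp that matches (or looks impossible) should be weighed alongside the decompiled code similarity rather than on its own.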

How Does It Propagate?

Similar to the SamSam ransomware, BitPaymer/FriedEx is delivered by attackers who manually brute-force credentials on internet-facing Remote Desktop Protocol (RDP) servers and then use that access to reach other devices on the network. Again, best practice dictates that RDP servers should not be reachable directly from the internet; where remote access is required, place it behind a VPN or remote desktop gateway, enforce account lockout and multi-factor authentication, and alert on bursts of failed RDP logons.
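A brute-force RDP campaign of this kind is visible in the Windows Security log long before any file is encrypted. The script below is an added example, not BluVector's or ESET's code: it assumes Security events exported as one JSON object per line with the fields TimeCreated, EventID, LogonType, TargetUserName and IpAddress (the names used in the native 4624/4625 event XML), where event 4625 is a failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) is what an RDP session produces. It flags any source address with at least a threshold of failed RDP logons inside a sliding time window and records whether that address later logged on successfully, which is the moment the operator has a foothold. The events are constructed for this example and are not real log data.

```python
"""Flag RDP brute-force activity in exported Windows Security events.

Added example, not BluVector's or ESET's code. Input format and the sample
events are assumptions made for this illustration, not real log data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10   # RemoteInteractive, i.e. an RDP session

# Constructed sample (not real log data): one attacker spraying three accounts
# in about 90 seconds and then getting in as "backup"; one user typo; one slow,
# spaced-out guesser; and SMB (logon type 3) failures that are not RDP at all.
# Lines are deliberately not in time order.
SAMPLE_EVENTS = """\
{"TimeCreated": "2017-08-25T03:00:01", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:00:14", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:00:31", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:00:50", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:01:12", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:01:33", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:01:55", "EventID": 4624, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2017-08-25T03:02:10", "EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.4"}
{"TimeCreated": "2017-08-25T03:02:40", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.4"}
{"TimeCreated": "2017-08-25T03:00:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.0.2.30"}
{"TimeCreated": "2017-08-25T03:10:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.0.2.30"}
{"TimeCreated": "2017-08-25T03:20:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.0.2.30"}
{"TimeCreated": "2017-08-25T03:30:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.0.2.30"}
{"TimeCreated": "2017-08-25T03:40:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.0.2.30"}
{"TimeCreated": "2017-08-25T03:05:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "192.0.2.9"}
{"TimeCreated": "2017-08-25T03:05:01", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "192.0.2.9"}
{"TimeCreated": "2017-08-25T03:05:02", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "192.0.2.9"}
{"TimeCreated": "2017-08-25T03:05:03", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "192.0.2.9"}
{"TimeCreated": "2017-08-25T03:05:04", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "192.0.2.9"}
"""


def parse_events(text):
    """Parse one JSON event per line, converting TimeCreated to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Return {ip: info} for every source IP with at least `threshold` failed
    RDP logons inside any sliding window of `window_seconds`. `info` holds the
    time of the first failure in the triggering window, the total failures,
    the accounts tried, and the account of a later successful RDP logon, if any."""
    events = sorted(events, key=lambda e: e["TimeCreated"])
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    failures = defaultdict(int)
    usernames = defaultdict(set)
    flagged = {}
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue              # network/service logons are a different story
        ip, t = e["IpAddress"], e["TimeCreated"]
        if e["EventID"] == FAILED_LOGON:
            failures[ip] += 1
            usernames[ip].add(e["TargetUserName"])
            q = recent[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window_seconds:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_seen": q[0].isoformat(), "success_as": None}
        elif e["EventID"] == SUCCESS_LOGON and ip in flagged:
            if flagged[ip]["success_as"] is None:
                flagged[ip]["success_as"] = e["TargetUserName"]
    for ip, info in flagged.items():
        info["failures"] = failures[ip]
        info["usernames"] = sorted(usernames[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['failures']} failed RDP logons against {info['usernames']} "
              f"from {info['first_seen']}; later logged on as {info['success_as']}")
```

With the defaults only 203.0.113.7 is flagged: the single typo from 198.51.100.4 and the non-RDP failures never count, and 192.0.2.30 spreads its five guesses over forty minutes so no five-minute window ever fills. Widening the window to an hour catches that slow guesser too, which is the trade-off between noise and coverage any such rule has to make; a "success after flag" result is the event to page on, because from that point the operator is inside and moving laterally by hand.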

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the BitPaymer/FriedEx ransomware as malicious. Regression testing against samples shows that BluVector would have detected the ransomware 29 months before its first appearance.
