Hijacked Admin Accounts Bring About Personalized Ransomware Attacks

A ransomware attack that addresses the targeted victim by name has hit a manufacturing business, as reported by researchers at TrendMicro. Reportedly carried out in the late hours of Feb. 18, the attack began with the hijacking of an administrative user account, which the actors then used to push a variant of the BitPaymer ransomware across the network with the PsExec command-line tool. They also put the name of the affected organization in the ransom note itself, exactly as in the iEncrypt ransomware attack against the Arizona Beverage company earlier this month. Since iEncrypt, like BitPaymer, named the victim in its ransom note, the two threats may be connected.

The Attack Succeeded Thanks to an Earlier Dridex Infection

According to TrendMicro's security team, the Feb. 18 infection succeeded only after the attackers had made a series of failed attempts to remotely deploy the Empire PowerShell post-exploitation agent on admin-level machines that appear to have been picked at random. That eventual success was most likely enabled by an earlier Dridex infection that had gone unnoticed by the company and, in all likelihood, gave the attackers their initial foothold inside the network.

Together with the Arizona Beverage case and a handful of attacks on other businesses in late 2018, this is the latest instance of cybercriminals addressing their victim by name in the ransom note itself. The company's name was also used as the file extension appended to every encrypted file. The note reads as follows:

Hello [Victim's name]

Your network was hacked and encrypted.
No free decryption software is available on the web. 
Email us at [illegible characters]@protonmail.com (or) [illegible characters]@india.com to get the ransom amount. 
Keep our contacts safe. Disclosure can lead to impossibility of decryption. 
Please, use your company name as the email subject. 
TAIL: [random characters]
KEY: [random characters]

The ransom note therefore carries not only the victim's name but also a KEY value that is a prerequisite for decryption, which is why the note warns against losing it: a victim that discards the note also discards the key material needed to recover its files.

Save for Name and Extension, the Code Remains the Same

As mentioned above, this is not the first time security researchers have encountered a BitPaymer infection, nor does the new case involve a brand-new variant: a closer look at the code reveals no significant differences from last year's attacks. The only things that changed are the name of the affected organization in the ransom note and the file extension. Previous BitPaymer infections appended '.locked' to encrypted files, whereas the Feb. 18, 2019 attack used the victim's name instead.

The BitPaymer attack underlines the need for tighter controls on sysadmin tools such as PsExec and PowerShell, which are routinely abused for lateral movement once an administrative account has been compromised: restricting which accounts may use them and where they may run, and alerting on their remote use, removes much of the attackers' room to manoeuvre. Active monitoring alongside an anti-malware solution matters just as much; both the earlier Dridex infection and the repeated failed Empire deployments were signals that such monitoring could have surfaced before encryption began.
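As an added illustration of the monitoring recommended above (this is example code written for this article, not TrendMicro's or any vendor's detection logic), the following Python script scans a handful of constructed Windows event records for the two techniques described in this report: a PsExec-style remote service installation (System event 7045 with PsExec's default service name PSEXESVC) shortly after a network logon by an administrative account (Security event 4624, logon type 3), and a hidden, Base64-encoded PowerShell launch (Security event 4688) of the kind the Empire launcher typically produces. The field names follow the Windows event schema, but the records, hosts, account names and timestamps are all made up, and the 120-second correlation window is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample events (illustrative, not real telemetry). Each dict holds
# the Windows Security (4624, 4688) and System (7045) fields a SIEM would
# extract; "t" is a simplified timestamp in seconds.
SAMPLE_EVENTS = [
    {"t": 0, "EventID": 4688, "Computer": "WKS-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"t": 10, "EventID": 4624, "Computer": "FILESRV01", "LogonType": 3,
     "TargetUserName": "it-admin", "IpAddress": "10.0.5.23"},
    {"t": 12, "EventID": 7045, "Computer": "FILESRV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"t": 13, "EventID": 4688, "Computer": "FILESRV01", "SubjectUserName": "it-admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe"},
    {"t": 40, "EventID": 4624, "Computer": "FILESRV01", "LogonType": 2,
     "TargetUserName": "backup-svc", "IpAddress": "-"},
    {"t": 600, "EventID": 7045, "Computer": "FILESRV01", "ServiceName": "AV Updater",
     "ImagePath": r"C:\Program Files\AV\updater.exe"},
]

# PsExec's default service name; an operator can rename it with -r, so treat
# this pattern as a strong but not exhaustive indicator.
PSEXEC_SERVICE_RE = re.compile(r"psexesvc", re.IGNORECASE)
# Encoded-command switches accepted by powershell.exe (prefix matching).
ENCODED_PS_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
NETWORK_LOGON_WINDOW = 120  # seconds between remote logon and service install (assumed)


def is_psexec_service_install(ev):
    """System 7045: a service named or backed by PSEXESVC was installed."""
    return ev["EventID"] == 7045 and bool(
        PSEXEC_SERVICE_RE.search(ev.get("ServiceName", ""))
        or PSEXEC_SERVICE_RE.search(ev.get("ImagePath", ""))
    )


def is_suspicious_powershell(ev):
    """Security 4688: powershell.exe started hidden and/or with an encoded command."""
    if ev["EventID"] != 4688 or "powershell" not in ev.get("NewProcessName", "").lower():
        return False
    cmd = ev.get("CommandLine", "")
    return bool(ENCODED_PS_RE.search(cmd) or HIDDEN_PS_RE.search(cmd))


def analyze(events):
    """Return findings in time order, correlating PsExec service installs with
    the preceding network logon (4624, type 3) on the same host."""
    findings = []
    network_logons = defaultdict(list)  # host -> [(t, user, source ip)]
    for ev in sorted(events, key=lambda e: e["t"]):
        host = ev["Computer"]
        if ev["EventID"] == 4624 and ev.get("LogonType") == 3:
            network_logons[host].append((ev["t"], ev["TargetUserName"], ev["IpAddress"]))
        elif is_psexec_service_install(ev):
            finding = {"host": host, "t": ev["t"], "rule": "psexec_service_install",
                       "user": None, "source_ip": None}
            for logon_t, user, ip in network_logons[host]:
                if 0 <= ev["t"] - logon_t <= NETWORK_LOGON_WINDOW:
                    finding["user"], finding["source_ip"] = user, ip
            findings.append(finding)
        elif is_suspicious_powershell(ev):
            parent = ev.get("ParentProcessName", "")
            rule = ("encoded_powershell_from_psexec" if PSEXEC_SERVICE_RE.search(parent)
                    else "encoded_powershell")
            findings.append({"host": host, "t": ev["t"], "rule": rule,
                             "user": ev.get("SubjectUserName"), "source_ip": None})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Two practical caveats: the 4688 command line is only populated when the "Include command line in process creation events" policy is enabled, and because PsExec's `-r` switch lets an operator rename the service (and attackers may install services through other means), any 7045 that closely follows a remote administrative logon deserves a look, not just the ones that match the default name.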
