BitPaymer Ransomware Operators Wage Custom, Targeted Attacks

The BitPaymer ransomware operators now are creating new variants of the malware hours before deploying it on a target network – making detection much more difficult.

Researchers from Morphisec say they have observed the tactic being used against numerous public and private sector organizations across the US over the last three months.

In a report Thursday, the security vendor said it is aware of at least 15 organizations including those in the finance, agriculture, and technology sectors that have been targeted in this way. Most had between 200 and 1,000 employees, while two of the victims employed more than 2,000 people. Numerous servers belonging to at least two of the targeted organizations were infected.

In each of the attacks, the threat group gained initial access to the target network via phishing emails that distributed Dridex, a well-known data and credential-stealing malware. Once on the network, the attacker stole Active Directory credentials and conducted reconnaissance for sensitive servers and systems to infect. They then waited for the weekend to actually deploy the ransomware.

Read more: Dark Reading