BitPaymer targets 15 U.S. organizations in 3 months, researchers say

The findings by Morphisec are the latest example of how a methodical set of crooks are using an insidious ransomware.

An ongoing campaign using the BitPaymer ransomware has targeted at least 15 U.S. organizations in the last three months across the financial, agricultural, technology and government sectors, researchers said Thursday.

In an operation marked by meticulous planning, the hackers are phishing their targets with emails laced with the Dridex malware, another one of their staple tools, according to Israeli cybersecurity company Morphisec. After surveying the network, they deploy BitPaymer over a weekend, when employees are out. The ransomware spreads as people get back to work on Monday, Morphisec said.

Morphisec would not name any of the affected organizations, but CTO Michael Gorelik told CyberScoop that the company has dealt directly with two of them. He declined to offer more details, and he would not elaborate on the “supply chain solution provider” that his company said was also attacked. On average, the organizations targeted had between 200 and 1,000 employees, Gorelik said.

The findings are the latest example of how a methodical set of crooks are using an insidious piece of malware. BitPaymer was reportedly introduced in August 2017 by a group dubbed Indrik Spider, one of many criminal outfits emanating from Eastern Europe that are in the ransomware business. Since then, BitPaymer has hit a number of organizations, including a suburb of Anchorage, Alaska, last year, forcing local officials to use typewriters after government systems were disrupted.

In the latest reported activity involving BitPaymer, the attackers are setting up “loaders,” the components that execute the payload, and customizing each one to its target just hours before the ransomware is deployed, Morphisec said.

“The actors behind BitPaymer are very methodical, they have been known to spend as long as a month inside a victim network before deploying BitPaymer,” said Allan Liska, a threat intelligence analyst at Recorded Future. “When they do install the ransomware they install on multiple systems simultaneously in order to inflict maximum damage.”
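The tradecraft described above (a weekend rollout while staff are away, and installation on many systems at once) leaves a pattern that endpoint process-creation telemetry can surface. The following is an added detection example written for this article; it is not code from Morphisec, Recorded Future or any of the firms mentioned. It runs over a small set of constructed log records (hostnames, paths and hash placeholders are invented) and flags any executable that first appears on several distinct hosts inside a short window, raising the severity when that window falls on a weekend or outside business hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events, one per line:
#   "<ISO timestamp> <host> <image path> <hash placeholder>"
# These records are invented for illustration and do not come from any real incident.
# 2019-07-13 is a Saturday; 2019-07-15 is the following Monday.
SAMPLE_EVENTS = """\
2019-07-13T02:14:09 fs01 C:\\Windows\\Temp\\svc_update.exe hashAAAA
2019-07-13T02:14:11 fs02 C:\\Windows\\Temp\\svc_update.exe hashAAAA
2019-07-13T02:14:15 dc01 C:\\Windows\\Temp\\svc_update.exe hashAAAA
2019-07-13T02:14:20 ws-112 C:\\Windows\\Temp\\svc_update.exe hashAAAA
2019-07-13T02:14:22 ws-117 C:\\Windows\\Temp\\svc_update.exe hashAAAA
2019-07-15T09:03:00 ws-054 C:\\Program Files\\Vendor\\agent.exe hashBBBB
2019-07-15T09:03:40 ws-055 C:\\Program Files\\Vendor\\agent.exe hashBBBB
2019-07-15T10:15:00 ws-056 C:\\Program Files\\Vendor\\agent.exe hashBBBB
2019-07-12T14:00:00 ws-020 C:\\Users\\j.doe\\AppData\\Local\\Temp\\inv0ice.exe hashCCCC
"""


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside an assumed 07:00-19:00 working day (site-specific assumption)."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def parse_events(text: str):
    """Parse the whitespace-separated records; the image path may itself contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rest = line.split(maxsplit=2)
        path, digest = rest.rsplit(maxsplit=1)
        events.append((datetime.fromisoformat(ts), host, path, digest))
    return events


def detect_mass_rollout(events, min_hosts: int = 4, window: timedelta = timedelta(minutes=10)):
    """Flag any binary (by hash) seen on >= min_hosts distinct hosts within `window`.

    Returns one alert per qualifying hash, based on the earliest window that qualifies.
    """
    by_digest = defaultdict(list)
    for ts, host, path, digest in events:
        by_digest[digest].append((ts, host, path))

    alerts = []
    for digest, rows in by_digest.items():
        rows.sort()
        for i, (start, _, path) in enumerate(rows):
            # Distinct hosts on which this hash appeared within `window` of `start`.
            hosts = {h for t, h, _ in rows[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                off_hours = is_off_hours(start)
                alerts.append({
                    "digest": digest,
                    "path": path,
                    "first_seen": start,
                    "host_count": len(hosts),
                    "hosts": sorted(hosts),
                    "off_hours": off_hours,
                    # Simultaneous deployment during a quiet period is the stronger signal.
                    "severity": "high" if off_hours else "medium",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rollout(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity'].upper()}] {alert['path']} ({alert['digest']}) "
              f"on {alert['host_count']} hosts from {alert['first_seen']}, "
              f"off-hours={alert['off_hours']}")
```

The thresholds (four hosts in ten minutes, a 07:00 to 19:00 working day) are placeholders to tune against a site's own baseline; a legitimate software push during business hours, like the `agent.exe` records here, spreads over a longer interval and so does not trip the default window.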

The operators of BitPaymer appear to be at a crossroads. Last week, cybersecurity company CrowdStrike said it had found a new variant that had been used in attacks on the City of Edcouch, Texas, and Chile’s agriculture ministry in June. Some members of Indrik Spider may have taken some of BitPaymer and Dridex’s source code and spun off their own operation, according to CrowdStrike analysts.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.