Billtrust, a U.S.-based financial services provider, experienced a service outage on October 17th that affected all of its services. Billtrust did not make the issue public, but a service bulletin published to one of its customers stated, “We were notified late yesterday that BillTrust, our third-party vendor for customer invoicing and online bill payment, was the subject of a malware attack. BillTrust is working with federal law enforcement and cybersecurity firms to investigate and remediate the attack.” Billtrust also told its customers that none of their data was compromised and that it is working to restore services. In an update dated October 18th, Billtrust listed which services were operational and which still had issues:
- Billtrust Credit (former Credit2B) – up and operational.
- Billtrust eCommerce (Second Phase) – up and operational.
- Billtrust Virtual Card Capture – scheduled to be up and running on Saturday, October 19 with a plan to work through the weekend to begin catching up on the backlog.
- Billtrust Cash Application – over the next 12-24 hours, we intend to bring Cash Application customers live starting with the processing of lockbox and open balance files.
- Billtrust Billing & Payments – Billing and Payment websites will be turned on this evening followed by FTP connectivity. We expect card payment processing to resume this evening and ACH processing to resume on Monday, October 21 but will update you if anything changes.
- Billtrust VueBill – please contact your account representative for specific details.
Billtrust also notified its customers that forensic software had been deployed on most of its systems as part of the ongoing investigation. The company assured customers that their data is routinely backed up in preparation for events like this. How the systems were compromised is not yet known; the investigation is still ongoing.
This incident is a good example of why organizations and individuals alike should keep secure, up-to-date backups of all their systems. Backups are the primary means of restoring service when a system is compromised by ransomware. Organizations are also advised to have incident response plans in place in case systems are compromised; those plans should be tested and rehearsed so that recovery is as fast as possible. Another recommendation is to deploy an endpoint detection system, such as the Binary Defense Vision system, which is an important part of defense-in-depth against ransomware. Endpoint monitoring solutions are well placed to detect ransomware or attacker behavior early in an intrusion and to isolate the infected computer from the rest of the network, limiting the spread of damage. Lastly, organizations should contact law enforcement promptly after a breach is discovered. The value lies in preserving evidence, especially a copy of the Command and Control (C2) servers used by the attackers, which can ultimately lead to the capture and prosecution of the criminals responsible.