Attackers are taking a more targeted approach when choosing ransomware victims. This BitPaymer variant (Ransom.Win32.BITPAYMER.TGACAJ) has been seen a few times recently and is unusual because it names the targeted company in the ransom note, making each ransom note specific to its victim. That is exactly what happened when it sent commands to an unnamed US manufacturing company's systems through PsExec on February 18th. The attackers had also been attempting to run the PowerShell Empire backdoor from January 29th onward, in the weeks leading up to the BitPaymer installation on February 18th. A breach most likely occurred on or before January 29th, because the attackers needed administrator privileges to deploy BitPaymer through PsExec.
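The dwell-time pattern described above (encoded PowerShell attempts, then a PsExec-driven ransomware push weeks later) is something a defender can surface from Windows event data. The following is an added example, not code from the original article or from Binary Defense; the event tuples are constructed sample data with assumed field layout and a placeholder year, and the base64 payload is a meaningless placeholder.

```python
import re
from datetime import datetime

# Constructed sample events: (timestamp, event_id, host, details).
# Year and hostnames are placeholders; base64 blobs are meaningless filler.
SAMPLE_EVENTS = [
    ("2019-01-29T03:12:44", 4688, "WS-014",
     "powershell.exe -NoP -NonI -W Hidden -Enc AAAAAAAAAAAAAAAAAAAAAAAA"),
    ("2019-02-01T22:05:10", 4688, "WS-014",
     "powershell.exe -nop -w hidden -e BBBBBBBBBBBBBBBBBBBBBBBB"),
    ("2019-02-18T01:40:02", 7045, "SRV-DC1",
     "Service installed: PSEXESVC  path: %SystemRoot%\\PSEXESVC.exe"),
    ("2019-02-18T01:40:05", 4688, "SRV-DC1", "C:\\Windows\\PSEXESVC.exe"),
    ("2019-02-18T01:41:30", 4688, "SRV-DC1", "C:\\Users\\Public\\update.exe"),
]

# Event ID 4688 = process creation; 7045 = new service installed (System log).
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\s.*\s-(?:e|enc|encodedcommand)\s",
                        re.IGNORECASE)
PSEXEC_SVC = re.compile(r"\bPSEXESVC\b", re.IGNORECASE)


def classify(event):
    """Tag an event as one of the two indicators in the incident, or None."""
    _, event_id, _, details = event
    if event_id == 7045 and PSEXEC_SVC.search(details):
        return "psexec_service_install"
    if event_id == 4688 and ENCODED_PS.search(details):
        return "encoded_powershell"
    return None


def build_timeline(events):
    """Return suspicious events as (datetime, host, tag), oldest first."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((datetime.fromisoformat(ev[0]), ev[2], tag))
    return sorted(hits)


def dwell_days(timeline):
    """Calendar days from the first encoded-PowerShell hit to the first
    PsExec service install; None if either indicator is absent."""
    first_ps = next((t for t, _, tag in timeline if tag == "encoded_powershell"), None)
    first_px = next((t for t, _, tag in timeline if tag == "psexec_service_install"), None)
    if first_ps is None or first_px is None:
        return None
    return (first_px.date() - first_ps.date()).days
```

On the constructed data the first encoded-PowerShell launch precedes the PSEXESVC install by 20 calendar days, which is the window in which the breach on the page would have been investigable before encryption began.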
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased