Early Monday morning on the 4th of November, two Spanish companies, Everis (an IT consulting firm) and Cadena SER (Spain’s largest radio network) were simultaneously hit with ransomware. While the Cadena ransomware type is unknown, Everis has confirmed that it was hit with BitPaymer ransomware. BitPaymer is typically distributed through malicious emails containing Dridex, which threat actors will use to gain a foothold in a network and maintain persistence. Once a foothold is gained, a full reconnaissance is performed, and Active Directory credentials are grabbed. From there, BitPaymer is deployed by the threat actors.
Analyst Notes
While a decrypter does not exist for BitPaymer, there are a few things that can be done for protection. First, BitPaymer uses the Eventvwr.exe UAC bypass in order to escalate privileges. If the bypass fails for whatever reason, BitPaymer will actually stop encrypting and close itself. Luckily, this bypass was fixed with the Windows 10 Preview Build #15007, meaning that BitPaymer cannot escalate privileges on an up-to-date Windows 10 machine. If it is not possible to update Windows 10 to the latest version, Binary Defense recommends practicing safe email habits and only opening attachments and executing macros from addresses that are trustworthy.
Sources: http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework
https://www.zdnet.com/article/ransomware-hits-spanish-companies-sparking-wannacry-panic/
