BitPaymer Malware Information

Summary

BitPaymer Malware was used to target medical institutions via remote desktop protocol and other email-related techniques, momentarily shutting down routine services for a high ransom. Security researchers later published evidence that not only was DRIDEX dropping BitPaymer, but that it also came from the same cybercriminal group.

Trend Micro has a detailed article describing the execution chain of these malware.

Infection Flow

Malware routine can be found on the following virus report:

Indicators of Compromise

Hash	Detection Name
f8ed1a7ec231cd0aaeee9498541e822133d406d8	Ransom.Win32.BITPAYMER.TGACAM
47ff3a11ca6f1c088799afaaafadcd46b89f44ac	TROJ_GEN.R011C0WGA19
94b37a49c91f8bae7817be8892520c8e50ce62d5	Ransom.Win32.BITPAYMER.TGACAM
fea875bee31434f43bba4384cade7bba83af6404	TROJ_GEN.R007C0PAG20
66bb444ea7e54b7f6b6a1305bed3556191ceeaf2	TROJ_GEN.R03FC0DFH19
babcc902eb4fda6824a9f63fea9267e21eb256ae	TROJ_GEN.R011C0PFO19
3752eaae8633c361a26aa763e2688ecf62c1a61f	TROJ_GEN.R011C0PFI19
bc2b35e453a31cda3b430ff25391c66899981d2a	TROJ_GEN.R011C0RFF19
adf3580cc8115d206ed15a881bb8144dec068b18	Ransom.Win32.ICRYPT.AG
8abc0909a346553236e05f2fa8c12da7925440d0	TROJ_GEN.R011C0RFE19
84b1513647a3c15614741724e4cbec32e7b4af69	TROJ_GEN.R011C0WF719
195157993bffdd51e4bd2fe2ac5fcc0971033db7	TROJ_GEN.R011C0WF219
233aa2f1d460d9588607933b8cab1844efeff5db	Backdoor.Win32.DRIDEX.THEBCAI

Details

SOLUTION MODULES	PATTERN BRANCH	RELEASE DATE	DETECTION/POLICY/RULES
PREDICTIVE LEARNING (TRENDX)	In-the-Cloud	In-the-Cloud	TROJ.Win32.TRX.XXPE50FFF032
FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)	15.433.00	15/10/2019	Ransom.Win32.BITPAYMER.TGACAM TROJ_GEN.R011C0WGA19 TROJ_GEN.R007C0PAG20 TROJ_GEN.R03FC0DFH19 TROJ_GEN.R011C0PFO19 TROJ_GEN.R011C0PFI19 TROJ_GEN.R011C0RFF19 Ransom.Win32.ICRYPT.AG TROJ_GEN.R011C0RFE19 TROJ_GEN.R011C0WF719 TROJ_GEN.R011C0WF219 Backdoor.Win32.DRIDEX.THEBCAI
BEHAVIORAL MONITORING (AEGIS)			RAN4052T, MALWARE BEHAVIOR BLOCKING
SANDBOX SOLUTION			VAN_RANSOMWARE.UMXX
DEEP SECURITY			1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
			1007598 - Identified Suspicious Rename Activity Over Network Share

Actions to Take:

Make sure that your product software is patched and up to date. Please refer to these KB articles:

Trend Micro Endpoint Product using best practice should be able to detect and clean this malware. Refer to the KB article, Best practices in configuring OfficeScan (OSCE) for malware protection, for more information.

For machines that are isolated or without agents installed, you can use ATTK online Clean Tool to clean the infected machine.

Rating:

Category:

Remove a Malware / Virus

Solution Id:

000261855

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

Need More Help?

BitPaymer Malware Information