BitPaymer Malware Information

    • Updated:
    • 13 Aug 2020
    • Product/Version:
    • Apex One 2019
    • Apex One as a Service
    • OfficeScan 11.0
    • OfficeScan XG
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 9.0
    • Worry-Free Business Security Standard 9.5
    • Platform:
Summary

BitPaymer malware was used to target medical institutions through remote desktop protocol and email-based techniques, temporarily shutting down routine services and demanding a high ransom. Security researchers later published evidence not only that DRIDEX was dropping BitPaymer, but that both came from the same cybercriminal group.

Trend Micro has a detailed article describing the execution chain of this malware.

Infection Flow

The malware routine can be found in the following virus report:

Indicators of Compromise

Details
Solution modules, pattern branch, release date and detection/policy/rules:

    • Predictive Learning (TrendX)
      Pattern branch: In-the-Cloud
      Release date: In-the-Cloud
      Detection: TROJ.Win32.TRX.XXPE50FFF032
    • File Detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE)
      Pattern branch: 15.433.00
      Release date: 15/10/2019
      Detections:
        Ransom.Win32.BITPAYMER.TGACAM
        TROJ_GEN.R011C0WGA19
        TROJ_GEN.R007C0PAG20
        TROJ_GEN.R03FC0DFH19
        TROJ_GEN.R011C0PFO19
        TROJ_GEN.R011C0PFI19
        TROJ_GEN.R011C0RFF19
        Ransom.Win32.ICRYPT.AG
        TROJ_GEN.R011C0RFE19
        TROJ_GEN.R011C0WF719
        TROJ_GEN.R011C0WF219
        Backdoor.Win32.DRIDEX.THEBCAI
    • Behavioral Monitoring (AEGIS)
      Detection: RAN4052T, Malware Behavior Blocking
    • Sandbox Solution
      Detection: VAN_RANSOMWARE.UMXX
    • Deep Security
      Rules: 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
             1007598 - Identified Suspicious Rename Activity Over Network Share
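The Deep Security rules above describe the behaviour a defender looks for when ransomware encrypts files on a share: a burst of renames that change file extensions over a network path. The following Python is an added illustration written for this article, not Trend Micro's rule implementation; the audit-log layout, host names, paths and the alert threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-operation audit events in a hypothetical CSV
# layout: timestamp,host,operation,source_path,destination_path.
# Not a Trend Micro log format; the rule below only mirrors the idea.
SAMPLE_EVENTS = r"""
2019-10-15T10:01:02,srv01,RENAME,\\fileserver\share\report.docx,\\fileserver\share\report.docx.locked
2019-10-15T10:01:03,srv01,RENAME,\\fileserver\share\budget.xlsx,\\fileserver\share\budget.xlsx.locked
2019-10-15T10:01:03,srv01,RENAME,\\fileserver\share\notes.txt,\\fileserver\share\notes.txt.locked
2019-10-15T10:01:04,srv01,RENAME,\\fileserver\share\plan.pptx,\\fileserver\share\plan.pptx.locked
2019-10-15T10:01:05,srv01,RENAME,\\fileserver\share\old.log,\\fileserver\share\old.bak
2019-10-15T10:02:00,ws07,RENAME,C:\Users\alice\draft.docx,C:\Users\alice\final.docx
2019-10-15T10:02:10,ws07,RENAME,\\fileserver\share\a.txt,\\fileserver\share\b.txt
"""

def parse_events(text):
    """Parse the constructed CSV layout into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, op, src, dst = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "op": op, "src": src, "dst": dst})
    return events

def is_network_share(path):
    return path.startswith("\\\\")  # UNC path: file reached over a network share

def extension(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def suspicious_share_renames(events, threshold=3, window=timedelta(seconds=60)):
    """Return {host: burst_size} for hosts with >= threshold extension-changing
    renames on network-share paths inside any `window`-long interval."""
    per_host = defaultdict(list)
    for e in events:
        if (e["op"] == "RENAME" and is_network_share(e["src"])
                and extension(e["src"]) != extension(e["dst"])):
            per_host[e["host"]].append(e["ts"])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts
```

Running `suspicious_share_renames(parse_events(SAMPLE_EVENTS))` on the constructed log flags only srv01, whose five extension-changing renames on the share fall within a few seconds, while ws07's same-extension and local renames are ignored.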

Actions to Take:

Make sure that your product software is patched and up to date. Please refer to these KB articles:

Trend Micro endpoint products configured according to best practice should be able to detect and clean this malware. Refer to the KB article "Best practices in configuring OfficeScan (OSCE) for malware protection" for more information.

For machines that are isolated or have no agent installed, you can use the ATTK Online Clean Tool to clean the infected machine.

Category: Remove a Malware / Virus
Solution Id: 000261855