BitPaymer

Malware updated 4 months ago (2024-05-04T19:37:14.503Z)
BitPaymer is ransomware: it encrypts files and demands payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware-as-a-Service (RaaS) model that gained traction in 2020, BitPaymer was often deployed alongside first-stage malware such as Dridex; chaining malware families in this way produced a more complex attack framework and led to an increase in successful ransomware attacks.

To execute its malicious activities, BitPaymer would attempt to enumerate the sessions of each user logged onto the infected host and create a new process using each user's token. In some instances a period of inactivity was observed between the compromise of the domain controllers and the installation of BitPaymer. Once active, BitPaymer could be stopped before it encrypted any files if certain defenses were in place.

Falcon Intelligence acquired multiple decryption tools related to BitPaymer, confirming the theory that a unique key was used for each infection. Falcon Intelligence has been involved in multiple incident response engagements related to BitPaymer, has analyzed numerous BitPaymer samples, and has provided SHA256 hashes for these instances. Their analysis also revealed two different methods used to deploy BitPaymer once the domain controllers were compromised. Unlike other ransomware such as Hades or WastedLocker, BitPaymer creates a note for each encrypted file, which could provide additional information for analysts working on decrypting the affected files.
Description last updated: 2024-05-04T18:01:00.852Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names or profiles you may also want to look at.
ID (votes): Profile Description
Doppelpaymer (3 votes): DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Trojan
Analyst Notes & Discussion
Associated Malware
ID, type (votes): Profile Description
Dridex, unspecified type (3 votes): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Source Document References
Information about the BitPaymer malware was drawn from the source documents below. This display is limited to 20 results.
Source (created at): Title
MITRE (2 years ago): Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
MITRE (2 years ago): INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
MITRE (2 years ago): WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
MITRE (2 years ago): Clop Ransomware | McAfee Blog
MITRE (2 years ago): Stopping Serial Killer: Catching the Next Strike - Check Point Research
Secureworks (2 years ago): Ransomware Evolution
GovCERT CH (2 years ago): Severe Ransomware Attacks Against Swiss SMEs
Securityaffairs (2 years ago): European police dismantled the DoppelPaymer ransomware gang
CERT-EU (2 years ago): DoppelPaymer: Raids against ransomware gang in North Rhine-Westphalia and Ukraine (original title: DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine)
CERT-EU (a year ago): The cybersecurity weekly | 12 March 2023 • Cybersecurity (original title: L’hebdo cybersécurité | 12 mars 2023 • Cybersécurité)
CERT-EU (a year ago): Analysis of Ransomware Attack Timelines | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
Securityaffairs (a year ago): New Lobshot hVNC malware spreads via Google ads