BitPaymer

Malware updated a month ago (2024-10-17T13:02:25.943Z)

Download STIX

Preview STIX

BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of Ransomware as a Service (RaaS) model during 2020. BitPaymer has been linked to first-stage malware attacks such as Dridex, which were used to establish initial access before launching the ransomware. The GOLD DRAKE threat group later reworked BitPaymer and renamed it as DoppelPaymer, under the operation of the GOLD HERON threat group. BitPaymer's development and distribution were overseen by Evil Corp, a financially motivated Russian cybercriminal group established in 2014. This group utilized BitPaymer in combination with its long-running Dridex banking Trojan to target banks and financial institutions in over 40 countries, leading to criminal profits of over $100 million. Aleksandr Ryzhenkov, a member of Evil Corp, was indicted in the United States for his involvement with BitPaymer ransomware, and he has been sanctioned in the U.S., United Kingdom, and Australia for affiliating with LockBit. BitPaymer operates by attempting to enumerate the sessions for each user logged onto the infected host and creating a new process using the token of each user. In doing so, it can encrypt network shares and disrupt operations. However, certain defenses can stop the BitPaymer process before it can encrypt any files. CrowdStrike Falcon® Prevent is one such defense mechanism that has shown effectiveness against BitPaymer, as evidenced by the SHA256 hashes for BitPaymer samples analyzed by Falcon Intelligence.

Description last updated: 2024-10-17T12:32:38.890Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Doppelpaymer is a possible alias for BitPaymer. DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in mi	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Trojan

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Dridex Malware is associated with BitPaymer. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta	Unspecified	5

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Evil Corp Threat Actor is associated with BitPaymer. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe	Unspecified	3

Source Document References

Information about the BitPaymer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	2 months ago	Cybercrime is Still Evil Incorporated, But Disruptions Help
InfoSecurity-magazine	2 months ago	Evil Corp's LockBit Ties Exposed in Latest Phase of Operation Cronos
BankInfoSecurity	2 months ago	LockBit and Evil Corp Targeted In Anti-Ransomware Crackdown
MITRE	2 years ago	Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
MITRE	2 years ago	INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
MITRE	2 years ago	WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
MITRE	2 years ago	Clop Ransomware \| McAfee Blog
MITRE	2 years ago	Stopping Serial Killer: Catching the Next Strike - Check Point Research
Secureworks	2 years ago	Ransomware Evolution
GovCERT CH	2 years ago	Severe Ransomware Attacks Against Swiss SMEs
Securityaffairs	2 years ago	European police dismantled the DoppelPaymer ransomware gang
CERT-EU	2 years ago	DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine
CERT-EU	2 years ago	DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine
CERT-EU	2 years ago	L’hebdo cybersécurité \| 12 mars 2023 • Cybersécurité
CERT-EU	2 years ago	Analysis of Ransomware Attack Timelines \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting
Securityaffairs	2 years ago	New Lobshot hVNC malware spreads via Google ads