BitPaymer

Malware updated 7 months ago (2024-11-29T14:43:18.431Z)
Download STIX
Preview STIX
BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of Ransomware as a Service (RaaS) model during 2020. BitPaymer has been linked to first-stage malware attacks such as Dridex, which were used to establish initial access before launching the ransomware. The GOLD DRAKE threat group later reworked BitPaymer and renamed it as DoppelPaymer, under the operation of the GOLD HERON threat group. BitPaymer's development and distribution were overseen by Evil Corp, a financially motivated Russian cybercriminal group established in 2014. This group utilized BitPaymer in combination with its long-running Dridex banking Trojan to target banks and financial institutions in over 40 countries, leading to criminal profits of over $100 million. Aleksandr Ryzhenkov, a member of Evil Corp, was indicted in the United States for his involvement with BitPaymer ransomware, and he has been sanctioned in the U.S., United Kingdom, and Australia for affiliating with LockBit. BitPaymer operates by attempting to enumerate the sessions for each user logged onto the infected host and creating a new process using the token of each user. In doing so, it can encrypt network shares and disrupt operations. However, certain defenses can stop the BitPaymer process before it can encrypt any files. CrowdStrike Falcon® Prevent is one such defense mechanism that has shown effectiveness against BitPaymer, as evidenced by the SHA256 hashes for BitPaymer samples analyzed by Falcon Intelligence.
Description last updated: 2024-10-17T12:32:38.890Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Doppelpaymer is a possible alias for BitPaymer. DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in mi
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Trojan
Ransom
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Dridex Malware is associated with BitPaymer. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group taUnspecified
5
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Evil Corp Threat Actor is associated with BitPaymer. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybeUnspecified
3
The Indrik Spider Threat Actor is associated with BitPaymer. Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw IndUnspecified
2
Source Document References
Information about the BitPaymer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
SANS ISC
a month ago
Securityaffairs
a month ago
BankInfoSecurity
9 months ago
InfoSecurity-magazine
9 months ago
BankInfoSecurity
9 months ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
Secureworks
2 years ago
GovCERT CH
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago