The BitPaymer ransomware operators now are creating new variants of the malware hours before deploying it on a target network - making detection much more difficult.
Researchers from Morphisec say they have observed the tactic being used against numerous public and private sector organizations across the US over the last three months.
In a report Thursday, the security vendor said it is aware of at least 15 organizations including those in the finance, agriculture, and technology sectors that have been targeted in this way. Most had between 200 and 1,000 employees, while two of the victims employed more than 2,000 people. Numerous servers belonging to at least two of the targeted organizations were infected.
In each of the attacks, the threat group gained initial access to the target network via phishing emails that distributed Dridex, a well-known data and credential-stealing malware. Once on the network, the attacker stole Active Directory credentials and conducted reconnaissance for sensitive servers and systems to infect. They then waited for the weekend to actually deploy the ransomware.
"This carefully planned timing allows them to propagate the ransomware to 24/7 running servers and then spread as the first employees returning to work from the weekend login to the compromised network," Morphisec said.
Michael Gorelik, CTO at Morphisec, says what makes the latest BitPaymer campaign interesting is a new attack framework that enables the threat group to obfuscate and compile a custom loader for the malware literally hours before it is deployed.
The ransomware payload version itself that is being used in the attacks was complied about four months ago ..
Support the originator by clicking the read the rest link below.
