[BreachExchange] Major German manufacturer still down a week after getting hit by ransomware

Destry Winant destry at riskbasedsecurity.com
Fri Oct 25 10:06:30 EDT 2019


https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/

Pilz, one of the world's largest producers of automation tools, has
been down for more than a week after suffering a ransomware infection.

"Since Sunday, October 13, 2019, all servers and PC workstations,
including the company's communication, have been affected worldwide,"
the Germany-based company wrote on its website.

"As a precaution, the company has removed all computer systems from
the network and blocked access to the corporate network."

All the company's locations across 76 countries were impacted and were
disconnected from the main network, unable to file orders and check
customer statuses.

It took Pilz staff three days to regain access to its email service,
and another three days to restore email service for its international
locations. Access to the product orders and delivery system was
restored only today.

Production capabilities weren't impacted, but with staff unable to check
orders, production has been hampered and is running at slower rates.

BLAME BITPAYMER

The German company -- known for its automation relays, controllers,
and sensors -- is the latest in a long line of BitPaymer victims,
Maarten van Dantzig, Lead Intelligence Analyst at FoxIT, told ZDNet
today.

Van Dantzig was able to tie the Pilz infection to BitPaymer after he
found and analyzed a BitPaymer sample uploaded on VirusTotal. The
sample contained a ransom note with Pilz-related contact details,
customized for the company's network.

BitPaymer is a ransomware strain that appeared in the summer of 2017
and has been tied to several high-profile incidents at Scottish
hospitals, the PGA, two Alaskan towns (Matanuska-Susitna and Valdez),
Arizona Beverages, in attacks leveraging an iTunes zero-day, and, most
recently, at French TV station M6.

But BitPaymer is not your regular ransomware strain. BitPaymer's
authors engage in what's called "big game hunting," a term coined by
CrowdStrike that describes going only after high-value targets in the
hope of extracting a large ransom payment, instead of extorting home
consumers for meager profits.

BITPAYMER'S DRIDEX PARTNERSHIP

During the past two years, BitPaymer has been distributed exclusively
via the Dridex botnet, van Dantzig told ZDNet.

An ESET report from January 2018 claimed the ransomware was the work
of the Dridex authors themselves.

Currently, most experts believe the Dridex gang spends its time
sending email spam that infects users with the Dridex trojan, compiling
a list of victims, and then deploying BitPaymer on the networks of
large companies, in the hope of extracting huge ransoms after
encrypting their files.

Historically, this tactic has been pretty lucrative, and BitPaymer has
been tied to ransom demands going as high as $1 million, van Dantzig
told ZDNet today in a phone call.

This cybercrime model of botnet-ransomware partnership is extremely
popular these days. A similar "working relationship" also exists
between the operators of the Emotet and TrickBot botnets and the Ryuk
ransomware gang.

A SURGE IN ACTIVITY SINCE APRIL THIS YEAR

You can easily see BitPaymer's modus operandi in the chart below,
consisting of submissions to ID-Ransomware, an online service
sponsored by MalwareHunterTeam and Emsisoft where ransomware victims
can upload samples and identify the type of ransomware they've been
infected with.

Most ID-Ransomware activity charts are smooth, as there are daily
submissions from victims who get infected after opening emails or
installing ransomware-infected files.

However, for BitPaymer, this is different. The spikes show occasional
infections as the ransomware is deployed on a handful of carefully
selected targets, rather than spammed out in every direction. This
pattern is specific to "big-game hunting" ransomware operations.

Van Dantzig says companies must understand that once they recover from
a BitPaymer infection, their job is not done. System administrators
must also remove the Dridex trojan from infected hosts; otherwise
they'll be reinfected.

In fact, van Dantzig has seen this happen in the past.
