Threat actors are constantly finding new and more complex ways to deploy cyber-attacks. The affiliates behind Dridex initially used it to steal banking and personal credentials. To adapt to the changing cyber crime landscape, however, the threat actors evolved and developed BitPaymer ransomware, which repurposes Dridex for moving laterally and proliferating within a network. Just this past summer, malware analysts found a new evolution of BitPaymer ransomware, called DoppelPaymer.
This version of the ransomware campaign looks very similar to BitPaymer but is far more complex. The LIFARS Incident Response Team summarizes the common initial stages of these ransomware infections below.
TTP – Tactics, Techniques, and Procedures.
The attackers need access for only a short time: the whole intrusion can be completed as little as one week after the phishing email is delivered. Once the initial download succeeds, the attackers use PowerShell Empire together with accessible SMB shares, RDP and similar remote-access paths to move laterally and spread across the network, usually undetected by antivirus and by network tools that nobody is monitoring. They continue until the targeted number and types of machines are infected with Dridex. At that point the malware lies in wait until the switch is flipped: the systems are encrypted and the dreaded ransom note appears.
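The lateral-movement stage described above has a recognisable footprint in Windows Security logs: one source address authenticating to many different hosts over SMB (event 4624, logon type 3) or RDP (logon type 10) within a short window. The detection below is an added example written for this page, not LIFARS tooling or anything from the Dridex operators; the host names, user names, addresses and log lines are constructed for illustration, and the window and threshold are assumptions to tune per environment.

```python
"""Flag a single source that fans out over SMB or RDP to many hosts in a short
window. Example code added to this page; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4624 (successful logon) events, reduced to the
# fields the detection needs. Logon type 3 = network (SMB share access),
# type 10 = RemoteInteractive (RDP). Hosts, users and addresses are hypothetical.
SAMPLE_EVENTS = [
    # A compromised service account fans out from one workstation in six minutes.
    "2019-08-12T02:14:05 4624 type=3  user=svc_backup src=10.0.5.23 dst=FILESRV01",
    "2019-08-12T02:15:40 4624 type=3  user=svc_backup src=10.0.5.23 dst=WS-0142",
    "2019-08-12T02:16:02 4624 type=10 user=svc_backup src=10.0.5.23 dst=WS-0143",
    "2019-08-12T02:17:30 4624 type=3  user=svc_backup src=10.0.5.23 dst=DC01",
    "2019-08-12T02:18:11 4624 type=3  user=svc_backup src=10.0.5.23 dst=WS-0150",
    "2019-08-12T02:19:55 4624 type=3  user=svc_backup src=10.0.5.23 dst=FILESRV02",
    # An administrator touches the same five hosts, but spread across a workday.
    "2019-08-12T08:02:00 4624 type=10 user=j.smith src=10.0.1.7 dst=FILESRV01",
    "2019-08-12T08:40:00 4624 type=10 user=j.smith src=10.0.1.7 dst=DC01",
    "2019-08-12T09:30:00 4624 type=3  user=j.smith src=10.0.1.7 dst=WS-0142",
    "2019-08-12T11:15:00 4624 type=3  user=j.smith src=10.0.1.7 dst=WS-0143",
    "2019-08-12T13:00:00 4624 type=3  user=j.smith src=10.0.1.7 dst=WS-0150",
]


def parse_event(line):
    """Parse one simplified '<timestamp> <event id> key=value ...' line."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "id": int(event_id),
        "type": int(fields["type"]),
        "user": fields["user"],
        "src": fields["src"],
        "dst": fields["dst"],
    }


def detect_fan_out(lines, window=timedelta(minutes=10), min_hosts=5,
                   logon_types=(3, 10)):
    """Return {source address: alert} for any source that reaches at least
    min_hosts distinct hosts over the given logon types within one window."""
    events = [e for e in (parse_event(l) for l in lines)
              if e["id"] == 4624 and e["type"] in logon_types]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        # Slide a window starting at each event and count distinct targets.
        for i, start in enumerate(evs):
            hosts, users = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["dst"])
                users.add(e["user"])
            if len(hosts) >= min_hosts:
                alerts[src] = {
                    "start": start["ts"].isoformat(),
                    "hosts": sorted(hosts),
                    "users": sorted(users),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, alert in detect_fan_out(SAMPLE_EVENTS).items():
        print(f"{src} reached {len(alert['hosts'])} hosts from "
              f"{alert['start']} as {', '.join(alert['users'])}: "
              f"{', '.join(alert['hosts'])}")
```

Only the compromised workstation is flagged; the administrator reaches the same hosts but never five of them inside one ten-minute window, which is why the window matters more than the raw host count. In a real deployment the same logic runs over 4624 events collected centrally, and the threshold should be set above what backup, patching and vulnerability-scanning accounts legitimately generate.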