Skip to content

S0570 BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.1

Item Value
ID S0570
Associated Names wp_encrypt, FriedEx
Type MALWARE
Version 1.0
Created 08 February 2021
Last Modified 26 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
wp_encrypt 1
FriedEx 1

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control BitPaymer can suppress UAC prompts by setting the HKCU\Software\Classes\ms-settings\shell\open\command registry key on Windows 10 or HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 and launching the eventvwr.msc process, which launches BitPaymer with elevated privileges.1
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft BitPaymer can use the tokens of users to create processes on infected systems.1
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account BitPaymer can enumerate the sessions for each user logged onto the infected host.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder BitPaymer has set the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service BitPaymer has attempted to install itself as a service to maintain persistence.1
enterprise T1486 Data Encrypted for Impact BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending .locked to the filename.1
enterprise T1480 Execution Guardrails BitPaymer compares file names and paths to a list of excluded names and directory names during encryption.1
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.001 Windows File and Directory Permissions Modification BitPaymer can use icacls /reset and takeown /F to reset a targeted executable’s permissions and then take ownership.1
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes BitPaymer has copied itself to the :bin alternate data stream of a newly created file.1
enterprise T1070 Indicator Removal -
enterprise T1070.006 Timestomp BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.1
enterprise T1490 Inhibit System Recovery BitPaymer attempts to remove the backup shadow files from the host using vssadmin.exe Delete Shadows /All /Quiet.1
enterprise T1112 Modify Registry BitPaymer can set values in the Registry to help in execution.1
enterprise T1106 Native API BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW.1
enterprise T1135 Network Share Discovery BitPaymer can search for network shares on the domain or workgroup using net view .1
enterprise T1027 Obfuscated Files or Information BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.1
enterprise T1012 Query Registry BitPaymer can use the RegEnumKeyW to iterate through Registry keys.1
enterprise T1018 Remote System Discovery BitPaymer can use net view to discover remote systems.1
enterprise T1007 System Service Discovery BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem.1

Groups That Use This Software

ID Name References
G0119 Indrik Spider 12

References