2017 – BitPaymer ransomware
The BitPaymer ransomware is associated with Evil Corp – a cybercrime group believed to be of Russian origin. This ransomware strain introduced another trend in human-operated attacks – Big Game Hunting.
Everything started in August 2017, when BitPaymer operators successfully attacked a few hospitals from the NHS Lanarkshire board, demanding the astronomical ransom payment of $230,000 or 53 BTC.
To obtain the initial access to the target network, the group leveraged their long-standing tool – the Dridex trojan. The trojan allowed them to load PowerShell Empire – a popular post-exploitation framework – so the threat actor could move laterally through the network, and obtain elevated credentials, including with the use of Mimikatz, just like the SamSam operators.
To deploy the ransomware enterprise-wide, the threat actors leveraged a Group Policy modification, which allowed them to push a script on each host to run a piece of ransomware.
As the means of communication, the threat actors offered both emails and online chats; both could be found in the ransom note:
Figure 1.3 – BitPaymer ransom note example
In June 2019, a new ransomware was born from BitPaymer, called DoppelPaymer. It is believed that this specific ransomware was operated by a spin-off group from Evil Corp (source: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).
The mastermind behind the BitPaymer ransomware
On November 13, 2019, the FBI released an indictment charging Maksim Viktorovich Yakubets and Igor Olegovich Turashev with managing Dridex trojan operations:
Figure 1.4 – Excerpts from FBI Wanted posters
Maksim Viktorovich Yakubets is currently wanted for multiple counts of cybercriminal activity. According to various sources, it is stated that there is a $5 million reward for the apprehension of Maksim. Of course, Dridex was not the only trojan used in human-operated ransomware attacks. Another notable example is Trickbot, which is tightly connected to the Ryuk ransomware.
