CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture. We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

INDRIK SPIDER was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.” Shortly after the group’s inception, INDRIK SPIDER developed their own custom malware known as Dridex. Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated. In fact, Dridex operations were significant throughout 20, making it one of the most prevalent eCrime malware families. At this time, INDRIK SPIDER was primarily conducting wire fraud, resulting in the loss of millions of dollars globally.

Over time, INDRIK SPIDER encountered a number of obstacles to their wire fraud operations. First, in 2015 the group had to overcome a takedown operation, which resulted in the arrest of one of its affiliates, who used the alias “Smilex.” This setback was followed by a law enforcement operation in the U.K. designed to break up the money laundering network supporting INDRIK SPIDER’s monetization of Dridex campaigns. The dismantling of this network also coincided with the arrest, and subsequent imprisonment, of a U.K. bank employee who helped set up fake accounts. Perhaps as a result of these obstacles, INDRIK SPIDER changed their methods of operation in 2017, conducting smaller Dridex distribution campaigns. In August 2017, the group introduced BitPaymer ransomware and began to focus on leveraging access within a victim organization to demand a high ransom payment.

BitPaymer Origins

CrowdStrike Intelligence has tracked the original BitPaymer since it was first identified in August 2017. In its first iteration, the BitPaymer ransom note included the ransom demand and a URL for a TOR-based payment portal. The payment portal included the title “Bit paymer” along with a reference ID, a Bitcoin (BTC) wallet, and a contact email address. An example of this portal is shown in Figure 1. Within the first month of operation, the ransom amount was dropped from the ransom note.