BitPaymer Ransomware Making Noise in World of Cybersecurity

Jordan Kadlec

BitPaymer Ransomware

Business-to-business payments provider, Billtrust, and German manufacturer, Pilz, were both hit by the ransomware strain dubbed BitPaymer last week. The ransomware has also been spotted exploiting a zero-day vulnerability in the Apple Software Update service.   

BitPaymer ransomware first appeared in the summer of 2017 and has since been tied to several high-profile incidents, including the PGA, Arizona Beverages, Scottish hospitals, and two Alaskan municipalities. The creators of BitPaymer engage in what’s known as “big game hunting” where they only go after high-value targets. Instead of using the “spray and pray” technique where hackers try to infect anyone and everyone, BitPaymer goes after the big targets in hopes of extracting a large ransom payment.

Billtrust Ransomware Attack

Billtrust, a cloud-based service that allows customers to view invoices, pay, or request bills via email or fax, was hit by a BitPaymer ransomware attack on October 17th. In an email sent to customers, Billtrust indicated it was working with law enforcement officials as well as an outside consulting firm to determine the extent of the breach.

More than ten days after the ransomware attack, BitPaymer has restored most of its systems; however, some remain offline. Billtrust President Steven Pinado said that the company is implementing additional security measures to protect against a future attack. It’s unclear whether BitPaymer paid a ransom in exchange for a decryption key, but the company does have cybersecurity insurance in place.

Pilz Infected with BitPaymer Ransomware

Pilz, one of the world’s largest producers of automation tools, was infected with BitPaymer ransomware on October 13th. The firm offers a range of products vital to automate industrial environments, such as configurable safety controllers, programmable safety systems, safety sensors, operator and visualization systems, system and application software, drive technology, and integrated standard and safety automation systems.

The company has locations across 76 countries, all of which were impacted by the ransomware attack and disconnected from the main network. The attack affected the delivery of shipments and company communications. It took Pilz six days to restore complete access to its email systems and eight days to access the product orders and delivery systems.

BitPaymer Exploits Zero-Day Vulnerability in Apple Software Update Service

Several companies were targeted by BitPaymer ransomware in attacks that used an Apple zero-day vulnerability impacting the Apple Software Update service. Apple Software Update is an updater service that is automatically installed on computers when users install iTunes or iCloud for Windows or when using Boot Camp Assistant to install Windows on a Mac. The service is designed to keep all Apple applications up-to-date on a Windows device, as well as to deliver software and security updates to Windows installations running on Mac computers.

BitPaymer’s operators were able to find an unquoted path vulnerability within the Apple Software Update which allowed them to launch their ransomware on any devices that used iTunes or iCloud. They did this by taking advantage of the fact that Apple’s developers did not surround the service binary’s execution path with quotes, making it possible for them to launch the BitPaymer ransomware dropped in the form of a binary named ‘Program’ without an extension.  The Apple Software Update binary is signed by Apple thus, using it to launch the ransomware enabled them to evade detection.

BitPaymer Activity Surges

While these three examples are only the largest of the attacks, the creators of BitPaymer have been extremely busy since April. The chart below shows BitPaymer’s activity throughout the last year. The chart is a submission to ID-Ransomware, an online service sponsored by the MalwareHunterTeam and Emsisoft where victims can upload samples and detect the type of ransomware they been infected with. Most ransomware charts are smooth, as they normally have daily submissions from victims who get infected. However, for BitPaymer, the spikes show occasional infections as the ransomware is deployed on a handful of carefully selected targets, as opposed to spamming it out.

CryptoStopper by WatchPoint 

CryptoStopper, developed by WatchPoint, can protect against BitPaymer ransomware. CryptoStopper uses deception technology to detect ransomware. During the installation process, decoy files are strategically placed. We call these Watcher Files. When ransomware begins the encryption process, CryptoStopper detects it in real-time and takes automated action to stop the attack in milliseconds and then alerts you to the event. 

Antivirus and firewalls no longer provide the protection you need to save your network from a ransomware attack. 

Using deception technology and CryptoStopper is the only way to stop an actively running attack that has evaded your traditional defenses. Click here to learn more about CryptoStopper and how WatchPoint can help with your cybersecurity needs! 

Photo courtesy of 

Share this:

Entrepreneur Link



Subscribe to Email Updates

Recent Posts

Posts by Topic

see all