Attack on Everis delivered a BitPaymer variant, vector still unknown
Everis’s parent company NTT Data has maintained a deafening silence in the wake of a ransomware attack on Spain’s largest IT consultancy – which employs 24,500 staff across Europe, the USA and Latin America.
Everis was hit on Monday in what appears to have been part of a broader campaign that also struck Cadena SER, Spain’s largest radio station operator; a day later the company has yet to officially confirm the attack.
See our early report here: Spanish Businesses Hit by Wave of Ransomware Attacks
Numerous pictures of the ransomware note, as well as internal communications confirming the incident, have circulated widely on social media, and the payload itself has now emerged and is being analysed by security researchers.
UK-based security researcher Kevin Beaumont said the malware “runs arp, gets local network hosts, runs nslookup on them, then spreads laterally – still looking at how, looks to be SMB”.
The attack was a targeted one, he said, adding that there is “no evidence it’s [exploiting the vulnerability] BlueKeep”.
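As an added example that is not part of the original report, the detection logic below flags the enumeration chain Beaumont describes (arp, then a burst of nslookup against the discovered hosts) in process-creation telemetry. The event field names and the sample events are constructed for illustration, not a real telemetry schema.

```python
"""Added example: flag arp -> nslookup host enumeration in process events.
Field names (ts, host, ppid, image, cmdline) and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed Sysmon-style process-creation events: one parent process spawns
# arp, then a burst of nslookup against hosts taken from the ARP table.
SAMPLE_EVENTS = [
    {"ts": "2019-11-04T09:00:01", "host": "ws-17", "ppid": 4120, "image": "arp.exe", "cmdline": "arp -a"},
    {"ts": "2019-11-04T09:00:02", "host": "ws-17", "ppid": 4120, "image": "nslookup.exe", "cmdline": "nslookup 10.0.0.5"},
    {"ts": "2019-11-04T09:00:02", "host": "ws-17", "ppid": 4120, "image": "nslookup.exe", "cmdline": "nslookup 10.0.0.6"},
    {"ts": "2019-11-04T09:00:03", "host": "ws-17", "ppid": 4120, "image": "nslookup.exe", "cmdline": "nslookup 10.0.0.7"},
    {"ts": "2019-11-04T09:00:03", "host": "ws-17", "ppid": 4120, "image": "nslookup.exe", "cmdline": "nslookup 10.0.0.5"},
    # Benign activity on another host: a single manual lookup with no ARP sweep.
    {"ts": "2019-11-04T09:05:00", "host": "ws-22", "ppid": 880, "image": "nslookup.exe", "cmdline": "nslookup intranet"},
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def detect_recon_chains(events, window=timedelta(minutes=2), min_targets=3):
    """Return one finding per (host, parent pid) where arp is followed within
    `window` by nslookup against at least `min_targets` distinct IP addresses."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[(e["host"], e["ppid"])].append(e)
    findings = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        arps = [e for e in evs if e["image"].lower() == "arp.exe"]
        if not arps:
            continue  # no ARP table dump from this parent: not the pattern
        t0 = datetime.fromisoformat(arps[0]["ts"])
        targets = set()
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["image"].lower() == "nslookup.exe" and t0 <= t <= t0 + window:
                targets.update(IPV4.findall(e["cmdline"]))
        if len(targets) >= min_targets:
            findings.append({"host": host, "ppid": ppid, "targets": sorted(targets)})
    return findings

if __name__ == "__main__":
    for f in detect_recon_chains(SAMPLE_EVENTS):
        print(f"{f['host']} parent {f['ppid']}: arp -> nslookup on {len(f['targets'])} hosts")
```

Tune `window` and `min_targets` to the environment; a single lookup from an administrator, as on the second host in the sample, does not trip the rule.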
The attack will have been particularly painful for Everis, which has a presence in 18 countries, including the Netherlands, the UK, the US and Switzerland, given its role as a managed services provider (MSP) and managed security services provider (MSSP).
With the company as yet declining to respond to repeated requests for comment, Computer Business Review was unable to confirm social media speculation that branches of the company in LatAm were also affected.
The precise type of ransomware also still seems to be disputed, but most sources say it is a variant of the BitPaymer ransomware, possibly DoppelPaymer, which is described in this report by Crowdstrike. (In July Crowdstrike had identified eight distinct malware builds and three confirmed DoppelPaymer victims “with ransom amounts of 2 BTC, 40 BTC and 100 BTC. Based on the USD to BTC exchange rate at the time of this writing, these ransom amounts vary from approximately $25,000 to over $1,200,000.”)
It's manually targeted at Everis. Think Norsk Hydro. I imagine they had a bad Word macro or RDP bruteforce. Gonna be a rebuild job to clean out attackers.
— Kevin Beaumont (@GossiTheDog) November 5, 2019
Everis Hacked: Not BlueKeep, Experts Say
The attack came the same day that the first malware exploiting the closely watched BlueKeep vulnerability emerged in the wild, making use of the wormable security flaw that affects unpatched versions of Windows 7, Windows XP, Windows Server 2008 R2 and Windows Server 2008 to deliver its payload.
The BlueKeep malware was dropping a cryptocurrency miner onto unpatched machines, six months after Microsoft pushed out a rare out-of-band security fix and despite a steady drumbeat of warnings from both US and UK cybersecurity authorities that far too many machines remained vulnerable.
The attacks in Spain may have used Dridex, with an initial foothold in Everis’s systems gained via a phishing attack. Kaspersky Lab describes Dridex, which has been around in various forms for over six years, as “owned and developed by the same people since its creation. This is very rare for malware.”
A report yesterday by Cisco Talos meanwhile revealed a cache of tools deployed by cybercriminals in such ransomware attacks.
Talos’ examination of a server the company’s security researchers found (containing a “large stockpile of malicious tools”) revealed ransomware such as DoppelPaymer, credit card capture malware such as TinyPOS, and “loaders that execute code delivered directly from the command and control (C2) servers.”
The attackers had left a screenshot from the HPE Data Protector management interface among their files on the server (image above), which Talos used to identify some potential victims. The screenshot revealed which of the victims’ servers were being backed up, with another file showing which were important to the attackers.
“This, in conjunction with the ransomware located on the server, indicates the intent of deploying ransomware on the infrastructure, showing a manual and targeted approach more advanced than the simple execution of malware,” Talos noted.
“An Evolution of Bitpaymer”
The majority of the Windows binaries available on the server discovered by Talos were DoppelPaymer samples, an evolution of the BitPaymer ransomware first documented by Crowdstrike and widely reported to have been used in the Spanish attacks.
“We identified seven different binaries. The oldest one was uploaded on Oct. 5, with the most recent originating from Oct. 20. As previously documented, the ransomware needs to be executed with a key in argument. We identified how the key was put in argument by this actor. A WinRAR self-extracting archive (SFX) is used to extract the ransomware and execute the following command:
“In our example, the key is ‘QWD5MRg95gUEfGVSvUGBY84h’,” Talos noted.
“The hard-coded path proves the attackers… had prior knowledge of the target’s infrastructure prepared the package in the target infrastructure.”
There is no evidence that this cache of tools and the Spanish attack are linked, but it does emphasise both the increasingly targeted nature of such attacks and the wide range of rapidly evolving tools deployed by such cybercriminals.
Jose Miguel Esparza, head of threat intelligence at Blueliv, told Computer Business Review: “[SER and Everis] were attacked by a different ransomware family.
“According to the published ransomware note and the extension used by the malware (.3v3r1s), Everis was hit by targeted ransomware operated by the Dridex Group or a subgroup of it. The attack vector is still unknown. The usual way to spread BitPaymer is to use already existing Dridex infections to access the compromised network, move laterally using PowerShell Empire and install the ransomware manually on critical systems.
He added: “Security researchers suggest that Cadena SER (Prisa Group) was targeted by Ryuk, which is operated by the Trickbot Group. The attack vector is unknown too.
“If it was indeed Ryuk, the usual way to spread Ryuk is using already existing Trickbot infections to access the compromised network, move laterally and install the ransomware manually. It is common to see Emotet dropping Trickbot and afterwards Ryuk. Some sources say that Everis was asked for 750,000€ as a ransom to recover their systems from the incident, while Cadena SER was asked for a similar amount. Those amounts were not confirmed by Blueliv, but it is not uncommon for these groups to ask for those amounts when they perform these targeted ransomware attacks.”