Threat actors are using accounts with admin privileges to install BitPaymer ransomware via PsExec suggesting threat actors are taking a more targeted approach to their distribution of malware.
Similar to the Arizona Beverage ransomware attack earlier this month, a manufacturing company also appears to have been targeted in an attack in which the company’s name was explicitly mentioned in the ransom note.
This lead Trend Micro Researchers to believe an account with administrative privileges may have been compromised to install BitPaymer via PsExec.
“BitPaymer, which is related to the iEncrypt ransomware, was executed in the manufacturing company’s system using PsExec,” researchers said in an April 15 blog post. “Our analysis revealed that on February 18, 2019 PST, between 9:40 p.m. and 11:03 p.m., commands were sent via PsExec to copy and execute the BitPaymer variant.”
Between January 29 to February 18 threat actors attempted multiple attempts to run an Empire PowerShell backdoor on several of the machines that were detected by researchers.
It's possible that one of these attacks resulted in a security breach that took place before the ransomware was installed since researchers said that the attacker needed at least one account with administrative privileges in order to run the commands.
Researchers said these infections could have been prevented if the victims has used a managed detection and response security services that would allow experts to spot threats before they damage organizations’ IT systems.