BitPaymer Ransomware hides behind Windows Alternate Data Streams
Apr 10, 2018
Threat name: BitPaymer Ransomware
IOC hash (SHA256): 8943356b0288b9463e96d6d0f4f24db068ea47617299071e6124028a8160db9c
Encrypted files are renamed with the extension .locked
Files ending with Readme_txt are created containing the ransom notes
BitPaymer ransomware was first seen in mid-2017 and was known to infect hospitals and demand a huge ransom. Earlier versions of BitPaymer allegedly demanded a whopping 20 to 50 bitcoins, which would approximately amount to a hundred thousand dollars. This means that the ransomware was targeting organizations rather than individuals. Recently, we came across a variant of this ransomware.
Fig: BitPaymer ransom note
BitPaymer uses a unique hiding mechanism that abuses alternate data streams (ADS), a feature of the NTFS file system, to keep itself out of plain sight.
Earlier versions of BitPaymer hid their own files by attaching themselves to blank files as an ADS. The latest version copies a clean Windows system executable to the application data folder and then adds a copy of itself as an ADS of that clean copy. This can evade security tools that are unable to inspect ADS. The file name of the copied clean executable is usually 8 characters long and ends in “~1”, e.g. “SOWI3D~1”. In this version of BitPaymer the ADS is named “:bin”, whereas earlier versions used “:exe”. So the full name in this case is “SOWI3D~1:bin”, where “bin” is the copy of the malware hidden as an ADS. Windows Explorer and file browsing tools like Far Manager show only “SOWI3D~1” as the file name.
After adding itself as an ADS to the copy of the clean Windows system executable, the malware launches the copied executable.
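A defender-side check for the staging pattern described above, as an added example that is not from the original post: it walks the user's application data folders, lists every non-default NTFS stream, flags streams named "bin" or "exe" (the names the post reports), 8.3-style file names ending in "~1", and streams that start with a PE (MZ) header, and hashes each stream so it can be compared against the IOC. The folder list, regex and output fields are assumptions; `Get-Item -Stream` and `Get-FileHash -InputStream` are built-in PowerShell cmdlets and need Windows/NTFS.

```powershell
# Added example, not BitPaymer or the post's own code. Requires Windows (NTFS).
param(
    # Assumed places to hunt; the post only says "application data folder".
    [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA),
    # Stream names the post reports for this (":bin") and earlier (":exe") versions.
    [string[]]$SuspiciousStreams = @('bin', 'exe')
)

# Returns one object per alternate data stream found under the given roots.
function Find-HiddenStreams {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_.Stream
                    $hdr = New-Object byte[] 2
                    $hash = $null
                    try {
                        # .NET opens an ADS with the same "path:stream" syntax the post shows.
                        $fs = [System.IO.File]::OpenRead("$($file.FullName):$stream")
                        try {
                            [void]$fs.Read($hdr, 0, 2)      # first two bytes: 'MZ' for a PE image
                            $fs.Position = 0
                            $hash = (Get-FileHash -InputStream $fs -Algorithm SHA256).Hash
                        } finally { $fs.Dispose() }
                    } catch { }                              # locked or unreadable stream: report without hash
                    [pscustomobject]@{
                        File      = $file.FullName
                        Stream    = $stream
                        Bytes     = $_.Length
                        IsPE      = ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                        NameMatch = $file.Name -match '^[A-Z0-9]{6}~1$'   # e.g. SOWI3D~1 (assumed pattern)
                        StreamHit = $SuspiciousStreams -contains $stream
                        SHA256    = $hash                                  # compare with the post's IOC hash
                    }
                }
        }
    }
}

Find-HiddenStreams -Paths $Roots |
    Where-Object { $_.IsPE -or $_.StreamHit -or $_.NameMatch } |
    Sort-Object File | Format-Table -AutoSize
```

Any hit where `IsPE` is true is worth triage on its own, since a legitimate ADS (for example the Zone.Identifier mark-of-the-web) is small text, not an executable image.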
Fig: process created from ADS
Like other ransomware, BitPaymer also tries to delete backups. Most ransomware is known to use only VSSAdmin to delete shadow copies, but this one also appears to use “diskshadow.exe” (note: shadow copies are used for backup purposes). The malware then executes the following commands to delete backups.