A relatively new ransomware that infected Scottish hospitals last summer appears to be created by the same developers who are responsible for the dreaded Dridex banking trojan.
Commonly known as BitPaymer, the ransomware has now earned the moniker FriedEx due to its newfound affiliation, with which its shares similar code and techniques to conceal information about it behavior, according to researchers from ESET.
Just like its banking Trojan cousin, BitPaymer “resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc.,” states Michal Poslusny, ESET malware researcher, in a company blog post. “The resulting binary is very low profile in terms of static features and it's very hard to tell what the malware is doing without a deeper analysis.”
Upon further investigation, ESET learned that the FriedEx code also uses many of the same functions as Dridex does (including one for generating a unique UserID identifier for victimised machines), and even orders these functions within the malware binaries the same way.
ESET also found samples from both malwares that use the same PDB (Program Database) path. Moreover, certain Dridex and FriedEx samples have the same or nearly synchronous date-of-compilation timestamps, with identical randomly generated constants – which suggests that they were likely compiled concurrently.
If that wasn't enough proof that the two are related, both malwares are compiled in Visual Studio 2015.
“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers,” the blog post concludes. “This discovery gives us a better picture of the group's activities – we can see that the group continues to be active and not only consistently updates their banking Trojan… [but] also follows the latest malware trends, creating their own ransomware.”
According to ESET, FriedEx/BitPaymer is focused on high-profile targets and companies, and is typically delivered through an RDP (Remote Desktop Protocol) brute force attack. Discovered in July 2017, the ransomware would soon after infected several hospitals operated by Scotland's NHS Lanarkshire health care board.
Dridex first debuted in 2014, and it is estimated that the trojan is directly responsible for hundreds of millions of dollars in losses over the years. The Trojan recently evolved to include support for webinjects into Chrome version 63, and to perform a code injection technique called AtomBombing.