Delaware, USA – November 5, 2019 – Ransomware operators continue to attack organizations in European countries. Three weeks after the attack on Pilz, a German automation technology company, adversaries turned their attention to Spain and encrypted systems in two companies. More information is currently known about the attack on Everis, one of the largest managed service providers in Spain. Their systems were infected with a specially crafted version of BitPaymer ransomware, which added the .3v3r1s extension to encrypted files and demanded €750,000 for the decryption key. The company disabled its network and warned employees not to turn on their PCs. According to BleepingComputer publication, a BlueKeep exploit may have been involved in this attack, but so far there is no evidence. This version is supported by the fact that the internal network of the company is down and attackers could use one of the unpatched RDP vulnerabilities to spread across the network.
The second victim of cybercriminals is Cadena SER, the radio station network. It has not yet been reported which ransomware strain was used, but it is possible to draw parallels between the attack on Pilz and these attacks, and assume that the Cadena SER systems were also infected with BitPaymer ransomware: on the day the German company was encrypted, the adversaries also made a less successful attempt to attack France’s largest privately-owned multimedia group – M6. We are waiting for updates and preparing for new attacks by the authors of Dridex trojan. You can use the community rules available on Threat Detection Marketplace to uncover activity of Dridex trojan and clear systems before it drops BitPaymer infection: https://tdm.socprime.com/tdm/info/GN1qQlT3qRCj/