The authors of the infamous Dridex banking Trojan have now moved into ransomware with FriedEx (also known as BitPaymer).
Image Source: ESET
“Dridex has been a nightmare for computer users, companies and financial institutions for several years now, so much so that for many, it has become the first thing that comes to mind when talking about banking trojans”, ESET researchers said. According to their most recent findings, the authors of Dridex have also developed another high-profile malware family: the FriedEx ransomware, detected as Win32/Filecoder.FriedEx and Win64/Filecoder.FriedEx.
This ransomware was previously known as BitPaymer, which was discovered by Michael Gillespie and was active in the summer of 2017.
BitPaymer is file-encrypting ransomware that appears to have been aimed mainly at corporations and large firms. It appends the .locked extension to every file it encrypts and drops a text file with the ransom note next to each encrypted file. BitPaymer demanded a ransom of 50 Bitcoin and backed it with an empty threat that the victim’s files would be leaked on the Web.
In August 2017, BitPaymer hit NHS hospitals in Scotland. FriedEx, by contrast, appears to target higher-profile companies and is delivered mainly through RDP brute-force attacks, which makes Internet-exposed RDP with weak or reused passwords the entry point to close first.
According to ESET researchers, the ransomware encrypts each file with a randomly generated RC4 key; that key is in turn encrypted with a hardcoded 1024-bit RSA public key and stored in the corresponding .readme_txt file. Because every file gets its own RC4 key and only the attackers hold the RSA private key, recovering one file key does not help with the others, and the files cannot be decrypted without that private key.
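The following is an added illustration of the hybrid scheme ESET describes (per-file RC4 key wrapped with an RSA public key); it is not FriedEx code. The RSA key is a toy built from two Mersenne primes rather than a real 1024-bit modulus, textbook RSA without padding is used to keep the structure visible, and the 16-byte RC4 key length is an assumption (the article gives no length). The point is that the wrapped key in the note is useless to the victim without the private exponent, and that a fresh key is produced for every file.

```python
import os

# Toy RSA key: p = 2^61 - 1 and q = 2^89 - 1 are both prime, so n is ~150 bits.
# This is far smaller than the hardcoded 1024-bit key ESET reports and is
# for illustration only; no padding is applied (textbook RSA).
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # attacker-held private exponent
RSA_LEN = (RSA_N.bit_length() + 7) // 8       # byte length of a wrapped key

KEY_LEN = 16  # bytes of RC4 key per file (assumed; not stated in the article)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: applying it twice restores the data."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_file(plaintext: bytes):
    """Attacker side: random RC4 key per file, wrapped with the public key.

    Returns (ciphertext, wrapped_key). The wrapped key is what would be
    written into the per-file .readme_txt note.
    """
    file_key = os.urandom(KEY_LEN)             # 128-bit value, always < RSA_N
    wrapped = pow(int.from_bytes(file_key, "big"), RSA_E, RSA_N)
    return rc4(file_key, plaintext), wrapped.to_bytes(RSA_LEN, "big")


def unwrap_key(wrapped: bytes, d: int) -> bytes:
    """Recover the per-file RC4 key; only works with the real private exponent."""
    k = pow(int.from_bytes(wrapped, "big"), d, RSA_N)
    if k >= (1 << (8 * KEY_LEN)):
        raise ValueError("unwrapped value is not a valid file key (wrong private key?)")
    return k.to_bytes(KEY_LEN, "big")


def decrypt_file(ciphertext: bytes, wrapped: bytes, d: int) -> bytes:
    """Victim can only do this if handed d; the public key alone is useless."""
    return rc4(unwrap_key(wrapped, d), ciphertext)


if __name__ == "__main__":
    sample = b"constructed sample document contents\n" * 4
    ct, note_key = encrypt_file(sample)
    assert decrypt_file(ct, note_key, RSA_D) == sample
    print("round trip ok; wrapped key is", len(note_key), "bytes")
```

Each call to `encrypt_file` draws a new key, so two encryptions of the same file produce different wrapped keys and different ciphertexts; an incident responder who recovers one RC4 key from memory has recovered exactly one file.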
In December 2017, the researchers took a closer look at the FriedEx samples and noticed that the code resembled Dridex.
Intrigued by the initial findings, the researchers “dug deep into the FriedEx samples, and found out that FriedEx uses the same techniques as Dridex to hide as much information about its behavior as possible”.
What does this mean? The ransomware resolves all system API calls dynamically at run time instead of importing them, stores all of its strings encrypted, and looks up registry keys and values by hash rather than by name. The result is a very low-profile binary whose imports, strings and registry artifacts reveal little about what it does, which makes it hard to tell what malicious activity is taking place. This covert behavior prompted the researchers to look deeper, which turned up a number of additional similarities. Their conclusion is that the two malware families are built by the same developers.
The researchers also found several instances of Dridex and FriedEx that were compiled at the same time. On its own this could have been a coincidence, were it not for all the other resemblances. In addition:
Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection.
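To make the API-by-hash technique above concrete, here is an added example (not FriedEx or Dridex code) of both sides of it: the malware side that walks an export table comparing hashes so no API name appears in the binary, and the analyst side that precomputes a hash-to-name table to undo it. The ROR-13 hash is a common choice in malware and is assumed here for illustration; the article does not say which hash FriedEx uses, and the export lists are constructed stand-ins for real DLL export tables.

```python
# Added illustration of resolving Windows APIs by hash instead of by name.
# ROR-13 over the ASCII export name is assumed; FriedEx's actual hash is not
# given in the article. EXPORTS is a constructed stand-in for DLL export tables.

def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13-and-add hash over an export name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # ROR 13
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed export tables (a handful of real kernel32/advapi32 names).
EXPORTS = {
    "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile",
                     "FindFirstFileW", "MoveFileExW", "GetProcAddress"],
    "advapi32.dll": ["RegOpenKeyExW", "RegQueryValueExW", "CryptGenRandom"],
}


def malware_lookup(target_hash: int, exports: dict):
    """Malware side: only the hash is embedded; the name is found by walking
    each loaded module's export table and hashing every entry."""
    for dll, names in exports.items():
        for n in names:
            if ror13_hash(n) == target_hash:
                return dll, n
    return None


def build_hash_table(exports: dict) -> dict:
    """Analyst side: precompute hash -> (dll, name) for every known export."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table[ror13_hash(n)] = (dll, n)
    return table


def resolve_imports(hashes, table: dict):
    """Map hashes pulled out of a sample back to API names. Unknown hashes
    are returned as None so the analyst knows which exports are missing
    from the table rather than silently mis-resolving them."""
    return [table.get(h) for h in hashes]


if __name__ == "__main__":
    # Constructed: hashes an analyst might pull out of a sample's code.
    found = [ror13_hash("FindFirstFileW"), ror13_hash("RegOpenKeyExW"), 0xDEADBEEF]
    for h, r in zip(found, resolve_imports(found, build_hash_table(EXPORTS))):
        print(f"{h:08x} -> {r}")
```

The analyst table is only as good as the export lists fed into it, so in practice it is built from the real DLLs of the target Windows version; a hash that stays unresolved usually means the export came from a module not yet in the table, not that the hash function is wrong.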
FriedEx Ransomware Removal Instructions
If your computer has been infected with the FriedEx ransomware, removing it takes some experience with malware removal. Get rid of the ransomware as quickly as possible, before it gets the chance to spread further and infect other computers on the network, and follow the step-by-step removal guide provided below.