
The authors of the infamous Dridex banking trojan and the Necurs spam botnet appear to have also created the FriedEx ransomware, according to an ESET report released earlier today.

If the name FriedEx confuses some of our readers, this is the codename under which ESET detects a ransomware previously known as Bit Paymer or BitPaymer.

This ransomware was discovered by security researcher Michael Gillespie in July 2017 and made headlines in August when crooks used it to lock the IT systems of several Scottish hospitals.

While FriedEx is the name that ESET uses, most users will refer to it as Bit Paymer, as this is the text that appears in the ransom notes, and the term that most users will use when searching for help online. Nonetheless, out of respect for ESET's research, we'll be referring to it as FriedEx for this article.

ESET unearths evidence linking Dridex to FriedEx

In a report published today, ESET says it found numerous clues in FriedEx samples that link the ransomware to the Dridex banking trojan.

Below is a summary of ESET's findings linking the two malware families.

- Both Dridex and FriedEx are compiled in Visual Studio 2015.
- Same PDB path (S:\Work\_bin\), which suggests both were compiled on the same system. ESET says a search of its entire malware database found only Dridex and FriedEx samples using this PDB path.
- Several Dridex and FriedEx samples share the same compilation date.
- Other samples have compilation timestamps only minutes apart.
- Same order of functions in the binaries (this occurs when the same codebase or static library is used in multiple projects).
- Dridex and FriedEx use the same malware packer (also used by QBot, Emotet, and Ursnif).
- Constants that are supposed to be randomly generated are identical in some Dridex and FriedEx samples.
- Many similar blocks of code (see images below).

"With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers," said Michal Poslušný, the ESET malware analyst behind this research.
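The build-artifact pivots in ESET's list (PDB path, compilation timestamp, Rich header) can be extracted from PE files and compared across samples. The script below is an added example, not ESET's tooling; it parses a minimal PE image that it constructs itself, so the PDB filename, Rich header entries and XOR key used when running it are placeholder values, not data from real Dridex or FriedEx samples.

```python
import struct

DANS = 0x536E6144  # little-endian "DanS", the marker that opens a Rich header

def parse_pe(data: bytes) -> dict:
    """Pull the three build artifacts out of a PE image: COFF compile timestamp,
    CodeView (RSDS) PDB path, and the unmasked Rich header tool list."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # COFF TimeDateStamp
    # RSDS record: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path
    pdb = None
    i = data.find(b"RSDS")
    if i != -1:
        pdb = data[i + 24:data.index(b"\0", i + 24)].decode("latin-1")
    # Rich header: DWORDs XOR-masked with the key stored right after "Rich";
    # walking back from "Rich" until the unmasked value reads "DanS" recovers it
    rich = []
    r = data.find(b"Rich", 0, e_lfanew)
    if r != -1:
        key = struct.unpack_from("<I", data, r + 4)[0]
        words, pos = [], r - 4
        while pos >= 0 and (w := struct.unpack_from("<I", data, pos)[0] ^ key) != DANS:
            words.append(w)
            pos -= 4
        words = words[::-1][3:]  # drop the three zero padding DWORDs that follow DanS
        # each entry is (product id, build number, use count)
        rich = [(words[j] >> 16, words[j] & 0xFFFF, words[j + 1]) for j in range(0, len(words) - 1, 2)]
    return {"timestamp": timestamp, "pdb": pdb, "rich": rich}

def compare(a: dict, b: dict) -> dict:
    """Evaluate the links from the article's list between two parsed samples."""
    return {"same_pdb_path": a["pdb"] is not None and a["pdb"] == b["pdb"],
            "compile_gap_minutes": abs(a["timestamp"] - b["timestamp"]) / 60,
            "same_rich_header": a["rich"] == b["rich"]}

def build_sample(timestamp: int, pdb_path: str, rich_entries, key=0x1234ABCD) -> bytes:
    """Constructed stand-in PE image (not a real sample) carrying the three artifacts."""
    words = [DANS ^ key, key, key, key]  # masked marker plus three masked zero paddings
    for prodid, build, count in rich_entries:
        words += [((prodid << 16) | build) ^ key, count ^ key]
    rich = struct.pack("<%dI" % len(words), *words) + b"Rich" + struct.pack("<I", key)
    e_lfanew = 0x40 + len(rich)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    debug = b"RSDS" + b"\0" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return dos + rich + coff + debug
```

On real files the same three fields are what a PE parser such as pefile exposes; a shared PDB path or an identical Rich header across families is a pivot worth checking, a compile gap of minutes is supporting evidence only.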

Comparison of GetUserID function present in both Dridex and FriedEx samples

Comparison of function order in Dridex and FriedEx samples. Functions that are missing in the other sample are highlighted in the corresponding color

List of all PDB paths found in the Dridex and FriedEx projects

GetAPIByHash function in Dridex samples with compilation time difference of 3 days. The highlighted constant is different

GetAPIByHash function in Dridex and FriedEx binaries compiled the same day. The highlighted constant is the same in both samples

Rich header data found in Dridex and FriedEx samples
