The authors of the infamous Dridex banking trojan and the Necurs spam botnet appear to have also created the FriedEx ransomware, according to an ESET report released earlier today.
If the name FriedEx confuses some of our readers: it is the codename under which ESET detects a ransomware previously known as Bit Paymer or BitPaymer.
This ransomware was discovered by security researcher Michael Gillespie in July 2017, and the ransomware made headlines in August when crooks used it to lock the IT systems of several Scottish hospitals.
While FriedEx is the name that ESET uses, most users will refer to it as Bit Paymer, as this is the text that appears in the ransom notes, and the term that most users will use when searching for help online. Nonetheless, out of respect for ESET's research, we'll be referring to it as FriedEx for this article.
ESET unearths evidence linking Dridex to FriedEx
In the report published today, ESET says there are countless clues in FriedEx samples that link it to the Dridex banking trojan.
Below is a summary of all of ESET's findings, linking the two malware families together.
- Both Dridex and FriedEx are compiled with Visual Studio 2015.
- Same PDB path (S:\Work\_bin\), which suggests both were compiled on the same system; ESET says a search of its entire malware database found this PDB path only in Dridex and FriedEx samples.
- Several Dridex and FriedEx samples feature the same compilation date.
- Other samples feature compilation dates only minutes apart.
- Same order of functions in the binaries (this occurs when the same codebase or static library is used across multiple projects).
- Dridex and FriedEx use the same malware packer (also used by QBot, Emotet, and Ursnif).
- Constants that are supposed to be randomly generated are identical in some Dridex and FriedEx samples.
- Many similar blocks of code (see images below).
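Two of the clues above, a shared PDB path and compilation timestamps only minutes apart, are plain PE header artifacts that a defender can pull out and compare across samples. The script below is an added example, not ESET's or Bleeping Computer's code: it reads the COFF TimeDateStamp and the CodeView "RSDS" PDB record from raw PE bytes and reports sample pairs that share a PDB directory or were built within a short window. The samples, timestamps and file names are constructed for illustration; only the S:\Work\_bin\ directory comes from the report.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from itertools import combinations

# CodeView "RSDS" debug record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
_RSDS = re.compile(rb"RSDS.{20}([^\x00]{1,260})\x00", re.DOTALL)

def pe_metadata(blob: bytes) -> dict:
    """Return the COFF TimeDateStamp and any embedded PDB path from raw PE bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header after the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    timestamp = struct.unpack_from("<I", blob, e_lfanew + 8)[0]
    m = _RSDS.search(blob)  # raw scan, so it works even without walking the debug directory
    return {"compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "pdb": m.group(1).decode("latin-1") if m else None}

def pdb_dir(path):
    """Directory part of a PDB path, e.g. 'S:\\Work\\_bin\\'."""
    return path.rsplit("\\", 1)[0] + "\\" if path and "\\" in path else path

def link_pairs(samples: dict, window=timedelta(minutes=10)) -> list:
    """Report sample pairs sharing a PDB directory or compiled within `window` of each other."""
    meta = {name: pe_metadata(blob) for name, blob in samples.items()}
    hits = []
    for a, b in combinations(sorted(meta), 2):
        reasons = []
        if meta[a]["pdb"] and pdb_dir(meta[a]["pdb"]) == pdb_dir(meta[b]["pdb"]):
            reasons.append("same PDB directory " + pdb_dir(meta[a]["pdb"]))
        if abs(meta[a]["compiled"] - meta[b]["compiled"]) <= window:
            reasons.append("compiled within %s" % window)
        if reasons:
            hits.append((a, b, reasons))
    return hits

def fake_pe(timestamp: int, pdb_path: bytes) -> bytes:
    """Constructed minimal PE-like blob: MZ header, e_lfanew, COFF header, RSDS record."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 1, timestamp) + b"\x00" * 12
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path + b"\x00"
    return bytes(header) + coff + b"\x00" * 32 + rsds

SAMPLES = {  # constructed samples; names, times and file names are illustrative only
    "dridex_a": fake_pe(1500000000, rb"S:\Work\_bin\loader.pdb"),
    "friedex_a": fake_pe(1500000000 + 240, rb"S:\Work\_bin\crypt.pdb"),
    "unrelated": fake_pe(1400000000, rb"C:\dev\other\tool.pdb"),
}

if __name__ == "__main__":
    for a, b, why in link_pairs(SAMPLES):
        print(a, "<->", b, ";", "; ".join(why))
```

On real corpora the same two fields are what a malware database query like the one ESET describes would index, with the packer and function-order checks requiring unpacking and disassembly first.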
"With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers," said Michal Poslušný, the ESET malware analyst behind this research.
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more.