BitPaymer attack has blocked the work of the industrial giant Pilz, one of the largest manufacturers of industrial automation tools

Pilz GmbH & Co. KG
Company type: GmbH & Co. KG
Industry: Automation technology
Founded: 1948
Revenue: 338 million EUR (2017)
Number of employees: 2,346 (2017)
Subsidiaries: 40

Pilz was forced to shut down most of its systems after an attack by the BitPaymer ransomware. The incident affected all Pilz facilities in 76 countries around the world, which lost contact with the main network for more than a week.
Pilz attack investigation

According to the organization, the problems began on October 13. Although the production lines themselves were not affected, workflows were disrupted by failures in the order processing systems. It took employees three days to restore email. Access to the product delivery systems was restored only by October 21.

Experts linked the incident to the BitPaymer ransomware, which is known for attacks on a district administration in Alaska, the company Arizona Beverages, and the French TV channel M6. Earlier this month, researchers reported that the malware infiltrates corporate infrastructure through a 0-day in the Bonjour utility for iTunes.

Maarten van Dantzig, a lead analyst at Fox-IT, told journalists that after the attack on Pilz a BitPaymer sample was found on VirusTotal carrying the same ransom demand that employees of the industrial giant had received. The researcher pointed out that the current incident fits the ransomware's pattern of behavior: its operators prefer hunting for single targets to mass campaigns. The attackers demand large sums of money from such victims, up to a million dollars.
BitPaymer and Dridex connection

Analysts believe that BitPaymer could have been created by the same people who run the Dridex Trojan. In recent years, the ransomware has relied on this malware to find victims: criminals deliver Dridex through malicious spam, identify corporate users among the affected targets, and deploy the ransomware on their machines.

Similar cooperation exists between other players in the cybercrime market.

For example, the Ryuk ransomware is often found on computers after Emotet and TrickBot attacks.

Thus, companies that have encountered ransomware need to carefully check their infrastructure for the presence of other malware. Otherwise, criminals can strike again: according to van Dantzig, information security experts have already encountered such cases in practice.
The specifics of the current threats to the industry

As a recent Kaspersky study showed, industrial companies are facing increasing pressure from cybercriminals. This is evidenced by the fact that in the first half of this year, the share of attacked automated control system computers remained practically unchanged compared to the second half of 2018. At the same time, the number of malicious programs in industrial systems increased by 10% during the reporting period.

In turn, Europol analysts noted the growing share of targeted ransomware campaigns. According to experts, in the first half of this year the number of wiper attacks that sabotaged production processes in the industrial sector doubled.