Business Continuity Management / Disaster Recovery , Cybercrime , Fraud Management & Cybercrime

Report: Billtrust Recovering From Ransomware Attack

A Customer of Cloud-Based Payment Provider Provides Some Details
Report: Billtrust Recovering From Ransomware Attack

Billtrust, a cloud-based, business-to-business payment provider, reportedly is continuing to recover from a ransomware attack that crippled its IT systems.

See Also: Ransomware Response Essential: Fixing Initial Access Vector

Billtrust President Steven Pinado told security blogger Brian Krebs that the company was hit by a ransomware attack on Oct. 17 and was still attempting to recover the affected systems as of Wednesday.

The company's clients do not have access to all of Billtrust's systems, but customer data has not been affected, according to a series of updates posted by Wittichen Supply Co., a Billtrust client that’s providing some insights on the recovery process.

Pinado declined to say if Billtrust will pay a ransom to receive the decryption key, although he noted that company carries cyber insurance, Krebs reports.

"We're aware of the malware and have been able to stop the activity within our systems,” Pinado told Krebs. "We immediately started focusing on control, remediation and protection. The impact of that was several systems were no longer available to our customers. We've been fighting the fight, working on restoring services and also digging into the root cause."

Pinado said Billtrust is working with law enforcement as part of the investigation.

Billtrust did not immediately respond to a request for comment on Wednesday. In a recent announcement, Billtrust said it has processed some $30 billion in ACH and card payments over the first nine months of this year.

Customers Notified

Billtrust began notifying customers of the incident last week before its president discussed the breach with Krebs.

Wittichen Supply Co. said in its updates that Billtrust noted that credit applications for its Billtrust Credit, Billtrust eCommerce, Billtrust Virtual Card Capture and other services were shut down due to the ransomware attack.

"Billtrust systems continue to come back online, and we are in the process of catching up the missing data from the outage," Wittichen told its customers in a Monday update.

“A source familiar with the matter” told BleepingComputer that the Billtrust was hit by the BitPaymer ransomware.

In his interview with Krebs, Pinado declined to discuss the specific ransomware involved in the attack.

Surging Ransom Demand

Security experts note that threat actors are using ransomware attacks to make larger ransom demands.

For example, on Oct. 13, the German-based automation tool manufacturer Pilz suffered a ransomware attack that affected its global communication network, the company disclosed. ZDNet reports the Pilz attack was carried out by BitPaymer ransomware.

While BitPaymer has been active since 2017, Symantec did the first in-depth study of the ransomware in July. The security firm describes it as a Trojan that encrypts files on a victim's computer before demanding a ransom, according to the report.

A Profitable Market

A report released earlier in October by the security firm Emsisoft notes that in the first three quarters of this year, more than 600 ransomware targeted local governments, school districts and healthcare providers across the U.S. (see: Just How Widespread Is Ransomware Epidemic?)

Speaking about the growing challenges posed by ransomware attacks, Emsisoft CTO Fabian Wosar notes that threat actors are increasingly leveraging ransomware attacks as it as it become a lucrative means to fleece businesses and other organizations.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.