October 22, 2019

Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week.  The company said it is in the final stages of bringing all of its systems back online from backups.

With more than 550 employees, Lawrence Township, N.J.-based Billtrust is a cloud-based service that lets customers view invoices, pay, or request bills via email or fax. In an email sent to customers today, Billtrust said it was consulting with law enforcement officials and with an outside security firm to determine the extent of the breach.

“Our standard security and back-up procedures have been and remain instrumental in our ability to execute the ongoing restoration of services,” the email reads. “Out of an abundance of caution, we cannot disclose the precise ransomware strains but will do so as soon as prudently possible.

In an interview with KrebsOnSecurity on Monday evening, Billtrust CEO Steven Pinado said the company became aware of a malware intrusion on Thursday, Oct. 17.

“We’re aware of the malware and have been able to stop the activity within our systems,” Pinado said. “We immediately started focusing on control, remediation and protection. The impact of that was several systems were no longer available to our customers. We’ve been fighting the fight, working on restoring services and also digging into the root cause.”

A report from BleepingComputer cites an unnamed source saying the ransomware strain that hit Billtrust was the BitPaymer ransomware, but that information could not be confirmed.

One of Billtrust’s customers has published a day-by-day chronology of the attack and communications from the company here (h/t @gossithedog).

Pinado said Billtrust had restored most of its systems, and that it was in the process now of putting additional security measures in place. He declined to discuss anything related to the ransomware attack, such as whether the company paid a ransom demand in exchange for a key to unlock files scrambled by the malware, although he allowed Billtrust does have cybersecurity insurance for just such occasions.

Billtrust recently teamed up with Visa to launch the Billtrust Business Payments Network, an effort to digitize payments between businesses.

Cloud service providers are a favorite target of attackers who deal in ransomware. In August, Wisconsin-based PerCSoft paid a hefty ransom to get out from beneath an attack that separated hundreds of dental offices from their patient records.

In July, attackers hit QuickBooks cloud hosting firm iNSYNQ, holding data hostage for many of the company’s clients. In February, cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.


39 thoughts on “Ransomware Hits B2B Payments Firm Billtrust

  1. The Sunsine State

    In the months and years ahead , ransomware attacks like this will continue to occur until big companies that have a online presence, take cyber-security a lot more seriously.

  2. J. Peterson

    Is this a case where the victim was actually able to recover with their own backups and no ransom was paid? Let’s hope..

  3. Dennis

    Of course, they paid the ransom. Otherwise they’d have said it.

    And when will companies stop giving us all that BS in their press releases, like its some high stakes Hollywood drama. Just say it like it happened, “Carroll in accounting couldn’t resist opening the fake FedEx shipment-missed phish and we got hacked. On top of that our outdated backups system wasn’t up to the task and was also encrypted.”

    1. Gunt

      In the corporate world truth, especially about something that can be perceived as a failure is as toxic and radioactively dangerous as plutonium, as it opens the person responsible up to a tarnish reputation.

      So the default is to lie, downplay, minimise and move on, and since it is very difficult to leverage legal penalties against entities as enormous and protected as large corporations nothing changes and the people responsible for this get off scott free.

      I can imagine the meeting where a Sys admin talked at length about the importance of good backups while whoever was responsible for the money that would entail just nodded while not hearing a single thing, already having decided to dismiss this person out of hand.

      1. Richard

        The most effective people in business today possess 110-ohm noses. They are striped brown-brown-brown per the resistor code from kissing ass. Competent, professional, and ethical they are usually not.

        1. Wayne

          Kudos for the color-coded geekiness! It’s been a long time since I thought about that, something that I’d like to get back in to.

        2. Mikey Doesn't Like It

          Talk about a blast from the past.

          I’d almost forgotten about resistors… capacitors… inductors… diodes…

          I’d rather forget about ransomware, BEC and hacking. But alas, too many companies apparently already have. Which is why we’re seeing these stories.

          Sad.

        3. vb

          Thanks for the engineering slang. That must date back to the space program.

          1. santa claus

            Bad Boys Rape Batman On Yon Gotham Bridge Get Some Now…

            kudos if you have idea what I’m talking about…

            1. Resistor? I Hardly Knew Her

              We always learned it as:

              Bad Booze Rots Our Young Guts But Vodka Goes Well

              “Get Some Now” is typically added from the tolerance bands, right? Gold, Silver, None? Wow… talk about a trip down memory lane.

              1. Dave Horsfall

                There’s also a sexist version, and apologies for repeating it (but it is a part of history):

                Bad Boys Rape Our Young Girls But Veronica Goes Willingly.

                Heck, it’s what we were taught back in those days…

      2. Mohan

        Absoluyely. We as customers are only safe till our data is hacked.

    2. Readership1

      There’s no reason why any single employee’s login information should be granted systemwide access, whether it’s Carol in accounting or James in IT.

      A press release admitting to such incompetent management would kill a business.

      1. Wayne

        I worked for a major police department in IT back in the ’90s, initially one of 3 network administrators, literally holding all the keys to the Windows network.

        We physically had two computers: one had admin access to the network and servers, but no internet access or email. The other was our daily “do stuff” computer with internet access and email. And a physical KVM switch for going between them, or sometimes two monitors, keyboards, mice. NT on both boxes.

        (we also had a hard-wired network with a switch and ethernet cables hanging from the ceilings. On Fridays we’d hit the roach coach, grab a sandwich, reboot our computers, then play Quake or Outlaws or Rainbow Six or some other shooter for an hour or two and shoot the crap out of each other)

        I happened to see the Slashdot article when I came in at 7am that announced the I Love You attack hitting the east coast (we were a western time zone), and we immediately pulled the internet cable to our firewall and just disconnected external connections. That malware pretty much didn’t do anything to us, but the City, our upstream connection, got creamed.

        1. Clay_T

          We were running NT4 at the time (no native VBS support) so we were immune.
          All, except for the GM and SM, who had W9something on their laptops.
          GM’s came from the company owner so ‘it had to be ok, right?’
          SM’s excuse: It came from a guy she had a first date with over the weekend.

          I remember opening that skript Monday morning and thinking ‘this is going to be big’.

          One of our customers did marketing… lots and lots of JPEG’s.
          They got wrecked.

      2. Anon404

        Carol in accounting doesnt need system wide access. Access to her PC is all that is needed for privilege escalation to SYSTEM and then from there capturing who knows how many password hashes. Then its just a matter of time before you get a domain admin account.

        1. Readership1

          If she’s tied in only to the company intranet, there’s minimal risk. Carol doesn’t need outside Internet or USB ports to perform her duties. She needs a terminal and a potted plant, nothing more.

          You don’t need to give every employee Internet access at their desk.

          In any organization, there’s a handful of department heads that need to deal with the public and outside companies. Those few can be provided with separate computers for that purpose.

          Again, if you separate your intranet from the Internet, and limit the number of employees with the access control to do damage, you limit the risk.

          This idiocy of hooking up every employee to broadband and company wifi is also a huge productivity suck, aside from the security aspect. Set up a short-range guest wifi, completely separate from the company network, in a lounge, if you feel it helps morale. They can wait for their breaks to check cat videos.

          1. Grant

            Additional computer for Internet access isn’t necessary. Take a look at Isla (Airgap) by CyberInc (Spikes). Float a [non-domain joined] laptop around that connects only to guest WiFi (no eth ports) for folks that need webinar access, training, etc.

  4. Sarusa

    If an internet or financial company has ‘Trust’, ‘Veri’, or ‘Secure’ in its title… it’s not. It’s like how legislature is always named the opposite of what it actually does.

    I know this is just a short list.

    1. dmarc

      Billtrust started as a billing service (outsourcing the tedious task of mailing/emailing thousands of customers invoices). They take electronic files from many companies and reliably deliver invoices (unlike some other servicers). The problem for the companies that outsourced that task is their invoices aren’t making it to their customers/dealers, That will slow cash flow for many companies Many of them aren’t getting info on whats happening and can’t get Billtrust to respond because they’re probably swamped now.

  5. Jack

    The fbi will arrest some random guy from the street and put the blame on him so plebs can be happy the problem is solved

  6. JimV

    It’s very likely they won’t be changing the company’s brand name, but clients in the future should probably think of it as having an asterisk linked to a note stating “exceptions may apply”…

  7. acorn

    “…said the company became aware of a malware intrusion on Thursday, Oct. 17″

    CBL detection on IP address 192.69.130.11, October 17 2019. … if ” NOT a shared hosting IP address, this IP address is infected with/emitting spamware/spamtrojan…”

  8. TimH

    I bet they paid the ransom.

    Their statement “Our standard security and back-up procedures have been and remain instrumental in our ability to execute the ongoing restoration of services” actually doesn’t say that the systems were recovered from backups, when the wording to say explicitly that would have been more natural.

    Lying by omission is one of the more personally insulting deceptions, because it presumes the audience is stupid.

    1. Rob

      Everything indicates they restored systems and services from backups. It took 4+ days for some products to come back online and in flight data rolled back at least 24 hours.

  9. ACL

    Backup solutions have improved over the years. I don’t think people should wait 4 days anymore to get their systems restored. “Instant Restores” are a real thing and you can get a server up and running in minutes from a previous backup.

    What I’m noticing more and more is the wrong people in charge of infrastructure and production environments. Leadership must wake up and realize these risks are part of day to day business now.

    1. Mohan

      Absolutely. Incompetent and clueless people are in charge of network security. Else, how would so many personal data heists have happened such as Evite, LInkedin, etc,. Storing customer data in plain text is downright criminal. Add to this the data is stored on servers outside the firewall in many cases.
      Basically, its the cost of security that leads CFO’s and CEO’s to reduce / do away with network security.

  10. JCitizen

    I get so tired if these incidents, and the lazy stupidity of the victims. Sure if it happened to grandma down the street, I’d have some sympathy, but ransomware is PREVENTABLE!!

    Before Foolish-IT quit supporting the free version, I tested their CryptoPrevent against any and all malware attacks I could find off junk email accounts where it is easy to find examples that are still zero day. In EVERY CASE – the MALWARE FAILED to gain permission to encrypt the hard drive.

    What are they going to have to do? Make a law that you go to jail for incompetent ineptitude in protecting monetary related files? Personally I’d like to see these network execs going to jail for this! I realize the criminal caused it – but you are guaranteed to get hit if you don’t take the specific steps it takes to prevent ransomware – they act like this just happens to other organizations and not them. S-T-U-P-I-D!!!!!!!!

    It is time they learned that responsibility for leaving the bank vault door open to all comers will cost them their freedom! I see it as the same thing.

    1. Readership1

      We need less laws, not more.

      If a company lies or withholds information you want disclosed, hire a different company for the service you need or complain loudly.

      But don’t make the mistake of believing that more government would help. It’s just as likely to take notice of you with deadly force.

  11. Jim

    Excellent story, not even mentioned in the news in my local colleges towns that I’ve been visiting. So how many of you caught the bat boy again, but missed this. That’s from colleges in electronics, computers and finance, where the newest and the brightest are coming from. Oh, and communications, but it wasn’t one of our local companies, but, what is local now?

  12. Mohan

    Incompetent management and a desire to save time and money on stricter processes including lack of backup data.
    With on-premise systems, large and mid-sized enterprises used to have their own network security in place.
    With the advent of cloud bases services, the cloud service providers are absolutely lax in setting up and maintaining a strong and bullet proof security system in place.
    Earlier, there were breaches at Target, Neiman Marcus.
    Also, many companies used to store customer data in plain text format instead of encrypting them.
    Aslo, data scrapers are allowed to be installed on so many POS I wonder whether there is a firewall and whether it has been setup porperly.
    Lastly, why should employees be provided access to all the core systems. Work stations should only be provided access to key/ required domain access and addresses and not the WWW at large.
    Also, block links and attachments from being clicked on in email messages.

  13. PR Apurva

    I think, we need to consider the option of separating external email communication systems from internal communication systems.

    By that I also mean the use of separate encryption systems for internal and external connections. If the internal connections/communications run on a different encryption keys – which can again be dynamic – the chances of an external entity of entering and damaging company networks should get limited.

  14. John Laven

    We have remediated over 120 ransomware this year, and only half of the affected organizations decided to implement a risk management program.

  15. Cheryl Christensen

    Invoice Central ‘Pay anyone’ still not online yet!! I have 25 checks from 10/17 thru present that have not been sent and I cannot afford to pay my vendors with my own check and then have Invoice Central send the outstanding checks. I cannot get any answers out of Invoice Central and it’s been 3 weeks tomorrow since the attack! VERY FRUSTRATED! Any suggestions???

Comments are closed.