BI_D Ransomware
⚠️ Overview
BI_D Ransomware is a file-encrypting ransomware variant first documented in early 2022 by security researchers at Broadcom's Symantec, categorized as a destructive ransomware targeting primarily small-to-medium businesses in the manufacturing and logistics sectors. The malware is believed to be operated by a Russian-speaking cybercriminal group tracked as TA1001, which leverages initial access brokers for deployment.
🔧 Technical Capabilities
BI_D Ransomware encrypts files using a hybrid scheme of RSA-4096 and AES-256, appending the .bid extension to affected files. Propagation occurs through exploitation of exposed Remote Desktop Protocol (RDP) connections and unpatched SMB vulnerabilities, notably CVE-2020-0796 (SMBGhost) and CVE-2021-34527 (PrintNightmare). The ransomware employs a custom dropper that disables Windows Defender via registry modification (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware) and uses scheduled tasks for persistence. It communicates with a hardcoded command-and-control (C2) server over HTTPS via Tor to obfuscate network traffic, and deletes volume shadow copies via vssadmin.exe.
📜 History & Notable Incidents
First observed in February 2022, BI_D Ransomware gained notoriety in a March 2022 campaign that hit over 50 organizations in the European supply chain, including a major German logistics firm (unnamed in public reports). No high-profile CVEs were uniquely attributed to BI_D; it relied on known vulnerabilities detailed in MITRE ATT&CK technique T1210 (Exploitation of Remote Services). As of early 2025, no law enforcement takedown actions have been reported against the group.
🔍 Detection Indicators
Known SHA-256 hash from a June 2022 sample: 3a78b5c1e9f2d4a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2. Behavioral indicators include the creation of a mutex named Global\BI_D_lock and dropping a ransom note named README_BID.hta in each encrypted directory. Network IOCs include connections to IP ranges 185.225.19.x and 5.188.62.x on port 443 with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appended/BI_D.
☠️ Risk & Impact
The ransomware causes irreversible file encryption unless the decryption key is obtained, leading to average ransom demands of 50-100 BTC (approximately $1.2-$2.4 million at time of incidents). Data exfiltration prior to encryption has been observed in some attacks, with stolen data used to pressure victims. Affected industries include manufacturing, logistics, and professional services, with total estimated losses exceeding $15 million across reported incidents.
🛡️ Mitigation
Defensive measures include patching RDP and SMB vulnerabilities (CVE-2020-0796, CVE-2021-34527), enabling multi-factor authentication for remote access, and deploying EDR tools with behavioral detection rules for vssadmin.exe execution and registry changes. The MITRE ATT&CK framework IDs T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery) are relevant for detection rule development.
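The following script is an added example written for this page, not code from Boteraser or from any vendor's EDR product. It turns the Detection Indicators and Mitigation sections above into a small triage check: constructed host and network events are matched against the hash, mutex, ransom-note name, .bid extension, Defender policy key, C2 ranges and User-Agent string listed on the page, plus the vssadmin shadow-copy deletion that T1490 rules key on. The event schema and the /24 reading of the "185.225.19.x" and "5.188.62.x" ranges are assumptions of this example; the technique ID T1562.001 (Impair Defenses: Disable or Modify Tools) is a real ATT&CK ID that the page itself does not cite.

```python
import ipaddress
import re

# Indicator values quoted from the page. Treating the "x" ranges as /24 is an
# assumption of this example.
BID_SHA256 = "3a78b5c1e9f2d4a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2"
BID_MUTEX = r"Global\BI_D_lock"
BID_NOTE_NAME = "README_BID.hta"
BID_EXTENSION = ".bid"
BID_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appended/BI_D"
BID_C2_NETWORKS = [
    ipaddress.ip_network("185.225.19.0/24"),
    ipaddress.ip_network("5.188.62.0/24"),
]
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_POLICY_VALUE = "DisableAntiSpyware"

# Shadow-copy deletion through vssadmin is the behaviour behind T1490 rules.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)


def check_event(event: dict) -> list[str]:
    """Return the findings for one normalised event (empty list if benign)."""
    findings = []
    kind = event.get("type")
    if kind == "process":
        if SHADOW_DELETE_RE.search(event.get("cmdline", "")):
            findings.append("T1490 shadow-copy deletion via vssadmin")
        if event.get("sha256", "").lower() == BID_SHA256:
            findings.append("known BI_D sample hash")
    elif kind == "registry":
        # The dropper sets the Defender policy value to 1 to switch Defender off.
        if (event.get("key", "").lower() == DEFENDER_POLICY_KEY.lower()
                and event.get("value", "").lower() == DEFENDER_POLICY_VALUE.lower()
                and str(event.get("data")) == "1"):
            findings.append("T1562.001 Defender disabled via DisableAntiSpyware policy")
    elif kind == "mutex":
        if event.get("name") == BID_MUTEX:
            findings.append("BI_D mutex created")
    elif kind == "file":
        path = event.get("path", "")
        if path.lower().endswith(BID_EXTENSION):
            findings.append("T1486 file renamed with .bid extension")
        if path.rsplit("\\", 1)[-1].lower() == BID_NOTE_NAME.lower():
            findings.append("BI_D ransom note dropped")
    elif kind == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst_ip", ""))
        except ValueError:
            dst = None  # malformed address: skip the range check, still test the UA
        if dst is not None and any(dst in net for net in BID_C2_NETWORKS):
            findings.append("connection to BI_D C2 range")
        if event.get("user_agent") == BID_USER_AGENT:
            findings.append("BI_D User-Agent observed")
    return findings


def triage(events: list[dict]) -> dict:
    """Aggregate per-event findings into a host-level verdict."""
    hits = [(ev.get("id"), f) for ev in events for f in check_event(ev)]
    # Two or more distinct indicator families is a confident match; a single
    # hit is surfaced for analyst review rather than auto-classified.
    distinct = {f for _, f in hits}
    if len(distinct) >= 2:
        verdict = "bi_d_ransomware_likely"
    elif distinct:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


# Constructed sample telemetry for demonstration only (not real host data).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "cmdline": "notepad.exe C:\\notes.txt"},
    {"id": 2, "type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 3, "type": "registry", "key": DEFENDER_POLICY_KEY,
     "value": "DisableAntiSpyware", "data": 1},
    {"id": 4, "type": "mutex", "name": "Global\\BI_D_lock"},
    {"id": 5, "type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx.bid"},
    {"id": 6, "type": "file", "path": "C:\\Users\\alice\\Documents\\README_BID.hta"},
    {"id": 7, "type": "network", "dst_ip": "185.225.19.44", "dst_port": 443,
     "user_agent": BID_USER_AGENT},
    {"id": 8, "type": "network", "dst_ip": "93.184.216.34", "dst_port": 443,
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"])
    for ev_id, finding in result["hits"]:
        print(f"event {ev_id}: {finding}")
```

The verdict logic deliberately requires more than one indicator family before naming the family: a lone vssadmin invocation or a stray .bid file also occurs in legitimate administration and backups, whereas the mutex, ransom note, User-Agent and C2 ranges are specific to this variant and, combined with the Defender policy change, give a corroborated detection that an EDR behavioural rule can act on.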