Home / Industry

Billtrust Breach: Can Threat Intelligence Platforms Help with Ransomware Prevention?

Highly publicized ransomware attacks are never short of golden nuggets of wisdom for the cybersecurity industry.

They first teach us that attackers control the rules of the game once infiltration is complete. Second, large enterprises that use cloud-based technologies to store sensitive financial information continue to be at risk. Finally, there’s nothing much an organization can do besides restoring files using backups (when these remain available) in the event of a ransomware attack.

This last nugget seems to be the case for multiple victims, such as cloud-based billing service provider Billtrust. The business-to-business (B2B) payment vendor is reeling from the effects of a ransomware attack back in October, which disrupted its operations for four days. The company has since restored services and claimed to be working with law enforcement and a private security firm to investigate the data breach.

The Role of Threat Intelligence Platforms in Ransomware Prevention

While Billtrust did not disclose the specific ransomware strain that hit its network, some sources alleged that BitPaymer was responsible for the incident. Independently of the actual malware used, what’s common is for ransomware strands to be delivered as a secondary payload.

Usually, threat actors first conduct reconnaissance on a target’s network for vulnerabilities to exploit before sending the phishing email with the appropriate malicious attachment or download link—typically redirecting users to a website where the malicious script is hosted.

Scripts are often used to scan the target network for other vulnerabilities or brute-force their way into systems with weak passwords to obtain high-privilege credentials. More sophisticated malware applications spread laterally throughout a target network. Regardless of the means used, once hackers gain unauthorized access, they can manually install a ransomware into a connected computer.

In short, vulnerabilities play a massive role in the success of ransomware attacks. One way to stay ahead is by integrating a threat intelligence platform into organizations’ intrusion prevention systems (IPSs).

Our Investigative Tools: Threat Intelligence Platform

Threat Intelligence Platform can be used to assess a domain’s vulnerability based on its hosting configuration. With it, users can determine if their domains possess known vulnerabilities such as invalid Secure Sockets Layer (SSL) certificates or dangling records.

The platform provides color-coded ratings (i.e., green, blue, orange) for a particular website metric. Using Billtrust’s website (i.e., www.billtrust.com) as an example, you’ll see in TIP’s report that it has several warnings concerning its mail servers and SSL configuration.

The report also retrieved the following list of domains hosted on the same IP address:

We randomly picked a domain from the list, 11412.tradebig[.]com, and saw that it had multiple SSL vulnerabilities and an invalid SSL certificate:

Analyzing other domains on the list showed additional warnings including scripts opening to other websites (which may or may not be dangerous).

While we’re not claiming that any of these online properties are malicious, you may want to avoid associations with them as their vulnerabilities may backfire on you.

Some websites (not on the above list), however, do have recorded ties to malware such as “4sharedtrend[.]com”—do not visit or share—that has been flagged on Yandex Safe Browsing, a known malware-checker data feed:

* * *

All in all, ransomware applications are extremely difficult to decrypt even with advanced forensic tools. To avoid falling victim to them, infosec professionals can gain more in-depth visibility into their networks and the threat landscape in general.

Threat Intelligence Platform can aid them in monitoring sites connecting to new strains and protecting potentially vulnerable endpoints. Reports from the tool include a variety of data points like connected IP addresses and SSL certificates. What’s more, it may inform you about a host’s website content, WHOIS records, and mail and name servers.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global