Cyber Incident Victim: Billtrust

Date: Oct 2019

Location: United States of America

Summary

A U.S. financial services provider experienced a widespread service outage following a malware attack impacting its computing systems, disrupting customer invoicing and online bill payment portals. The company engaged federal law enforcement and cybersecurity firms for investigation and remediation, confirming no customer data compromise while working to restore operations from backups amid the extensive disruption. A third-party source indicated ransomware involvement, specifically BitPaymer, aligning with recovery efforts utilizing backup systems to resume normal services.


Description

Billtrust, a U.S. financial services provider specializing in billing and payment solutions, experienced a widespread service outage beginning on or around October 17, 2019, following a malware attack that compromised portions of its computing infrastructure. The company did not publicly disclose the incident, but details emerged through a service interruption notice published by Wittichen Supply Company, one of Billtrust's customers. This notice, issued after Billtrust notified Wittichen on October 17, stated that the vendor was "the subject of a Malware attack" and had engaged federal law enforcement and cybersecurity firms to investigate and remediate the situation. The attack rendered all Billtrust services inoperable, preventing customers like Wittichen from delivering invoices or providing online bill payment portals to their clients. Billtrust assured affected customers that no customer data was compromised during the incident, attributing the prolonged restoration timeline to the substantial volume of data requiring processing.

By October 18, 2019, Billtrust began issuing operational updates, with a 6:00 P.M. ET communication outlining which services remained functional and which were still impaired. Restoration efforts progressed systematically, with the company confirming to Wittichen by October 21 that forensic software had been deployed across most systems. Billtrust emphasized its regular data backup practices during these communications, a factor that proved critical to recovery. Although the company did not formally identify the malware variant, a source familiar with the incident informed BleepingComputer that BitPaymer ransomware was responsible for the attack. This assessment aligned with Billtrust's subsequent restoration of affected systems from backups, a common remediation strategy in ransomware incidents where attackers encrypt critical data. The outage persisted for multiple days, disrupting financial operations for Billtrust's client base during the recovery period.
