BitPaymer Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 1 |
| First Seen: | July 12, 2017 |
| Last Seen: | December 27, 2018 |
| OS(es) Affected: | Windows |
The BitPaymer Ransomware is an encryption ransomware Trojan. Like other Trojans of the same type, the BitPaymer Ransomware is designed to encrypt its victims' files with a strong encryption algorithm. The BitPaymer Ransomware will then demand that the victim pays a large ransom to recover the affected data. The BitPaymer Ransomware denies access to the data, essentially taking the victim's files hostage. The BitPaymer Ransomware seems to be used mainly to attack business networks and Web servers, rather than individual computer users. The most common way in which the BitPaymer Ransomware is delivered to the victims is by taking advantage of poorly protected RDP (Remote Desktop Protocol) connections and Web access panels. Weak passwords and other vulnerabilities can allow third parties to access the victims' computers to install the BitPaymer Ransomware or other threats.
BitPayer, is also known as the ransomware variant DoppelPaymer. Once infiltration onto a system is complete, BitPaymer/DoppelPaymer encrypts commonly used files, and it appends them with the .locked extension. Updated variants of this threat may use the .lock extension for any encrypted files. Data becomes essentially unusable once compromised by the ransomware, with the threat creating a text file for each encrypted file appended with the .readme_txt addition to the name of the original file.
The files contain identical messages letting the victims know of the encryption and pushing them to contact the developers of BitPaymer/DoppelPaymer for more instructions on how to get their files back in their original state. Opening the files can be a bit difficult though since they are renamed and appended with the .readme_txt extension, so they need to be renamed again in order to access the text file, for example, sample.jpg.readme_txt has to be renamed to sample.txt to make it readable.
How the BitPaymer Ransomware Infection Process Works
The people responsible for infections like the BitPaymer Ransomware will monitor networks' access points for vulnerabilities frequently, using a variety of exploits to gain access. Once they have managed to infiltrate the victim network, they will install the BitPaymer Ransomware on as many computers as possible, and encrypt the victims' data. The victims will then be asked to pay a large ransom to recover the affected files. The BitPaymer Ransomware will encrypt all files on local drives, removable memory devices on the infected computer, or directories shared on a network. The files infected by the BitPaymer Ransomware will become inaccessible and easily recognized by the file extension '.locked,' which is added to the end of each targeted file.
The BitPaymer Ransomware's Ransom Note and Payment Method
As soon as the BitPaymer Ransomware encrypts the victim's files, it will display a ransom note on the victim's computer, which takes the form of a text file. The full text of this ransom note reads as follows:
'YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED!
All files are encrypted. We accept only bitcoins to share the decryption software for your network.
Also, we have gathered all your private sensitive data.
So if you decide not to pay anytime soon, we would share...
***'
When the victims follow the instructions in this ransom note, they will be greeted with the following message:
'Welcome to the ransom page!
To get the decryption software and the private key for every single infected computer in your network please follow the on-screen instructions on how to buy and send the Bitcoin's:
1. Please register a Bitcoin wallet. Here are the options:
- Blockchain Online Wallet (the easiest way)
- Other options (for advanced users)
- Send via Bitcoin exchanger directly to the ransom wallet.
2. To buy the Bitcoins please use either of options below:
- localBitcoins.com Buy Bitcoins with Western Union and several alternative methods.
- btc-e.com Western Union, Cash, Bank Wire, etc.
- coincafe.com Recommended for fast, simple service.
- coinbase.com Western Union, Bank of America, Cash by FedEx, Moneygram, Money Order. In NYC:
Bitcoin ATM, in person.
- localBitcoins.com Service allows you to search for people in your community willing to sell Bitcoins to you directly.
- cex.io Buy Bitcoins with VISA/MASTERCARD or wire transfer.
- btcdirect.eu The best for Europe.
- bitquick.co Buy Bitcoins instantly for cash.
- howtobuyBitcoins.info An international directory of Bitcoin exchanges.
- cashintocoins.com Bitcoin for cash.
- coinjar.com CoinJar allows direct Bitcoin purchases on their site.
- anxpro.com
- bittylicious.com
3. Get bitcoin wallet for payment (bitcoin address valid for 12 hours, if 12 hours passed please get the new wallet)
4. Send 50 BTC to the bitcoin address
15G6YvWH9hFp6BetJdVs4xgsx2wyimcHc1 (must be sent in 1 transaction!)
Please note that we require 3 Bitcoin transaction confirmations.
- To view the current status of your transaction please follow the link:
https://blockchain.info/address/15G6YvWH9hFp6BetJdVs4xgsx2wyimcHc1
- Once the transaction passed 3 confirmations please refresh the page and you will be granted to download the decryption software
- If something goes wrong please contact us via email: 17042102@tutamail.com
- We can decrypt 2-3 non-important light-weight files before you pay, send'em to email: 17042102@tutamail.com
4. Please be advised that the ransom amount may be raised after 48 hours since your first visit if no payment received.
In 7 days this link would be deleted, so all your information could be lost.
Your company is secure enough, but we may tell you what is wrong after payment being processed. Good Luck!'
The BitPaymer Ransomware's ransom note is contained in a text file named 'READ_ME.txt,' dropped on the infected computer's desktop. Connections to the payment portal are established using TOR to remain anonymous. The BitPaymer Ransomware demands a ransom of more than $110,000 USD in the form of BitCoins (50 BTC.) Although it would be possible to negotiate with the people responsible for the attack, PC security researchers advise companies to have reputable backup systems to avoid having to deal with these threats.
At this time, it isn't known whether BitPaymer and DoppelPaymer use symmetric or asymmetric encryption, but the victim receives a unique key necessary for data restoration. All decryption keys are located somewhere on a remote server controlled by the developers of BitPaymer/DoppelPaymer, as is usually the case with such ransomware threats. Once the threat actors are contacted, they encourage the victims to pay a ransom in exchange for keys. The ransom's demanded sum is currently unknown at this time, but the money usually ranges somewhere between $500 and $1500 in cryptocurrencies. Users are advised to avoid any payments to cybercriminals since there is no guarantee of a positive outcome in this situation. In many cases, the victims are left with their files still encrypted, and the threat actors simply get away with their money.
There are similar threats out there to BitPaymer and DoppelPaymer, such as PAIN LOCKER, REBUS, Embrace, LittleFinger, and man others. They may have different creators, but their goal remains the same: they encrypt data, make ransom demands, and get away with it with users who aren't aware of the nature of the threat. Most of these threats generate unique decryption keys by using RSA, AES, and similar algorithms. Decrypting the data manually without any involvement from the attackers is essentially impossible without the proper means of decryption. Ransomware such as BitPaymer/DoppelPaymer reminds us of the importance of regular data backups, either on remote servers or unplugged storage devices to avoid these kinds of situations.
