Bit Paymer, sometimes written as BitPaymer, targets Windows systems and is distributed through compromised Remote Desktop Protocol (RDP) access. Once the operators behind the campaign gain access to an open, Internet-exposed RDP endpoint, they move laterally through the targeted network and manually install Bit Paymer on each system they can reach. Bit Paymer uses a combination of RC4 and RSA-1024 to encrypt files and appends .locked to the file names. Researchers believe this variant has been active since June 2017, when the first samples were uploaded to VirusTotal. It appears to be part of a sophisticated campaign targeting large organizations, with ransom demands that vary with the size of the target; researchers have observed Bit Paymer demands ranging from 20 to 53 Bitcoin. The campaign also requires victims to send three separate payments of 1 Bitcoin each as "confirmation transactions" before paying the remainder of the ransom.
UPDATE 1/26/2018: A new version, dubbed FriedEx, targets high-profile victims and corporations through RDP brute-force attacks. FriedEx has been linked to the developers of the Dridex banking Trojan. ESET provides a technical analysis of FriedEx here.
UPDATE 8/1/2018: The Matanuska-Susitna Borough in Alaska was infected with the Emotet trojan and subsequently with Bit Paymer ransomware, forcing the borough to fall back on typewriters for a week.
UPDATE 8/8/2018: The PGA of America was likely infected with a BitPaymer variant.
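Both the original Bit Paymer intrusions and the FriedEx campaign begin the same way: password guessing against an exposed RDP endpoint, followed by a successful interactive logon. The script below is an added example written for this profile, not code from the NJCCIC, ESET, or any of the analyses linked here. It runs simple brute-force detection over Windows Security events: Event ID 4625 (an account failed to log on) and 4624 (an account was successfully logged on), restricted to LogonType 10 (RemoteInteractive, which is what RDP sessions produce). The events are a constructed sample flattened to CSV for the example rather than native EVTX, and the threshold of five failures within ten minutes is an assumed starting point that should be tuned to the environment.

```python
"""Flag RDP password-guessing bursts and the successful logon that follows them.

Windows Security log facts used here:
  Event ID 4625 = an account failed to log on
  Event ID 4624 = an account was successfully logged on
  LogonType 10  = RemoteInteractive (RDP / Terminal Services)
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events (not real log data), flattened to CSV for the example.
# One source guesses several accounts and then succeeds; a user mistypes once; a
# service account fails repeatedly over LogonType 3 (network), which is not RDP.
SAMPLE_LOG = """\
time,event_id,logon_type,account,source_ip
2018-01-20 02:00:01,4625,10,administrator,203.0.113.7
2018-01-20 02:00:03,4625,10,administrator,203.0.113.7
2018-01-20 02:00:04,4625,10,admin,203.0.113.7
2018-01-20 02:00:06,4625,10,backup,203.0.113.7
2018-01-20 02:00:09,4625,10,administrator,203.0.113.7
2018-01-20 02:00:11,4625,10,administrator,203.0.113.7
2018-01-20 02:14:30,4624,10,administrator,203.0.113.7
2018-01-20 08:15:00,4625,10,jsmith,10.0.5.23
2018-01-20 08:15:20,4624,10,jsmith,10.0.5.23
2018-01-20 09:00:00,4625,3,svc_sql,10.0.7.9
2018-01-20 09:00:01,4625,3,svc_sql,10.0.7.9
2018-01-20 09:00:02,4625,3,svc_sql,10.0.7.9
2018-01-20 09:00:03,4625,3,svc_sql,10.0.7.9
2018-01-20 09:00:04,4625,3,svc_sql,10.0.7.9
2018-01-20 09:00:05,4625,3,svc_sql,10.0.7.9
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the CSV flattening into dicts, sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]),
            "account": row["account"],
            "source_ip": row["source_ip"],
        })
    return sorted(events, key=lambda e: e["time"])


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (max_failures_in_window, accounts_tried, burst_start)}
    for every source with at least `threshold` failed RDP logons inside one
    sliding `window`. Threshold and window are assumed values; tune them."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            failures[e["source_ip"]].append(e)

    flagged = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (ip not in flagged or count > flagged[ip][0]):
                accounts = sorted({x["account"] for x in evs[start:end + 1]})
                flagged[ip] = (count, accounts, evs[start]["time"])
    return flagged


def likely_compromises(events, flagged):
    """Successful RDP logons from a flagged source after its burst began: the
    moment guessing turned into the interactive foothold used for lateral movement."""
    hits = []
    for e in events:
        if e["event_id"] == SUCCESSFUL_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            info = flagged.get(e["source_ip"])
            if info and e["time"] >= info[2]:
                hits.append((e["source_ip"], e["account"], e["time"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = rdp_bruteforce_sources(evs)
    for ip, (n, accounts, t0) in flagged.items():
        print(f"{ip}: {n} failed RDP logons starting {t0}, accounts tried: {accounts}")
    for ip, account, t in likely_compromises(evs, flagged):
        print(f"ALERT: successful RDP logon as {account} from {ip} at {t} after guessing burst")
```

The per-source sliding window keeps a single slow-typing user from tripping the alert, while LogonType 10 filtering keeps SMB or service-account noise (LogonType 3) out of the count. In practice the success event is the one to page on: a burst of 4625s is background radiation on any exposed RDP host, but a 4624 from the same source afterwards is the start of the hands-on intrusion this profile describes.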
- Bleeping Computer provides more information about Bit Paymer here.
- The NJCCIC is not currently aware of any decryption tools available for Bit Paymer.