Bit Paymer

Bit Paymer, sometimes written as BitPaymer, targets Windows OS and is distributed via RDP compromise. Once the hackers behind the campaign gain access to an open and exposed RDP endpoint, they move laterally through the targeted network and manually install Bit Paymer on each system they can access. Bit Paymer uses a combination of RC4 and RSA-1024 encryption algorithms to encrypt files and appends .locked to the file names. Researchers believe this variant has been active since June 2017, when samples were uploaded to VirusTotal. This variant appears to be part of a sophisticated campaign targeting large organizations and demands various ransom payment amounts, depending on the size of the target. Researchers have observed Bit Paymer ransom demands from 20 to 53 Bitcoin. This campaign also requires victims to send three individual payments of 1 Bitcoin each as "confirmation transactions" prior to sending the rest of the amount.

UPDATE 1/26/2018: A new version, dubbed FriedEx, targets high profile victims and corporations through remote desktop protocol (RDP) brute-force attacks. FriedEx has been linked to the developers of the Dridex banking Trojan. ESET provides a technical analysis of FriedEx here.
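Both the original Bit Paymer intrusions and the FriedEx campaign begin with exposed RDP being brute-forced, so the highest-value detection a defender can build from this profile is for the logon pattern that precedes the ransomware: a burst of failed RemoteInteractive logons from one source address, followed by a success from that same address. The script below is an added example written for this profile, not NJCCIC, ESET or CrowdStrike code. It assumes Windows Security events already exported as (timestamp, Event ID, LogonType, account, source IP) tuples, uses the real Event IDs 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), and the event data and threshold values are constructed for illustration.

```python
"""Flag RDP brute force followed by a successful logon from the same source.

Added example for the Bit Paymer / FriedEx profile; not vendor code.
Input: Windows Security events as (iso_timestamp, event_id, logon_type,
account, source_ip). Event IDs 4625/4624 and LogonType 10 are the real
Windows values; the sample events and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10      # LogonType 10 = RemoteInteractive (RDP)
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def _burst(ip, start, count, accounts, step_seconds=15):
    """Constructed helper: `count` failed RDP logons from `ip`, rotating accounts."""
    base = datetime.fromisoformat(start)
    return [
        ((base + timedelta(seconds=step_seconds * i)).isoformat(),
         FAILED_LOGON, RDP_LOGON_TYPE, accounts[i % len(accounts)], ip)
        for i in range(count)
    ]


# Constructed sample data: one password-spraying source that eventually gets
# in, one user who mistypes a password twice, one console logon to ignore.
SAMPLE_EVENTS = (
    _burst("203.0.113.45", "2018-01-20T02:00:00", 12,
           ["administrator", "admin", "backup", "scanner"])
    + [("2018-01-20T02:03:30", SUCCESS_LOGON, RDP_LOGON_TYPE, "backup", "203.0.113.45")]
    + [("2018-01-20T09:12:00", FAILED_LOGON, RDP_LOGON_TYPE, "jsmith", "198.51.100.7"),
       ("2018-01-20T09:12:20", FAILED_LOGON, RDP_LOGON_TYPE, "jsmith", "198.51.100.7"),
       ("2018-01-20T09:12:45", SUCCESS_LOGON, RDP_LOGON_TYPE, "jsmith", "198.51.100.7"),
       ("2018-01-20T09:15:00", SUCCESS_LOGON, 2, "jsmith", "127.0.0.1")]
)


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside `window`; finding records the accounts tried and, if a
    later RDP success arrives from the same source, which account got in."""
    recent_failures = defaultdict(deque)   # ip -> deque of (time, account) in window
    findings = {}
    for ts, event_id, logon_type, account, ip in sorted(
            events, key=lambda e: datetime.fromisoformat(e[0])):
        if logon_type != RDP_LOGON_TYPE:
            continue                       # console/service logons are out of scope
        t = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            q = recent_failures[ip]
            q.append((t, account))
            while q and t - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {
                    "failures": 0, "accounts": set(),
                    "first_seen": q[0][0].isoformat(), "success_account": None})
                f["failures"] = max(f["failures"], len(q))
                f["accounts"].update(a for _, a in q)
        elif event_id == SUCCESS_LOGON and ip in findings:
            # Brute force that turned into a real session: the highest-priority alert.
            findings[ip]["success_account"] = account
    return findings


if __name__ == "__main__":
    for ip, f in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = f"SUCCESS as {f['success_account']}" if f["success_account"] else "no success yet"
        print(f"{ip}: {f['failures']} failed RDP logons from {f['first_seen']}, "
              f"accounts={sorted(f['accounts'])}, {status}")
```

Run on the constructed events, the sprayer 203.0.113.45 is reported with twelve failures across four accounts and a subsequent success as `backup`, while the two typos from 198.51.100.7 stay below threshold. The window and threshold are tuning knobs; in a real deployment the "brute force then success" branch is the one worth paging on, since that is the foothold from which the manual lateral movement described above starts.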

UPDATE 8/1/2018: The Alaska borough of Matanuska-Susitna (Anchorage area) was infected with the Emotet trojan and subsequently with the Bit Paymer ransomware, forcing the borough to use typewriters for a week.

UPDATE 8/8/2018: PGA of America was likely infected with a BitPaymer variant.

  • Bleeping Computer provides more information about Bit Paymer here.

  • The NJCCIC is not currently aware of any decryption tools available for Bit Paymer.

UPDATE 7/12/2019: Researchers have identified a new variant of the BitPaymer ransomware, named DoppelPaymer, which shares much of its code with both BitPaymer and Dridex. A series of ransomware attacks first observed in June 2019 contained various modifications, leading researchers to assess that one or more members of INDRIK SPIDER have splintered from the group to begin their own operation.

  • Crowdstrike provides further research and technical details here.

UPDATE 7/18/2019: An ongoing BitPaymer campaign has targeted at least 15 US SMB organizations across the financial, agricultural, technology, and government sectors over the last three months. The infection begins with an email carrying Dridex, which is used to collect network information. BitPaymer appears to be deployed over a weekend while employees are away and proliferates once employees return.