BitPaymer Ransomware: An insight into the ransomware’s attack campaigns

  • BitPaymer uses RC4 and RSA-1024 encryption algorithms to encrypt files and appends the .locked extension to the encrypted file names.
  • The latest ongoing BitPaymer campaign targeted at least 15 organizations in the United States in the last three months.

BitPaymer is ransomware that targets Windows systems and typically gains access through Remote Desktop Protocol (RDP). It has been active since 2017. It uses the RC4 and RSA-1024 encryption algorithms to encrypt files and appends the .locked extension to the encrypted file names.

The group behind this ransomware demands that victims send three "confirmation" transactions of 1 Bitcoin each before sending the full payment.

Capabilities of BitPaymer

BitPaymer ransomware is capable of executing itself, making a copy of itself, hiding in empty files, deleting its older executable file, and transferring control to the newly created files.

BitPaymer hits NHS Lanarkshire board

In August 2017, NHS Lanarkshire board suffered a BitPaymer ransomware attack impacting several hospitals. The impacted hospitals include Hairmyres Hospital in East Kilbride, Monklands Hospital in Airdrie and Wishaw General Hospital. Operators behind the ransomware demanded a ransom payment of 53 Bitcoins.

Attack on the Alaskan borough

On July 24, 2018, BitPaymer ransomware hit an Alaskan borough, infecting over 500 computers and 120 servers. The attack forced employees to work on old typewriters. The incident led officials to disconnect phones, email, and other networked devices from the internet.

PGA of America hit with ransomware attack

In August 2018, the Professional Golfers' Association of America suffered a ransomware attack that crippled the PGA's computer systems. At the time, BitPaymer was speculated to be responsible for the attack.

Links between Emotet, Ursnif, Dridex, and BitPaymer

Researchers discovered a connection between Emotet, Ursnif, Dridex, and BitPaymer from open-source information.

  • The analysis revealed that the internal data structure of the four malware families was the same.
  • The four payload decryption procedures were also identical in their data structures and in the way they decrypted the actual PE payloads.

BitPaymer infected US manufacturing company via PsExec

On February 18, 2019, a new variant of the BitPaymer ransomware infected a US manufacturing company via PsExec, a command-line tool that allows the execution of processes on remote computers.

To initiate the attack, the attackers first compromised an account with administrator privileges. This enabled them to run the malicious commands that copied and executed the BitPaymer variant on the remote machines.
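The two behaviours the article describes, remote execution through PsExec and mass renaming of files to the .locked extension, are both visible in ordinary host telemetry. The following script is an added example, not code from the original article or from any vendor; it runs two simple detection rules over constructed sample events. The 7045 service-installation records and the rename records are constructed for the example, the thresholds are assumptions, and the service name PSEXESVC is PsExec's default remote service name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs from any incident). Each record is a
# simplified dict: a timestamp, the host, an event type, and event-specific fields.
# Event "7045" mimics the Windows System log entry written when a service is
# installed; PsExec's default remote service is named PSEXESVC.
SERVICE_EVENTS = [
    {"ts": "2019-02-18T03:14:01", "host": "FILESRV01", "event": "7045",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "user": r"CORP\admin-svc"},
    {"ts": "2019-02-18T03:14:02", "host": "FILESRV01", "event": "7045",
     "service_name": "Spooler", "image_path": r"%SystemRoot%\System32\spoolsv.exe",
     "user": "SYSTEM"},
]


def _constructed_rename_events():
    """Build constructed file-rename events: a burst of 25 renames to .locked on one
    host (what mass encryption looks like from the file system) and a single
    rename on another host that should stay below the alert threshold."""
    base = datetime(2019, 2, 18, 3, 15, 0)
    events = []
    for i in range(25):
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                       "host": "FILESRV01", "event": "rename",
                       "old": rf"D:\share\report{i}.docx",
                       "new": rf"D:\share\report{i}.docx.locked"})
    events.append({"ts": base.isoformat(), "host": "WS17", "event": "rename",
                   "old": r"C:\Users\a\notes.txt",
                   "new": r"C:\Users\a\notes.txt.locked"})
    return events


SAMPLE_EVENTS = SERVICE_EVENTS + _constructed_rename_events()


def psexec_service_installs(events):
    """Rule 1: service installations whose name or binary matches PsExec's default
    remote service. Returns (timestamp, host, user) tuples for each hit."""
    hits = []
    for e in events:
        if e.get("event") != "7045":
            continue
        name = e.get("service_name", "").upper()
        path = e.get("image_path", "").lower()
        if name == "PSEXESVC" or path.endswith("psexesvc.exe"):
            hits.append((e["ts"], e["host"], e.get("user")))
    return hits


def locked_rename_bursts(events, window_seconds=60, threshold=20):
    """Rule 2: per host, the largest number of renames to a .locked name inside any
    sliding window of window_seconds. Hosts at or above threshold are returned
    as {host: count}. The window and threshold are assumed tuning values."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("event") == "rename" and e["new"].lower().endswith(".locked"):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for ts, host, user in psexec_service_installs(SAMPLE_EVENTS):
        print(f"[PsExec service install] {ts} host={host} user={user}")
    for host, count in locked_rename_bursts(SAMPLE_EVENTS).items():
        print(f"[.locked rename burst] host={host} renames_in_window={count}")
```

Rule 1 is a low-noise but narrow signal: PsExec lets the operator choose a different service name, so pairing it with a broader check for any 7045 event whose image path sits outside the usual system directories is worthwhile. Rule 2 keys on the extension the article attributes to BitPaymer and on the rate of change rather than on a single file, which is what separates an encryptor from a user renaming one document.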

Connections with DoppelPaymer

A ransomware variant called DoppelPaymer was recently discovered by security researchers. It shares most of its code with the well-known BitPaymer ransomware, and beyond the code similarities, its ransom notes also resemble those of BitPaymer.

BitPaymer targeted 15 organizations in 3 months

Researchers observed an ongoing malware campaign that targeted at least 15 organizations in the United States with the BitPaymer ransomware in the last three months. The impacted organizations belong to the financial, agricultural, technology, and government sectors.

Cyware Publisher