Bitpaymer Ransomware: What To Do If You’re Infected

Tetra Defense looks back at ransomware strains we have seen, because the past often informs the present. Learn how Bitpaymer ransomware operates so you are prepared for the strains that follow it.

What is Bitpaymer Ransomware? 

Bitpaymer ransomware first appeared in the summer of 2017. Since then it has had a significant impact on businesses throughout the United States and Europe. Bitpaymer, sometimes also known as "wp_encrypt," exclusively targets Windows-based systems. Once a Windows system is infected, Bitpaymer encrypts user files and leaves a ransom note on the user's desktop.

What makes Bitpaymer unusual is the lengths to which the malware goes to conceal itself from detection. Unlike much ransomware, Bitpaymer is well-coded and appears to be the work of experienced developers.

First reported in 2017, Bitpaymer has received regular updates from its creators. The most recent update at the time of writing was November 2019, and the malware has been updated consistently over the past two years.

There have been many high-profile victims of Bitpaymer ransomware, including NHS Lanarkshire in Scotland, a major Spanish MSSP, a major German manufacturer and numerous businesses in the United States.

How Does Bitpaymer Ransomware Work? 

Like many other types of ransomware, Bitpaymer is distributed through several attack vectors. Most commonly, the attack starts with a targeted phishing campaign aimed at vulnerable organizations. The phishing email attempts to dupe employees into downloading the malware payload, either as an email attachment or as a software download from a spoofed URL. Brute-force RDP attacks are also a prevalent vector that Bitpaymer threat actors use to gain initial access to a network.

Once a system is infected, the Bitpaymer executable attempts to harvest as much information as possible about the environment, including usernames, passwords, IP addresses, shared drives and private network details. The malware also contains specific routines that search for servers running Microsoft Exchange and Microsoft SQL Server.

Furthermore, the attackers target the Active Directory services running on the network. Once Active Directory is compromised, they use it to distribute Bitpaymer to the entire domain. Most of the Active Directory attack appears to be carried out manually by the threat actor (hands-on-keyboard rather than automated), which is one reason the intrusion is hard to spot before encryption begins.

As further evidence of the sophistication of its developers, Bitpaymer operators appear to invest significant time in getting to know each victim, building a custom binary for every target and going as far as encrypting files with a file extension that contains the name of the targeted company.

Once the ransomware is activated, Bitpaymer deletes system restore points and wipes out Volume Shadow Copy Service (VSS) shadow copies so that files cannot simply be rolled back. The ransomware encrypts file contents with RC4 and protects the RC4 keys with RSA-1024, so decryption is practically impossible without the private key held by the attackers. The ransom note left on the user's desktop directs the victim to download the Tor browser and visit a personalized site on the dark web. That site states a personalized ransom fee and instructions telling the victim what to do next to recover their data.
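The shadow-copy and recovery-point wiping described above is one of the few loud, pre-encryption signals a defender gets, so it is worth alerting on from process-creation telemetry. The following is an added example written for this article, not BitPaymer's code or Tetra Defense's tooling. It matches command lines commonly used by ransomware to delete or shrink shadow copies and disable Windows recovery (vssadmin, wmic, WMI via PowerShell, bcdedit, wbadmin); the article does not name the exact command BitPaymer runs, so the rule list is an assumption to tune against your own telemetry. The sample events are constructed.

```python
"""
Flag process-creation events whose command line deletes or shrinks Volume
Shadow Copies or disables Windows recovery: the step the article describes
BitPaymer taking before it encrypts files.

Added example for this article, not BitPaymer's code or Tetra Defense's
tooling. The command patterns are ones commonly used by ransomware for this
purpose; the article does not name the exact command BitPaymer runs, so the
list is an assumption to tune. The sample events below are constructed.
"""
import re

# (rule name, regex applied to the normalised command line)
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage",   # shrinking storage evicts old copies
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_wmi_shadowcopy_remove",
     re.compile(r"win32_shadowcopy\b.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
]


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that quoted paths,
    odd capitalisation or padded spaces do not dodge the patterns."""
    unquoted = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", unquoted).strip().lower()


def classify(cmdline):
    """Return the names of every rule the command line matches ([] if clean)."""
    norm = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def scan(events):
    """events: iterable of (image, command_line).
    Returns [(image, command_line, rules)] for events matching at least one rule."""
    hits = []
    for image, cmdline in events:
        rules = classify(cmdline)
        if rules:
            hits.append((image, cmdline, rules))
    return hits


# Constructed sample process-creation events (Sysmon Event ID 1 style), not
# taken from a real incident. The first and last are benign and must not fire.
SAMPLE_EVENTS = [
    ("mmc.exe", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("cmd.exe", r'"C:\Windows\System32\vssadmin.exe"  Delete   Shadows /All /Quiet'),
    ("cmd.exe", r"wmic.exe shadowcopy delete"),
    ("powershell.exe",
     r"powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"),
    ("cmd.exe", r"bcdedit /set {default} recoveryenabled No"),
    ("cmd.exe", r"wbadmin delete catalog -quiet"),
    ("explorer.exe", r"C:\Program Files\BackupAgent\agent.exe --snapshot"),
]

if __name__ == "__main__":
    for image, cmdline, rules in scan(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(rules):36} {cmdline}")
```

Legitimate backup agents do occasionally resize shadow storage, so expect to allow-list specific parent images for that rule; the delete variants are almost never run interactively on a server outside maintenance and deserve a high-severity alert regardless of who launched them.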

The ransoms are personalized to each victim: the amount varies dramatically with the size of the targeted organization and the assumed likelihood that it will pay. Ransom demands have ranged from around $20,000 to $250,000 USD.

The payment process suggests the group behind the ransomware has experience with this kind of extortion. Victims are instructed to send three 1 BTC "confirmation" transactions before sending the full payment, which reduces the chance of the bulk of the sum going to the wrong Bitcoin address.

How Do I Prevent Bitpaymer Ransomware? 

The primary vector for Bitpaymer ransomware is brute-forcing of RDP. This amounts to a sustained guessing attack against public-facing RDP endpoints until a password is found. Threat actors use the computing power of botnets to run dictionary attacks against the service; the simpler the password, the sooner it falls.
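Because every guess in such an attack is a failed logon, the brute force is visible in the Windows Security log long before it succeeds. The following is an added example for this article, not Tetra Defense's tooling: it counts RDP logon failures per source IP over a sliding window, flags password spraying (many accounts from one source) separately, and raises its highest-priority alert when a success follows a guessing run. The event IDs and logon types are the real Windows ones (4625 failed logon, 4624 successful logon, LogonType 10 RemoteInteractive, LogonType 3 Network, which is how a failed credential check at the NLA/CredSSP stage is recorded); the one-line "timestamp key=value" export format and the sample records are constructed and are assumptions, not a real log format.

```python
"""
Count RDP logon failures per source IP from Windows Security events to surface
the brute-force (and password-spray) activity the article names as Bitpaymer's
primary initial-access vector.

Added example for this article, not Tetra Defense's tooling. Event IDs and
logon types are the real Windows ones (4625 failed, 4624 success, LogonType 10
RemoteInteractive, LogonType 3 Network as used by the NLA/CredSSP stage). The
"timestamp key=value ..." line format and the sample records are constructed
for this example and are assumptions, not a real log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # look-back per source IP
FAIL_THRESHOLD = 10              # failures inside WINDOW -> brute force
SPRAY_THRESHOLD = 5              # distinct accounts inside WINDOW -> spray
RDP_LOGON_TYPES = {"3", "10"}    # Network (NLA stage) and RemoteInteractive

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """'2019-11-04T02:00:00 EventID=4625 LogonType=3 IpAddress=... TargetUserName=...' -> dict"""
    stamp, _, rest = line.partition(" ")
    event = dict(_FIELD.findall(rest))
    event["time"] = datetime.fromisoformat(stamp)
    return event


def detect(lines):
    """Return alerts as (time, source_ip, verdict) tuples in chronological order."""
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e["time"])
    failures = defaultdict(deque)          # ip -> deque of (time, account)
    alerts = []
    for ev in events:
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue                       # console, service, batch logons etc.
        ip = ev.get("IpAddress", "-")
        window = failures[ip]
        while window and ev["time"] - window[0][0] > WINDOW:
            window.popleft()               # expire failures outside the window
        if ev.get("EventID") == "4625":
            acct = ev.get("TargetUserName", "").lower()
            seen = {a for _, a in window}  # accounts already tried in the window
            window.append((ev["time"], acct))
            if len(window) == FAIL_THRESHOLD:              # fire once on crossing
                alerts.append((ev["time"], ip, "brute_force"))
            if acct not in seen and len(seen) + 1 == SPRAY_THRESHOLD:
                alerts.append((ev["time"], ip, "password_spray"))
        elif ev.get("EventID") == "4624" and len(window) >= FAIL_THRESHOLD:
            # a success on the heels of a guessing run is the signal that matters most
            alerts.append((ev["time"], ip,
                           "success_after_brute_force:" + ev.get("TargetUserName", "")))
    return alerts


def constructed_sample():
    """Constructed log (not real data): 12 guesses against 'administrator' from
    203.0.113.7, a spray of 6 accounts from 198.51.100.9, a benign console
    logon, then a successful RDP logon from 203.0.113.7."""
    t0 = datetime(2019, 11, 4, 2, 0, 0)
    lines = []
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=15 * i)).isoformat()} EventID=4625 LogonType=3 "
                     f"IpAddress=203.0.113.7 TargetUserName=administrator")
    for i, acct in enumerate(["jsmith", "mjones", "svc_backup", "helpdesk", "finance", "admin"]):
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} EventID=4625 LogonType=3 "
                     f"IpAddress=198.51.100.9 TargetUserName={acct}")
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} EventID=4624 LogonType=2 "
                 f"IpAddress=- TargetUserName=jsmith")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} EventID=4624 LogonType=10 "
                 f"IpAddress=203.0.113.7 TargetUserName=administrator")
    return lines


if __name__ == "__main__":
    for when, ip, verdict in detect(constructed_sample()):
        print(when.isoformat(), ip, verdict)
```

The thresholds are deliberately low for the sample; in production tune WINDOW and FAIL_THRESHOLD below whatever your account lockout policy allows, so the alert fires before the attacker's guess rate is throttled, and treat the success-after-failures verdict as an incident, not a notification.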

The best way to prevent this is a thorough review of every RDP endpoint you expose. Brute-force RDP attacks are a common and frequent way to compromise systems, and the FBI has published guidance on securing RDP for that reason.

This advice includes reviewing all public-facing servers, ensuring that every account able to log on over RDP has a strong password, and confirming that RDP has not been left exposed in error. Block TCP port 3389 by default on the perimeter firewall, enable RDP access only when necessary, and then only with multi-factor authentication in place and an account lockout policy so that a guessing attack is throttled rather than allowed to run indefinitely.

If the server is provisioned on a public cloud service, configure strict access controls (security groups or network ACLs) so that only predefined source IP addresses can reach the RDP port. All other requests to port 3389 should be dropped at the firewall level.

Any server exposing RDP must have Network Level Authentication (NLA) enabled under the advanced RDP settings. With NLA, the connecting user must authenticate (via CredSSP) before a session is created, instead of being handed a Windows logon screen over an unauthenticated connection; this is the "Allow connections only from computers running Remote Desktop with Network Level Authentication" option, stored as the UserAuthentication value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (1 = required). NLA keeps unauthenticated clients away from the session host and its logon process, which protects against malicious users and software that exploit the pre-authentication surface. Note the caveat: NLA does not stop password guessing by itself, since an attacker can still submit credentials to the CredSSP stage, so MFA and account lockout remain necessary.

Never forward RDP ports through a perimeter firewall. Instead, provide RDP access to the corporate network over a VPN tunnel that requires multi-factor authentication. The firewall then drops any RDP packets arriving from the Internet, and the RDP service is reachable only by users who have already authenticated to the VPN.

Educating users is one of the best ways to limit the impact of any strain of ransomware. Bitpaymer can be spread by malicious email campaigns that invite the user to open an infected attachment, so training users to be vigilant when opening any attachment is a necessity.

A valid backup strategy will also help you stay one step ahead of ransomware. Often the only way to recover from a ransomware outbreak is to restore systems from backup. There is no publicly available decryptor for Bitpaymer, so the ability to restore an entire computer infrastructure from backup, or to fall back on a disaster recovery solution, mitigates much of the risk. Because Bitpaymer operators enumerate shared drives and take over Active Directory before encrypting, any backup reachable with domain credentials may be encrypted along with everything else; keep at least one copy offline or otherwise immutable, and test restores regularly.

Additionally, system administrators must patch all servers and workstations to the latest security levels. Keep the operating system fully updated so that your version of Microsoft Windows is protected against the latest known vulnerabilities. Keep antivirus signatures updated daily as well, and consider deploying integrated anti-malware and endpoint monitoring technology.

How Do I Get Rid of Bitpaymer Ransomware? 

Unfortunately, as there is no decryptor for Bitpaymer, your only options are to restore from backup, or to pay the ransom and hope you get your files back.

Tetra Defense never recommends paying a ransom as the first option. If you are in the untenable position of not having a backup, and you urgently need your files, we recommend you contact the incident response experts at Tetra. 

Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal operations at the same time you are getting answers.   

Our teams are standing by to focus on what matters most: your business. We will survey the ransomware outbreak and perform an initial assessment to identify the most appropriate course of action based on your particular needs. We can conduct ransom negotiations and, if needed, can facilitate ransom payment.

We remove the threat from your system and conduct malware scans and network threat hunting. We leverage each incident to learn from the ransomware attack and discover the root cause. Once Tetra obtains decryption keys, we decrypt the data and get systems restored to full functionality as quickly as possible. We help you to resolve any vulnerabilities used to exploit your network. 

Get Help with Bitpaymer Ransomware 

If you’re ready to get help removing Bitpaymer ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your network up and running once again. 
