What is BitPaymer ransomware? And how does it execute its attack?
BitPaymer ransomware is a file-encrypting threat that also goes by the name FriedEx. It was developed by the same group of hackers who created the banking Trojan named Dridex. BitPaymer ransomware and all its previous variants use a combination of the RC4 and 1024-bit RSA encryption algorithms.
BitPaymer earned the name FriedEx because of its newly discovered link to the developers of Dridex: according to researchers at ESET, FriedEx shares the same code and the same techniques for hiding information about its behavior. Once it infiltrates a system, it scans the computer for certain file types to encrypt, such as images, audio, video, documents and databases.
BitPaymer has a distinctive feature: it creates a separate ransom note for each encrypted file. During encryption it appends the .locked extension to the targeted files. An example of its ransom note is shown below.
“YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED!
All files are encrypted. We accept only bitcoins to share the decryption software for your network.
Also, we have gathered all your private sensitive data.
So if you decide not to pay anytime soon, we would share…
***”
If victims follow the instructions in the ransom note, which is not recommended, they will see the following message on their screen:
“Welcome to the ransom page!
To get the decryption software and the private key for every single infected computer in your network please follow the on-screen instructions on how to buy and send the Bitcoin’s:
- Please register a Bitcoin wallet. Here are the options:
– Blockchain Online Wallet (the easiest way)
– Other options (for advanced users)
– Send via Bitcoin exchanger directly to the ransom wallet.
- To buy the Bitcoins please use either of options below:
– localBitcoins.com Buy Bitcoins with Western Union and several alternative methods.
– btc-e.com Western Union, Cash, Bank Wire, etc.
– coincafe.com Recommended for fast, simple service.
– coinbase.com Western Union, Bank of America, Cash by FedEx, Moneygram, Money Order. In NYC: Bitcoin ATM, in person.
– localBitcoins.com Service allows you to search for people in your community willing to sell Bitcoins to you directly.
– cex.io Buy Bitcoins with VISA/MASTERCARD or wire transfer.
– btcdirect.eu The best for Europe.
– bitquick.co Buy Bitcoins instantly for cash.
– howtobuyBitcoins.info An international directory of Bitcoin exchanges.
– cashintocoins.com Bitcoin for cash.
– coinjar.com CoinJar allows direct Bitcoin purchases on their site.
– anxpro.com
– bittylicious.com
- Get bitcoin wallet for payment (bitcoin address valid for 12 hours, if 12 hours passed please get the new wallet)
- Send 50 BTC to the bitcoin address
15G6YvWH9hFp6BetJdVs4xgsx2wyimcHc1 (must be sent in 1 transaction!)
Please note that we require 3 Bitcoin transaction confirmations.
– To view the current status of your transaction please follow the link:
https://blockchain.info/address/15G6YvWH9hFp6BetJdVs4xgsx2wyimcHc
– Once the transaction passed 3 confirmations please refresh the page and you will be granted to download the decryption software”
However dangerous this ransomware may seem, paying the ransom is still not advised: BitPaymer demands a large sum, and there is no guarantee that the attackers will actually decrypt the encrypted files.
How does BitPaymer ransomware proliferate?
BitPaymer ransomware spreads through brute-force attacks against RDP (Remote Desktop Protocol); in other words, it takes advantage of weakly secured remote desktop connections.
Carefully follow the instructions below to remove BitPaymer ransomware from your system.
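Because the entry point described above is password guessing against RDP, the most useful early warning is a burst of failed RemoteInteractive logons from one source. The following is an added example, not code from the original article: it runs a sliding-window detector over constructed sample lines modelled on Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon) with Logon Type 10 (RDP). The simplified field layout, the threshold and the window size are assumptions of this example.

```python
# Added example, not from the original article: flag RDP brute-force bursts
# in Windows Security log events. The one-line field layout below, the
# threshold and the window are assumptions; real 4625 events are XML.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event_id> <logon_type> <source_ip> <account>"
SAMPLE_EVENTS = """\
2020-01-05T02:14:01 4625 10 203.0.113.7 administrator
2020-01-05T02:14:03 4625 10 203.0.113.7 admin
2020-01-05T02:14:05 4625 10 203.0.113.7 backup
2020-01-05T02:14:06 4625 10 203.0.113.7 administrator
2020-01-05T02:14:09 4625 10 203.0.113.7 sysadmin
2020-01-05T02:14:30 4624 10 203.0.113.7 administrator
2020-01-05T09:00:00 4625 10 192.0.2.44 jsmith
2020-01-05T09:45:00 4625 10 192.0.2.44 jsmith
2020-01-05T09:00:10 4625 2 192.0.2.99 jdoe
"""

def parse_events(text):
    """Parse the simplified log format into (time, event_id, logon_type, ip, user)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(t), e, lt, ip, u) for t, e, lt, ip, u in rows)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: details} for sources with >= threshold failed RDP logons (Logon
    Type 10) inside a sliding window; note whether an RDP success followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, ip, user in events:
        if logon_type != "10":            # only RemoteInteractive (RDP) logons
            continue
        if event_id == "4625":
            failures[ip].append((ts, user))
        elif event_id == "4624":
            successes[ip].append(ts)
    alerts = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                # slide the window forward
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(attempts),
                    "accounts": sorted({u for _, u in attempts}),
                    "success_after": any(t > attempts[end][0] for t in successes[ip]),
                }
                break
    return alerts
```

A `success_after` of True is the case to escalate: the password was probably guessed, and the host should be treated as compromised rather than merely probed.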
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Go to the Processes tab and look for suspicious processes that could be related to BitPaymer or FriedEx ransomware.
Right-click the processes, click Open File Location and scan them with a powerful and trusted antivirus such as SpyRemover Pro. After opening their folders, end the processes and delete the folders. If the virus scanner fails to detect something that you know is suspicious, don't hesitate to delete it.
Step 2: Open Control Panel by pressing the Windows key + R to launch Run, type appwiz.cpl in the box and click OK.
Step 3: Look for BitPaymer or FriedEx ransomware or any other malicious program and Uninstall it.
Step 4: Hold down the Windows + E keys simultaneously to open File Explorer.
Step 5: Go to the directories listed below and look for the files created by BitPaymer ransomware, such as its ransom note, "READ_ME.txt".
- C:\Users\(your pcname)\AppData\Roaming
- %TEMP%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8: Close File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate the Windows Registry. Keep in mind that any changes you make there can have a serious impact on your computer. To save time and trouble, you can instead use PC Cleaner Pro; this system tool is proven to be safe and secure enough that hackers won't be able to break into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run, type regedit in the field and press Enter to open the Windows Registry.
Step 10: Navigate to the following paths:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 11: Delete the registry keys and sub-keys created by BitPaymer or FriedEx ransomware.
Step 12: Close the Registry Editor and empty your Recycle Bin.
It is important to make sure that nothing is left behind and that BitPaymer or FriedEx ransomware is completely removed, using the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows appears instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly until the Advanced Option menu shows up.
- To navigate the Advanced Option menu use the arrow keys, select Safe Mode with Networking and then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.