Posted 30 July 2017 - 12:18 AM
Posted 30 July 2017 - 06:53 AM
Posted 31 July 2017 - 11:16 AM
We have a customer who was infected with the Bitpaymer Ransomware, and we were able to stop it mid process and collect copies of the malware payload files and screenshots of taskmgr showing the powershell command where they were encrypting files. Would there be any benefit to submitting samples of this info, or do you already have this type of information? If this would be helpful, please let me know the procedure to submit samples.
Posted 31 July 2017 - 02:23 PM
Posted 31 July 2017 - 07:12 PM
I have uploaded the sample payload files. Thanks for your help.
Posted 31 July 2017 - 08:00 PM
I've also uploaded the locked files and one of the .exe's that is running the encryption process.
For anyone trying to remove this, the best way that we have been able to remove it is looking in the event log for Event ID 7045 and finding a new service that was created. This infection seems to make a large number of new services (from what we have seen they are mostly 10-14 digit numbers). They seem to reference a .exe of the same name in the Windows directory, but I have never found the .exe in reference. We started to look and found that in the middle of it creating all the "fake" services it makes one that copies a Windows service name or something else (I've seen servercrypt.exe, crypt.exe etc.); normally these are in the SysWoW64 folder or System32.
We used Regedit to remove the services, Task Manager to kill the processes named after the .exe, and then deleted the .exe.
So far we have cleaned 50+ devices and have not seen any devices become re-infected at the moment.
Edited by Sinowal, 01 August 2017 - 08:27 AM.
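The post above describes the check by hand (Event ID 7045 entries for new services with 10-14 digit numeric names, and the leftover service keys cleaned up in Regedit). The script below is an added example, not code from the thread or from the poster, that automates that triage on an affected host. It assumes it is run from an elevated PowerShell session, that the numeric-name pattern quoted in the post is the only heuristic applied (other variants may use different names), and that the standard 7045 event fields ServiceName and ImagePath are present.

```powershell
# Added example (not from the thread): triage service-install events (ID 7045)
# and currently registered services for the indicators described in the post.
# Assumption: run as an administrator on the affected machine.

# Heuristic from the post: service names that are 10-14 digit numbers.
$numericName = '^\d{10,14}$'

# 1) Service installs recorded in the System log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $name  = $data['ServiceName']
    $image = $data['ImagePath']

    # Reduce "C:\path\svc.exe" -arg  or  C:\path\svc.exe -arg  to the bare executable path.
    $exe = $image -replace '^"([^"]+)".*$', '$1'
    $exe = $exe   -replace '^(\S+\.exe).*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $reasons = @()
    if ($name -match $numericName) { $reasons += 'numeric service name' }
    # The post notes the referenced .exe is often not on disk any more.
    if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'image path missing on disk' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Service   = $name
            ImagePath = $image
            Reason    = ($reasons -join '; ')
        }
    }
}

"Suspicious 7045 service-install events:"
$findings | Sort-Object Time | Format-Table -AutoSize

# 2) Services still registered under the Services key (what the post removed with Regedit).
"Registered services with numeric names still present:"
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -match $numericName } |
    ForEach-Object {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        }
    } | Format-Table -AutoSize

# 3) Running processes whose executable matches a flagged service image, for review before termination.
"Running processes matching flagged images:"
$flaggedExes = $findings | ForEach-Object { [IO.Path]::GetFileName(($_.ImagePath -replace '^"([^"]+)".*$', '$1')) } | Where-Object { $_ }
Get-Process | Where-Object { $flaggedExes -contains ($_.ProcessName + '.exe') } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

The script only reports; it does not stop processes or delete keys, so the output can be reviewed (and the event log exported) before any cleanup, which also preserves evidence of the service names and timestamps for an incident timeline.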
Posted 10 November 2017 - 02:00 PM
Heard any more on this? Know a place with not so great security that had this last night. From what we can tell a PC was logged onto the DNS server and ran the virus. We are still trying to track down, but looks to be intentional. They also were able to get the backup server... and no offsite was performed.
Posted 10 November 2017 - 02:04 PM
Posted 10 November 2017 - 02:11 PM
Nothing new that I am aware of....there is no known way to decrypt files encrypted by Bitpaymer Ransomware without paying the ransom.
When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
Thanks... unfortunately the ransom they want is a little steep at $345768.00 US... I'm sure the files are not that important... but I dunno.
Posted 10 November 2017 - 02:15 PM