
Bitpaymer Ransomware (.locked ext, readme_txt) Support Topic


10 replies to this topic

#1 Sinowal

Posted 30 July 2017 - 12:18 AM

We recently were attacked with a ransomware virus. I have found files labeled as .locked and .readme_txt.

ID Ransomware is showing the virus as Bitpaymer. I cannot seem to find much information on this infection; any information will be helpful, as we are looking at a large number of devices that are infected. Specifically, I am looking for anything that can help in removal of the virus so we can clean PCs and not have to worry about reinfection.
 
Thank you all for your help.


#2 quietman7

Posted 30 July 2017 - 06:53 AM

"Bit paymer" #ransomware. Ext ".locked" w/ marker, drops ".readme_txt"
About Bitpaymer Ransomware

Unfortunately, there is no decryption tool to decrypt files encrypted by Bitpaymer Ransomware without paying the ransom.
...Confirmed Bitpaymer #ransomware is not decryptable. If possible, your best option is to restore from backups.

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 SevenIron

Posted 31 July 2017 - 11:16 AM

We have a customer who was infected with the Bitpaymer Ransomware, and we were able to stop it mid process and collect copies of the malware payload files and screenshots of taskmgr showing the powershell command where they were encrypting files.  Would there be any benefit to submitting samples of this info, or do you already have this type of information?  If this would be helpful, please let me know the procedure to submit samples.



#4 quietman7

Posted 31 July 2017 - 02:23 PM

We just created this support topic yesterday so I'm not sure what samples our experts already have or need.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

#5 SevenIron

Posted 31 July 2017 - 07:12 PM

I have uploaded the sample payload files.  Thanks for your help.



#6 quietman7

Posted 31 July 2017 - 07:21 PM

You're welcome.

#7 Sinowal

Posted 31 July 2017 - 08:00 PM

I've also uploaded the locked files and one of the .exe files that is running the encryption process.

For anyone trying to remove this, the best way that we have been able to remove it is by looking in the event log for Event ID 7045 and finding a new service that was created. This infection seems to make a large number of new services (from what we have seen they are mostly 10-14 digit numbers). They seem to reference a .exe of the same name in the Windows directory, but I have never found the .exe in reference. We started to look and found that in the middle of it creating all the "fake" services it makes one that copies a Windows service name or something else (I've seen servercrypt.exe, crypt.exe etc.). Normally these are in the SysWoW64 folder or System32.

We used Regedit to remove the services, Task Manager to kill the processes named after the .exe, and then deleted the .exe.

So far we have cleaned 50+ devices and have not seen any devices become re-infected at the moment.


Edited by Sinowal, 01 August 2017 - 08:27 AM.
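
The triage steps Sinowal describes in the post above (Event ID 7045 service installs, bare numeric service names, a "crypt"-named binary under System32 or SysWOW64, then kill process / delete service / delete binary), turned into a repeatable PowerShell script. This is an added example and not code from the thread or from any vendor; the function names, the heuristics and the sample records are assumptions drawn from the post, not confirmed Bitpaymer indicators.

```powershell
# Added example, not from the thread. Turns the manual Event ID 7045 hunt described in
# the post into a repeatable triage. Function names and heuristics are assumptions.

function Get-ServiceInstallRecord {
    # Read "A service was installed in the system" (Event ID 7045) from the System log
    # and flatten its EventData fields (ServiceName, ImagePath, AccountName).
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                Account     = $data['AccountName']
            }
        }
}

function Get-ImageExe {
    # Reduce a service ImagePath (possibly quoted, with arguments, or using %SystemRoot%)
    # to the bare executable path.
    param([string]$ImagePath)
    $raw = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($raw -match '^"([^"]+)"')    { return $Matches[1] }
    if ($raw -match '^(.+?\.exe)\b') { return $Matches[1] }
    return $raw.Trim()
}

function Test-SuspiciousService {
    # Heuristics taken from the post (assumptions, not confirmed Bitpaymer indicators):
    #  - service name is a bare 10-14 digit number
    #  - the referenced binary does not exist on disk ("never found the .exe in reference")
    #  - a *crypt*.exe registered under System32 or SysWOW64
    param([Parameter(Mandatory)] $Record)
    $reasons = @()
    $exe = Get-ImageExe $Record.ImagePath
    if ($Record.ServiceName -match '^\d{10,14}$') { $reasons += 'numeric service name' }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reasons += "image not on disk: $exe" }
    if ($exe -match '\\(System32|SysWOW64)\\[^\\]*crypt[^\\]*\.exe$') { $reasons += 'crypt-named binary in system directory' }
    [pscustomobject]@{
        Time        = $Record.Time
        ServiceName = $Record.ServiceName
        Exe         = $exe
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

function Remove-SuspiciousService {
    # The post's manual cleanup (kill process, delete service, delete binary) with -WhatIf support.
    # Copy the binary somewhere safe before running this for real; it is the sample analysts want.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $Finding)
    if ($Finding.Exe) {
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path -ieq $Finding.Exe) } |
            Stop-Process -Force -WhatIf:$WhatIfPreference
    }
    if ($PSCmdlet.ShouldProcess($Finding.ServiceName, 'stop and delete service')) {
        Stop-Service -Name $Finding.ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $Finding.ServiceName | Out-Null   # Remove-Service only exists in PowerShell 6+
    }
    if ($Finding.Exe -and (Test-Path -LiteralPath $Finding.Exe)) {
        Remove-Item -LiteralPath $Finding.Exe -Force -WhatIf:$WhatIfPreference
    }
}

# Constructed sample records modelled on the post (not real 7045 data): a numeric service,
# a "servercrypt" service under SysWOW64, and a legitimate one that should not be flagged.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; ServiceName = '384726105933'; ImagePath = 'C:\Windows\384726105933.exe';          Account = 'LocalSystem' }
    [pscustomobject]@{ Time = Get-Date; ServiceName = 'servercrypt';  ImagePath = '"C:\Windows\SysWOW64\servercrypt.exe"'; Account = 'LocalSystem' }
    [pscustomobject]@{ Time = Get-Date; ServiceName = 'Spooler';      ImagePath = '%SystemRoot%\System32\spoolsv.exe';    Account = 'LocalSystem' }
)

$findings = $sample | ForEach-Object { Test-SuspiciousService $_ } | Where-Object Suspicious
$findings | Format-Table Time, ServiceName, Exe, Reasons -AutoSize

# Live use on a suspect host (run elevated); review the table before remediating:
#   Get-ServiceInstallRecord -Since (Get-Date).AddDays(-3) | ForEach-Object { Test-SuspiciousService $_ } |
#       Where-Object Suspicious | ForEach-Object { Remove-SuspiciousService $_ -WhatIf }
```

Two caveats for anyone running this: Event ID 7045 is only written when a service is registered through the Service Control Manager, so a service key written straight into HKLM\SYSTEM\CurrentControlSet\Services, or one created after the System log was cleared, will not appear; compare the registry key against the event list as well. And, as the rest of the thread says, removing the services only stops further encryption on that host; it does nothing for files already encrypted, so keep the binaries and a few encrypted files for the analysts rather than deleting everything.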


#8 HMFIC417

Posted 10 November 2017 - 02:00 PM

Heard any more on this? I know a place with not-so-great security that had this last night. From what we can tell, a PC was logged onto the DNS server and ran the virus. We are still trying to track it down, but it looks to be intentional. They also were able to get the backup server... and no offsite was performed.



#9 quietman7

Posted 10 November 2017 - 02:04 PM

Nothing new that I am aware of....there is no known way to decrypt files encrypted by Bitpaymer Ransomware without paying the ransom.

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#10 HMFIC417

Posted 10 November 2017 - 02:11 PM

Nothing new that I am aware of....there is no known way to decrypt files encrypted by Bitpaymer Ransomware without paying the ransom.

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Thanks.... Unfortunately the ransom they want is a little steep at $345768.00 US... I'm sure the files are not that important, but I dunno.



#11 quietman7

Posted 10 November 2017 - 02:15 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software and/or key they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Keep all this in mind if you are considering paying the ransom, since there is never a guarantee decryption will be successful or that the decryptor provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place?
