
Bitpaymer ransomware virus. How to remove? (Uninstall guide)

By Alice Woods | Type: Ransomware

Bitpaymer – a computer virus that encrypts files and demands a ransom


BitPaymer is a ransomware-type cyber threat designed to encrypt files on affected computers or networks and demand a ransom in exchange for releasing them. The malware was first detected in July 2017 and is also known as FriedEx. This crypto-virus uses RC4 and 1024-bit RSA encryption and appends the .locked file extension to make data unusable. New versions emerged in 2018; the appended file extension remained the same, but the contact email addresses and targets were changed.

Name: BitPaymer
Alternative name: FriedEx
Release date: 2017
Type: Ransomware
Danger level: High. Makes system changes and encrypts files
Appended file extension: .locked
Cryptography: RC4 and RSA-1024-bit
Ransom note: readme_txt
Contact email address:
Targeted OS: Windows
Main targets: Hospitals and other organizations
Distribution: RDP attacks
To uninstall BitPaymer, install Reimage and run a full system scan

The Bitpaymer virus was created by the same group of hackers who are responsible for the Dridex banking trojan. This time, however, the cyber criminals aimed at Scottish hospitals.[1] Fortunately, it did not manage to cause huge damage. However, it demanded 50 Bitcoins for data recovery.


Bit Paymer has a distinctive feature: it creates a separate ransom note for each encrypted file. The name of the ransom note consists of the original filename and the .readme_txt extension. For example, a file called document.txt gets a ransom note called document.txt.readme_txt. The ransom note tells the victim to pay a specified sum of money in order to restore the encrypted files.
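The naming rule above lets a responder scope the damage by pairing each encrypted file with its note. The following Python sketch is an added example, not code from this article or from any tool it mentions; it assumes that .locked is appended to the full original filename, and the function names and sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENC_EXT = ".locked"       # extension the article says is appended to encrypted files
NOTE_EXT = ".readme_txt"  # per-file ransom note suffix described in the article


def scan_tree(root):
    """Pair each <name>.locked file with its <name>.readme_txt ransom note.

    Assumption: .locked is appended to the full original filename, so both
    artifacts share the original path as a common prefix.
    """
    encrypted, notes = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENC_EXT):
                encrypted.add(full[: -len(ENC_EXT)])
            elif name.lower().endswith(NOTE_EXT):
                notes.add(full[: -len(NOTE_EXT)])
    return {
        "paired": sorted(encrypted & notes),
        # encrypted file present but note missing (e.g. note deleted by a user)
        "encrypted_without_note": sorted(encrypted - notes),
        # note present but file missing (e.g. file moved or renamed afterwards)
        "note_without_encrypted": sorted(notes - encrypted),
        # affected originals per directory, to prioritise restores from backup
        "per_directory": Counter(os.path.dirname(p) for p in encrypted | notes),
    }


def build_sample(root):
    """Create a constructed sample tree of empty placeholder files."""
    for rel in ("share/document.txt.locked", "share/document.txt.readme_txt",
                "share/budget.xlsx.locked", "home/photo.jpg.readme_txt",
                "home/notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = scan_tree(tmp)
        for key in ("paired", "encrypted_without_note", "note_without_encrypted"):
            print(key, [os.path.relpath(p, tmp) for p in report[key]])
        print("per_directory", dict(report["per_directory"]))
```

Run it read-only against a mounted copy or forensic image of the affected share rather than the live system, so the scan itself does not alter timestamps on evidence.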

The virus has been updated several times. However, nothing in the ransomware's operation has changed. The only major differences are the Bitcoin wallet address used (for ransom payments) and the contact email address used. Currently, researchers have detected three of them. However, there might be a bunch of different ones too:


The payment is only accepted in Bitcoins, which is the favorite cryptocurrency used in many illegal operations[2]. The payment system itself is legitimate; however, cyber criminals tend to use it to stay anonymous and untrackable. In case of a ransomware attack[3], immediate Bitpaymer removal is required to protect your PC from further malware attacks.

The Bitpaymer ransomware suggests installing the Tor browser in order to access a particular ransom payment website. The payment website shamelessly asks the victim to pay 50 Bitcoins, which is an incredibly large sum of money – approximately 230,000 US dollars. We doubt that the Bitcoin wallet provided on that website will ever receive any payments from ransomware victims because such an amount is simply unreasonable.


As for data recovery methods other than paying the excessive ransom, there are some tools that you can try out. We have described possible data recovery techniques below this article. However, before taking any action to recover your files, remove the Bitpaymer virus first. To complete this task, we highly recommend using security programs such as Reimage that can eliminate spyware and malware from your PC.

If your files were encrypted by Bit Paymer, we hope that you had a data backup. It is the most efficient way of restoring files; however, not many ransomware victims have one. If you're reading this article because you want to find out more about the latest ransomware viruses, we strongly recommend that you create a data backup. For more security-related tips, visit site[4].

Bitpaymer launched a new campaign in May 2018

Security researchers reported a new Bitpaymer ransomware attack that targets networks. After the attack, the malware drops a ransom note in which the criminals announce that the network has been penetrated and ask to be contacted via email:

Your network has been penetrated
All files on each host in the network have been encrypted with strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
No free decryption software is available in the public.

Additionally, the crooks warn victims not to rename or move encrypted files. According to them, this may cause more damage and files might be lost forever. However, this is just psychological pressure and an attempt to gain more money from unsuspecting computer users.

A couple of weeks later, at the end of May, researchers spotted another variant of the ransomware that uses contact email address. However, no other major changes were noticed.

Ransomware uses similar techniques as Dridex malware

At the end of December 2017, researchers from ESET[5] analyzed the FriedEx virus and discovered that it has many similarities to the Dridex banking trojan. For instance, both viruses use similar techniques to hide in the system and avoid detection, use the same malware packer, etc.

The analysis of the malicious code confirmed that both viruses were created by the same developers. It means that the criminals are ambitious and willing to commit more cyber crimes. Rather than only continuing to update the banking trojan, they are also taking advantage of the most popular cyber crime – the ransomware business.

Developers managed to create one of the most dangerous banking trojans. Thus, they are expected to update Bitpaymer and find new ways to make another hazardous crypto-malware soon.

Hospitals are the main target of the file-encrypting virus

The last Friday of August was terrifying for three hospitals at the National Health Service's (NHS) Lanarkshire outpost. Bitpaymer attacked Hairmyres Hospital in East Kilbride, Monklands Hospital in Airdrie and Wishaw General Hospital. The criminals demanded 53 Bitcoins, which is about 190,000 British pounds. Currently, there's no confirmed information that the ransom was paid.

NHS Lanarkshire reported[6] the issue and shared the news that the hospitals' security and IT systems were under control. The ransomware mostly affected the phone and staff rostering systems. As a result, the attack disrupted the hospitals' work. They had to postpone surgeries and cancel people's appointments.

It’s unknown how Bit Paymer launched the attack. It is suspected that the malware may have launched an RDP brute-force attack. Security experts continue investigating this issue.

RDP attacks are the main way BitPaymer gets into computers

The BitPaymer virus mainly attacks victims with unprotected computers. It mostly spreads via spam, Trojans and exploit kits, but it can also be pushed into your computer system with the help of an RDP attack. To protect your computer, you must complete several tasks and make sure you never make certain mistakes again.

First of all, we highly recommend that you secure your computer with anti-malware software to ward off malicious software. Then, you should create a data backup. Create copies of the most important files and transfer them to an external data storage device, such as a hard drive or USB stick. Keep it away from the computer and use it only when needed.

Finally, we suggest keeping all of your programs up-to-date. In other words, whenever your computer prompts you to install an update for programs that you already have, agree to do it. You can also enable automatic updates and save yourself some time. Please remember that you should never install software updates offered by suspicious Internet sites – these can land spyware or malware on your PC.

Removal guide for Bitpaymer ransomware virus

If you are one of those unfortunate victims whose computers were compromised by this virus, you must remove Bitpaymer as soon as you can. We suggest going the easiest way and running a system scan using anti-malware software, such as Reimage. If you do not have it yet, first reboot your PC into Safe Mode with Networking. You can find comprehensive instructions on how to do it below.

Do not try to perform a manual Bitpaymer removal. It can only be completed by experienced IT professionals that have experience in dealing with malware like ransomware. Attempts to uninstall ransomware can result in failure and cause you a lot of problems.


To remove Bitpaymer virus, follow these steps:

Remove Bitpaymer using Safe Mode with Networking

Delete the ransomware using the anti-spyware or anti-malware software. If you do not have it yet, install it after rebooting your PC into Safe Mode with Networking. This mode should always be used when dealing with malware – it helps to temporarily disable the virus and clean up the computer system efficiently.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Bitpaymer

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Bitpaymer removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Bitpaymer using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Bitpaymer. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Bitpaymer removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Bitpaymer from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Data backup clearly is the best tool when it comes to data recovery. If you haven't created it in the past, it will be quite hard to recover your files now. However, we suggest trying one of the provided methods to restore some of your files.

If your files are encrypted by Bitpaymer, you can use several methods to restore them:

Data Recovery Pro technique

Data Recovery Pro can help you to restore your files easily. Although it might not be able to break the encryption of Bitpaymer ransomware, it might successfully recover some of your files. This is how you should use this tool:

ShadowExplorer software

Volume Shadow Copies are extremely useful because they can help to restore corrupted files. However, ransomware viruses tend to delete them. You can check if your PC still contains some Volume Shadow Copies by running a scan with ShadowExplorer.

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Bitpaymer and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.
