
Bitpaymer ransomware virus. How to remove? (Uninstall guide)

Removal guide by Alice Woods | Type: Ransomware

Bitpaymer ransomware is a file-encrypting virus which targets large scale organizations

BitPaymer virus spreads via spam emails, malicious sites or RDP attacks.


BitPaymer ransomware is crypto-malware which uses the RC4 and RSA-1024 ciphers to encrypt information on infected computers. Researchers first discovered this file-encrypting virus in July 2017, when it operated under the name FriedEx. BitPaymer continued to attack computers in 2018 and even expanded its targets to large-scale organizations, such as hospitals and government entities. Compromised data is marked with the .locked file extension, which has stayed the same even as the malware was updated. However, the developers include different ransom notes and contact details with every new variant of BitPaymer.

Summary
Name: BitPaymer
Alternative name: FriedEx
Release date: 2017
Type: Ransomware
Danger level: High. Makes system changes and encrypts files
Appended file extension: .locked
Cryptography: RC4 and RSA-1024
Ransom note: <original filename>.readme_txt
Contact email addresses: ClaudiaBarnengham@protonmail.com, 1173022@protonmail.com, 15010050@tutamail.com
Targeted OS: Windows
Main targets: Hospitals and other organizations
Distribution: RDP attacks
Removal: To uninstall BitPaymer, install Reimage and run a full system scan

The Bitpaymer virus was created by the same group of hackers who are responsible for the Dridex banking trojan. This time, however, the cyber criminals aimed at Scottish hospitals.[1] Fortunately, the attack did not manage to cause huge damage, although it asked for 50 Bitcoins in exchange for data recovery.

BitPaymer is a ransomware-type infection which appends the .locked extension to files after encryption.

Bit Paymer has a distinctive feature: it creates a separate ransom note for each encrypted file. The name of the ransom note consists of the original filename plus the .readme_txt extension. For example, a file called document.txt gets a ransom note called document.txt.readme_txt. The ransom note states that the victim has to pay a specified sum of money in order to restore the encrypted files.
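The per-file note naming described above can be turned into a simple triage check for responders. The following Python script is an added example, not code from the original page; it assumes (the page does not say) that the encrypted copy of document.txt is stored as document.txt.locked, and the sample listing it runs on is constructed.

```python
import os
from typing import Dict, List

# Extensions taken from the article: encrypted files end in .locked and
# each one gets its own note named <original filename>.readme_txt.
ENCRYPTED_EXT = ".locked"
NOTE_EXT = ".readme_txt"


def triage_bitpaymer(paths: List[str]) -> Dict[str, List[str]]:
    """Pair BitPaymer ransom notes with encrypted files from a file listing.

    Returns the original names recovered from matched pairs, encrypted
    files that have no note, and notes that have no encrypted file. The
    input is a plain list of paths, so it runs on the constructed sample
    below or on the output of a real directory walk.
    """
    # Assumption (not stated on the page): "document.txt" is stored as
    # "document.txt.locked" after encryption.
    notes = {p[:-len(NOTE_EXT)] for p in paths if p.endswith(NOTE_EXT)}
    encrypted = {p[:-len(ENCRYPTED_EXT)] for p in paths if p.endswith(ENCRYPTED_EXT)}
    return {
        "originals": sorted(notes & encrypted),
        "encrypted_without_note": sorted(encrypted - notes),
        "note_without_encrypted": sorted(notes - encrypted),
    }


def walk_for_triage(root: str) -> Dict[str, List[str]]:
    """Run the triage over a real directory tree (e.g. a mounted disk image)."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return triage_bitpaymer(found)


# Constructed sample listing for illustration only.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\document.txt.locked",
    r"C:\Users\victim\Documents\document.txt.readme_txt",
    r"C:\Users\victim\Documents\budget.xlsx.locked",
    r"C:\Users\victim\Documents\budget.xlsx.readme_txt",
    r"C:\Users\victim\Documents\photo.jpg.locked",       # note missing
    r"C:\Users\victim\Documents\notes.docx.readme_txt",  # encrypted copy missing
    r"C:\Users\victim\Documents\untouched.pdf",
]

if __name__ == "__main__":
    for key, value in triage_bitpaymer(SAMPLE_LISTING).items():
        print(key, value)
```

Mismatched pairs are worth a second look during response: an encrypted file without a note, or the reverse, often means the process was interrupted or files were moved afterwards.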

The virus has been updated several times. However, nothing in the ransomware's operation has changed. The only major differences between variants are the Bitcoin wallet address used for ransom payments and the contact email address. So far, researchers have detected three email addresses, although there may be many more:

  • ClaudiaBarnengham@protonmail.com
  • 1173022@protonmail.com
  • 15010050@tutamail.com

Payment is only accepted in Bitcoin, the favorite cryptocurrency of many illegal operations[2]. The payment system itself is legitimate; however, cyber criminals use it to stay anonymous and untraceable. In the case of a ransomware attack[3], immediate Bitpaymer removal is required to protect your PC from further malware attacks.

The Bitpaymer ransomware instructs the victim to install the Tor browser in order to access a particular ransom payment website. The payment website shamelessly asks the victim to pay 50 Bitcoins, an incredibly large sum of money – approximately 230,000 US dollars. We doubt that the Bitcoin wallet provided on that website will ever receive any payments from ransomware victims because such an amount is simply unreasonable.

The main targets of BitPaymer malware are hospitals and government entities.

As for data recovery alternatives to paying the excessive ransom, there are some tools that you can try. We describe possible data recovery techniques below this article. However, before taking any action to recover your files, remove the Bitpaymer virus first. To complete this task, we highly recommend using security programs such as Reimage that can eliminate spyware and malware from your PC.

If your files were encrypted by Bit Paymer, we hope that you had a data backup. It is the most efficient way of restoring files; however, not many ransomware victims have one. If you are reading this article because you want to find out more about the latest ransomware viruses, we strongly recommend that you create a data backup. For more security-related tips, visit the NoVirus.uk site[4].

The PGA of America was possibly infected with Bitpaymer

Previously, the main targets of BitPaymer malware were hospitals and government entities. However, now the developers of this dangerous cyber threat decided to attack the PGA of America by hijacking the network. The staff identified the ransomware attack only on Tuesday morning when they started receiving ransom notes on each affected computer. 

Just like SamSam ransomware, BitPaymer uses RDP brute-force attacks to infect the network. After the attack, the malware drops a ransom note informing the victim that the network has been penetrated and asking them to make contact via email:

Your network has been penetrated
All files on each host in the network have been encrypted with strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
No free decryption software is available in the public.

Additionally, the crooks warn victims not to rename or move encrypted files. According to them, this may cause more damage and files might be lost forever. However, this is just psychological pressure and an attempt to extract more money from unsuspecting computer users.

BitPaymer virus offers free decryption of 2 files to prove that decryption is possible.

According to research conducted in May, experts identified other BitPaymer RDP attacks which left the ClaudiaBarnengham@protonmail.com and 1173022@protonmail.com email addresses for contact purposes. No other major changes were noticed.

Similarities between BitPaymer and Dridex malware

Researchers at ESET[5] have analyzed the FriedEx virus and compared it to the Dridex banking trojan. Surprisingly, the experts discovered numerous similarities, from similar disguise techniques to identical malware packers and other indistinguishable features.

Analysis of the malicious code confirmed that both viruses were created by the same developers. It means that the criminals are ambitious and willing to commit more cyber crimes. Instead of only continuing to update the banking trojan, they are also taking advantage of the most popular cyber crime – the ransomware business.

The developers managed to create one of the most dangerous banking trojans. Thus, they are expected to keep updating Bitpaymer and to find new ways to build another hazardous crypto-malware soon.

Hospitals were one of the main targets of the crypto-malware

BitPaymer ransomware was undeniably active at the end of August. Researchers note that this file-encrypting virus attacked three hospitals at the National Health Service's (NHS) Lanarkshire outpost. According to sources, the developers demanded 53 Bitcoins (approximately 190,000 British Pounds at the exchange rate at the time) for the BitPaymer decrypt software.

BitPaymer ransomware is a sophisticated cyber threat which targets large-scale organizations for money extortion purposes.

NHS Lanarkshire reported[6] the issue and shared the news that the hospitals' security and IT systems were under control. The ransomware mostly affected the phone and staff rostering systems. Nevertheless, the attack disrupted the hospitals' work: they had to postpone surgeries and cancel patient appointments.

It is unknown exactly how Bit Paymer launched the attack. It is suspected that the attackers used an RDP brute-force attack. Security experts continue to investigate this issue.

The peculiarities of BitPaymer RDP attacks

Usually, ransomware spreads via spam emails, exploit kits, or with the help of Trojans. BitPaymer ransomware, however, uses RDP brute-force attacks to infect large networks and extort money from organizations and companies. There are several tips that can help you protect your computer, or even your business, from ransomware attacks.
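Because BitPaymer's entry point is RDP brute force, a burst of failed remote logons from one source is the signal a defender most wants to catch early. The Python detector below is an added example, not code from the page: it assumes events have already been pulled from the Windows Security log into dicts, and it relies on event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP), which are standard Windows values the page itself does not name. The sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Standard Windows Security log values (assumed; not named on the page):
# 4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10


def rdp_bruteforce_sources(events: List[dict], threshold: int = 20,
                           window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return source IPs with >= threshold failed RDP logons inside one window.

    Each event is a dict with keys time (datetime), event_id, logon_type and
    source_ip, mirroring fields a SIEM would extract from a 4625 record. A
    sliding window per source is kept, so a slow trickle of mistyped
    passwords stays quiet while a password-guessing burst is reported with
    its peak count.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console logons, successes etc. are not RDP guessing
        q = recent[ev["source_ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            peak[ev["source_ip"]] = max(peak.get(ev["source_ip"], 0), len(q))
    return peak


def constructed_events() -> List[dict]:
    """Constructed sample: one source bursting, one admin with a few typos."""
    t0 = datetime(2018, 8, 7, 3, 0, 0)
    events = [{"time": t0 + timedelta(seconds=3 * i), "event_id": FAILED_LOGON,
               "logon_type": RDP_LOGON_TYPE, "source_ip": "203.0.113.45"}
              for i in range(60)]
    events += [{"time": t0 + timedelta(minutes=10 * i), "event_id": FAILED_LOGON,
                "logon_type": RDP_LOGON_TYPE, "source_ip": "198.51.100.7"}
               for i in range(4)]
    events.append({"time": t0, "event_id": FAILED_LOGON,
                   "logon_type": 2, "source_ip": "198.51.100.7"})  # console logon
    return events


if __name__ == "__main__":
    print(rdp_bruteforce_sources(constructed_events()))
```

Tune threshold and window to your environment; the point is that alerting on this pattern, together with not exposing RDP to the Internet, catches the intrusion before any file is encrypted.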

First of all, we highly recommend that you secure your computer with anti-malware software to ward off malicious programs. Then, you should create a data backup. Make copies of your most important files and transfer them to an external storage device, such as an external hard drive or USB stick. Keep it disconnected from the computer and connect it only when needed.

Finally, we suggest keeping all of your programs up to date. In other words, whenever your computer prompts you to install an update for a program you already have, agree to do it. You can also enable automatic updates and save yourself some time. Please remember that you should never install software updates offered by suspicious Internet sites – these can land spyware or malware on your PC.

Introduction to BitPaymer removal

Those who are infected with this sophisticated cyber threat should not hesitate and should take action immediately. The most convenient way to remove BitPaymer is to run a full system scan with a professional security tool, such as Reimage, Malwarebytes, Combo Cleaner, or Plumbytes Anti-Malware. However, in some cases the malware might block all antivirus programs. In that case, reboot your computer into Safe Mode with Networking as shown below.

Do not try to perform a manual Bitpaymer removal. It can only be completed by experienced IT professionals that have experience in dealing with malware like ransomware. Attempts to uninstall ransomware can result in failure and cause you a lot of problems.


To remove Bitpaymer virus, follow these steps:

Remove Bitpaymer using Safe Mode with Networking

Delete the ransomware using the anti-spyware or anti-malware software. If you do not have it yet, install it after rebooting your PC into Safe Mode with Networking. This mode should always be used when dealing with malware – it helps to temporarily disable the virus and clean up the computer system efficiently.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Bitpaymer

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Bitpaymer removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Bitpaymer using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Bitpaymer. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage and scan your computer with it to make sure that Bitpaymer removal was performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove Bitpaymer from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

A data backup is clearly the best tool when it comes to data recovery. If you have not created one in the past, it will be quite hard to recover your files now. However, we suggest trying one of the methods below to restore at least some of your files.

If your files are encrypted by Bitpaymer, you can use several methods to restore them:

Data Recovery Pro technique

Data Recovery Pro can help you to restore your files easily. Although it might not be able to break the encryption of Bitpaymer ransomware, it might successfully recover some of your files. This is how you should use this tool:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Bitpaymer ransomware;
  • Restore them.

ShadowExplorer software

Volume Shadow Copies are extremely useful because they can help to restore corrupted files. However, ransomware viruses tend to delete them. You can check if your PC still contains some Volume Shadow Copies by running a scan with ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Bitpaymer and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Alice Woods - Likes to teach users about virus prevention

