BitPaymer Ransomware is a typical ransomware-type infection that enters computers with one goal only: to encrypt files and then demand money in exchange for their decryption. Although it does not differ much from threats our researchers analyzed some time ago, one feature distinguishes it from the rest of the file-encrypting threats: it mainly targets companies and threatens to ruin their business reputation by sending the company’s private, sensitive data to the media if the cyber criminals do not receive the ransom within 72 hours. Money is all ransomware infections want from their victims, and, unfortunately, some users are ready to pay the sum required. Giving cyber criminals what they want is a huge mistake because it encourages them to keep developing malicious applications. Additionally, paying does not guarantee that files can be decrypted: there are many cases in which victims never receive the promised decryptor even after following the instructions and transferring the money. For these reasons, we encourage users who have encountered BitPaymer Ransomware to delete the infection from their computers without mercy. Once it is gone, they can think about restoring their files.
Even though BitPaymer Ransomware is among the malicious applications that try to enter PCs unnoticed, its presence does not stay secret for long, because users soon discover a number of encrypted files on their computers. The first symptom that files have been locked is that they can no longer be opened. Second, users notice a new extension, .locked, appended after the original extension, for example picture.jpg.locked. Users also find a ransom note next to every encrypted file. The note carries the name of the file it has been placed next to, e.g. picture.jpg.readme_txt. It contains a message for the victim and step-by-step instructions explaining how to unlock files. Victims learn that their files have been encrypted and can be unlocked only with a special decryption tool. The provided .onion link opens a payment page stating that the price of the decryption tool is 50 BTC, which, at today’s price, is more than $130 000. Without a doubt, this ransom is one of the largest we have ever seen, but it does not surprise us much, because BitPaymer Ransomware has been developed primarily to cause problems for companies. No one should send cyber criminals such a large amount of money, especially if a backup of the files is available somewhere outside the compromised machine, because it will be easy to restore the files from that backup after the threat has been removed.
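The file-naming pattern described above (an encrypted copy carrying the extra .locked extension, plus a ransom note named after the original file with .readme_txt) is easy to check for programmatically. The script below is an added example for incident triage, not code from the original article or from any removal tool: it classifies a directory listing by those two artifacts and reports whether the tell-tale pairing is present. The file names in SAMPLE_LISTING are constructed for illustration; scan_directory() applies the same check to a real folder tree.

```python
import os
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".locked"     # appended after the original extension, e.g. picture.jpg.locked
NOTE_SUFFIX = ".readme_txt"      # ransom note named after the file, e.g. picture.jpg.readme_txt


@dataclass
class ScanReport:
    encrypted: list = field(default_factory=list)     # original names that have a .locked copy
    paired_notes: list = field(default_factory=list)  # encrypted files with a matching ransom note
    orphan_notes: list = field(default_factory=list)  # notes whose .locked sibling is missing

    def infected(self) -> bool:
        # A .locked file sitting next to its own .readme_txt note is the pattern
        # described in the article; one such pair is enough to raise the flag.
        return len(self.paired_notes) > 0


def scan_names(names):
    """Classify one directory's file names (e.g. from os.listdir) by BitPaymer artifacts."""
    names = set(names)
    report = ScanReport()
    for name in sorted(names):
        if name.endswith(ENCRYPTED_SUFFIX):
            original = name[: -len(ENCRYPTED_SUFFIX)]
            report.encrypted.append(original)
            if original + NOTE_SUFFIX in names:
                report.paired_notes.append(original)
        elif name.endswith(NOTE_SUFFIX):
            original = name[: -len(NOTE_SUFFIX)]
            if original + ENCRYPTED_SUFFIX not in names:
                # A note without its encrypted sibling: worth a look, but not the full pattern
                report.orphan_notes.append(original)
    return report


def scan_directory(path):
    """Walk a folder tree and merge the per-folder reports, keeping full paths."""
    total = ScanReport()
    for root, _dirs, files in os.walk(path):
        r = scan_names(files)
        total.encrypted += [os.path.join(root, n) for n in r.encrypted]
        total.paired_notes += [os.path.join(root, n) for n in r.paired_notes]
        total.orphan_notes += [os.path.join(root, n) for n in r.orphan_notes]
    return total


# Constructed listing: two encrypted files with notes, one untouched file, one stray note.
SAMPLE_LISTING = [
    "picture.jpg.locked",
    "picture.jpg.readme_txt",
    "budget.xlsx.locked",
    "budget.xlsx.readme_txt",
    "notes.txt",
    "old.docx.readme_txt",
]

if __name__ == "__main__":
    report = scan_names(SAMPLE_LISTING)
    print("infected:", report.infected())
    print("encrypted files:", report.encrypted)
    print("notes without a .locked sibling:", report.orphan_notes)
```

Run against a real share with `scan_directory(r"D:\shared")` the report gives you the list of affected originals, which is exactly the list you need when deciding what to restore from backup after the infection has been removed.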
Research has shown that two distribution methods are commonly used to spread BitPaymer Ransomware. First, it might be spread via unsecured or open Remote Desktop Protocol (RDP) connections. Second, like other ransomware infections, it might be disseminated through spam mail. Users receive a harmless-looking email with an attachment that looks like a document, an invoice, or a similar important file, and they let the ransomware infection into their PCs simply by opening the malicious attachment. It becomes clear that the infection has successfully entered the system only when a number of personal files can no longer be opened. We recommend securing the system as soon as possible so that this does not happen again. That can be done simply by installing a trustworthy security application, which will not allow malware to enter the system illegally again.
BitPaymer Ransomware is a serious malicious application, we have to admit, but we still think that users will manage to erase it themselves if they follow the manual removal guide provided below this article. They will only have to delete the folder containing the malicious .exe file and then take care of suspicious recently downloaded files. They can, of course, remove this ransomware infection with an automatic tool too; however, research has shown that it might block some malware removers from launching, so we cannot promise that automatic removal will be possible in every case.