BitPaymer Ransomware

BitPaymer, also known as WPEncrypt, is a relatively new ransomware variant that is primarily spread through insecure Remote Desktop Protocol (RDP) connections and network compromise.

Attackers perform brute-force attacks on internet exposed RDP endpoints. When a weak password is discovered and access to one system is gained, the attackers then attempt to move laterally on the breached network and install BitPaymer manually on each compromised system.

BitPaymer may also be delivered via spam emails, malicious advertisements and via potentially unwanted programs (PUPs).

There does not appear to be any widespread campaigns that are distributing this malware, indicating that attacks may be more targeted in nature.

The ransomware appends the “.locked” string at the end of each encrypted file name.

The ransom note instructs victims to connect to a Tor-based portal where victims can pay (in Bitcoin) to obtain decryption software.

The ransomware encrypts files with a combination of RC4 and RSA-1024 encryption algorithms.

Affected Platforms:

Microsoft Windows – all version




Recomended Action:

Securing RDP:

If RDP is not used:

  • ensure port 3389 is blocked at your internet firewall

If RDP is used:

  • Ensure only authorised users are granted RDP permissions.
  • Authorised users have a strong password.
  • RDP connections are protected with multifactor authentication.
  • For additional security only allow RDP to run through VPN connections.

Ransomware Remediation:

As with all forms of zero day malware the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.

To limit the damage of ransomware and enable recovery:

  • All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.

Multiple backups should be created including at least one off-network backup (e.g. to tape).



Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: