Several hospitals that are part of the NHS Lanarkshire board were hit on Friday by a version of the Bit Paymer ransomware.

The NHS Lanarkshire board includes hospitals such as Hairmyres Hospital in East Kilbride, Monklands Hospital in Airdrie and Wishaw General Hospital.

Affected systems fixed over the weekend

The infection took hold late on Friday, August 25. NHS Lanarkshire officials acknowledged the incident right away.

The next day, board officials issued a statement saying they had the situation under control and were restoring affected systems, an operation they estimated would take until Monday.

"Unfortunately a small number of procedures and appointments have been canceled as a result of the incident," said NHS Lanarkshire chief executive Calum Campbell.

Bit Paymer active since at least June 2017

The Bit Paymer ransomware — sometimes also spelled as Bitpaymer — first came to Bleeping Computer's attention on July 11, when security researcher Michael Gillespie tweeted a link to a sample uploaded on VirusTotal, a web-based file scanning service.

Fellow researcher MalwareHunter told Bleeping Computer today in a private conversation that following the NHS Lanarkshire attacks, more samples were found on VirusTotal going back to June 21, 2017, hinting that more campaigns might have taken place before the NHS Lanarkshire incident.

Unlike most ransomware we see today, Bit Paymer is well coded and appears to be the work of experienced programmers.

Bit Paymer spread via RDP brute-force attacks

An Emsisoft security researcher who goes by the online pseudonym xXToffeeXx believes the ransomware is installed after attackers brute-force credentials on exposed RDP endpoints.

After gaining access to one system, attackers move laterally on the breached network and install Bit Paymer manually on each compromised system.
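The detection side of this access pattern, as an added example written for this page rather than code from any of the researchers quoted: the script below walks a constructed, simplified one-line rendering of Windows Security log events and flags a source address that produces a burst of failed RemoteInteractive logons (event 4625, logon type 10, which is what an RDP session generates) and then a success (event 4624) from the same address, which is the account the attacker most likely got in with before moving laterally. The field layout, the 60-second window and the five-failure threshold are assumptions chosen for the example; real events carry these values in their XML fields rather than on one line.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified one-line form (not real
# NHS Lanarkshire logs): timestamp, Windows Security event ID, logon type,
# source address, account name. 4625 = failed logon, 4624 = successful
# logon; LogonType 10 (RemoteInteractive) is what an RDP session produces.
SAMPLE_EVENTS = """\
2017-08-25T22:01:03 4625 LogonType=10 Src=203.0.113.45 User=administrator
2017-08-25T22:01:04 4625 LogonType=10 Src=203.0.113.45 User=administrator
2017-08-25T22:01:05 4625 LogonType=10 Src=203.0.113.45 User=admin
2017-08-25T22:01:06 4625 LogonType=10 Src=203.0.113.45 User=backup
2017-08-25T22:01:07 4625 LogonType=10 Src=203.0.113.45 User=scanner
2017-08-25T22:01:08 4625 LogonType=10 Src=203.0.113.45 User=administrator
2017-08-25T22:01:09 4624 LogonType=10 Src=203.0.113.45 User=scanner
2017-08-25T22:05:00 4625 LogonType=10 Src=198.51.100.7 User=jsmith
2017-08-25T22:05:30 4624 LogonType=10 Src=198.51.100.7 User=jsmith
2017-08-25T22:06:00 4625 LogonType=2 Src=- User=kjones
"""

# Assumed tuning for the example: five failures from one source inside
# 60 seconds is treated as a brute-force burst.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, event_id, logon_type, src, user = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": int(logon_type.split("=", 1)[1]),
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1],
    }


def detect_rdp_brute_force(text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (flagged, suspicious_logons).

    flagged maps a source address to the ISO time at which it first reached
    `threshold` failed RDP logons within `window`; suspicious_logons lists
    (time, src, user) for every successful RDP logon from a flagged source.
    """
    recent_failures = defaultdict(deque)  # src -> sliding window of 4625 times
    flagged = {}
    suspicious = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["logon_type"] != 10:        # only RemoteInteractive (RDP) logons
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent_failures[src]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ev["time"].isoformat()
        elif ev["event_id"] == 4624 and src in flagged:
            suspicious.append((ev["time"].isoformat(), src, ev["user"]))
    return flagged, suspicious


if __name__ == "__main__":
    flagged, suspicious = detect_rdp_brute_force(SAMPLE_EVENTS)
    for src, when in flagged.items():
        print(f"brute-force burst from {src} at {when}")
    for when, src, user in suspicious:
        print(f"successful RDP logon from flagged source {src} as {user} at {when}")
```

The single failed logon from 198.51.100.7 followed by a success is the normal mistyped-password case and is not flagged; the console logon (logon type 2) is ignored entirely. In a real environment the same logic runs over exported event logs or a SIEM query, and a hit on the success line is the trigger to isolate the host before the manual installation step described above happens.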

According to Gillespie, the ransomware encrypts files with a combination of RC4 and RSA-1024 encryption algorithms. The researcher says there's currently no way to decrypt files locked by the Bit Paymer ransomware.

Confirmed Bitpaymer #ransomware is not decryptable. CryptGenRandom RC4 per file + RSA-1024. Thanks for analysis @FraMauronz https://t.co/TUpzYUDbhT — Michael Gillespie (@demonslay335) July 14, 2017
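Why a fresh random key for every file matters, shown with an added example written for this page (not code from the ransomware or from the researchers above): with a stream cipher such as RC4, a victim who still has the original of one encrypted file, say in an offline backup, can XOR it against the ciphertext to recover the keystream, and if the same key were used for every file that keystream would decrypt the start of every other file of equal or shorter length. The script implements RC4, encrypts two constructed files either under one shared key or under per-file keys drawn from os.urandom (standing in for CryptGenRandom), and attempts that cross-file reuse. The RSA-1024 wrapping of each file key is described in the tweet but not reproduced here; the point is that with per-file keys the only recovery path that does not need the attackers' private key is closed.

```python
import os


def rc4_keystream(key, length):
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data):
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def encrypt_files(files, per_file_key):
    """Encrypt {name: plaintext} and return {name: (key, ciphertext)}.

    With per_file_key every file gets a fresh 16-byte random key (os.urandom
    stands in for CryptGenRandom); otherwise one key is shared. In the real
    scheme each per-file key would then be wrapped with the attackers'
    RSA-1024 public key and stored beside the file; that step is omitted.
    """
    shared = os.urandom(16)
    encrypted = {}
    for name, plaintext in files.items():
        key = os.urandom(16) if per_file_key else shared
        encrypted[name] = (key, rc4_crypt(key, plaintext))
    return encrypted


def recover_keystream(known_plaintext, ciphertext):
    """Known plaintext XOR ciphertext yields the keystream that encrypted it."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def cross_file_decrypt(encrypted, known_name, known_plaintext, target_name):
    """Reuse the keystream recovered from one file on another file's
    ciphertext; this only works if both were encrypted under the same key."""
    keystream = recover_keystream(known_plaintext, encrypted[known_name][1])
    target_ct = encrypted[target_name][1]
    return bytes(k ^ c for k, c in zip(keystream, target_ct))


# Constructed sample files: one whose original survives in a backup and
# one that does not.
SAMPLE_FILES = {
    "report.docx": b"Quarterly report, known from an offline backup. " * 4,
    "patients.csv": b"id,name,ward\n1,A. Example,Ward 4\n" * 6,
}


def cross_file_recovery_works(per_file_key):
    """True if keystream reuse from report.docx recovers the start of
    patients.csv: expected True with a shared key, False with per-file keys."""
    encrypted = encrypt_files(SAMPLE_FILES, per_file_key)
    guess = cross_file_decrypt(encrypted, "report.docx",
                               SAMPLE_FILES["report.docx"], "patients.csv")
    return guess == SAMPLE_FILES["patients.csv"][:len(guess)]


if __name__ == "__main__":
    print("shared key, keystream reuse recovers data:", cross_file_recovery_works(False))
    print("per-file key, keystream reuse recovers data:", cross_file_recovery_works(True))
```

The same reasoning is why researchers check the key-generation call before declaring a family undecryptable: a predictable or reused RC4 key, or an RSA private key left in the binary, would reopen recovery, and none of those shortcuts applied here.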

Ransomware asks for a whopping $230,000 ransom payment

The ransomware appends the ".locked" string at the end of each encrypted file name. A file named "image.png" will become "image.png.locked".

Bit Paymer also drops text files holding the ransom note throughout the filesystem, in the directories where it encrypted files.

The ransom note instructs victims to connect to a Tor-based portal where victims can pay to recover their files.

This site also holds the ransom demand. Like similar ransomware strains installed via targeted attacks, Bit Paymer asks for astronomical sums. In samples observed in the past, the demand was 53 Bitcoin, about $230,000 at the time of writing. In other cases observed by xXToffeeXx, the ransom was smaller, at 20 Bitcoin. "They do change the ransom amount depending on the victims," the researcher said.

Bit Paymer is also unusual in how it handles ransom payments. The group behind it wants victims to send three 1 Bitcoin "confirmation" transactions before sending the full payment, most likely to stop victims from sending the bulk of the sum to the wrong Bitcoin address.

A focus on large companies

Other ransomware families that we've seen in the past installed manually on targets' systems after RDP brute-force attacks include RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.

"The interesting thing about Bitpaymer is that they are specifically targeting companies, and not just any companies, quite big companies," xXToffeeXx explains. "This is quite different to most other RDP company targeting ransomware. Reminds me of SamSam."

Bit Paymer should not be confused with the Defray ransomware, which Proofpoint researchers discovered last week targeting healthcare organizations. According to a Proofpoint report, Defray is spread via email spam, not RDP brute-force attacks.

Two weeks ago, Malwarebytes researcher Hasherezade uploaded a video on YouTube detailing the process of unpacking the BitPaymer ransomware payload. The video can prove helpful for researchers looking to analyze the threat.

IOCs:

SHA256 Hashes:

1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363
d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2

Ransom note:

YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED!

All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data. So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply.

Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software.

To receive your private key and the decryption software please follow the link (using tor2web service): [REDACTED URL]

If this address is not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: [REDACTED URL]
4. Follow the instructions on the site
5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely.
6. Any questions: [REDACTED EMAIL]
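A practical use of the indicators above (the .locked extension, the ransom-note text and the two SHA256 hashes), as an added example written for this page and not a tool from the article's sources: the script builds a small constructed post-infection directory tree in a temporary folder and then triages it, listing files carrying the .locked suffix, spotting ransom-note files by the opening line of the note quoted above, and hashing every other file against the known sample hashes. The note filename README.txt, the folder layout and the placeholder dropper contents are assumptions made for the example; the placeholder's hash is exported so the known-sample match path can be exercised without shipping a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 hashes of the two BitPaymer samples listed in the IOC section.
KNOWN_SHA256 = {
    "1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363",
    "d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2",
}
ENCRYPTED_SUFFIX = ".locked"
# Opening line of the ransom note quoted above, used to spot note files.
NOTE_MARKER = b"YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED"

# Constructed placeholder for a dropped binary (not malware); its hash is
# exported so a caller can exercise the known-sample match path.
PLACEHOLDER_BINARY = b"constructed placeholder executable, not a real sample"
PLACEHOLDER_HASH = hashlib.sha256(PLACEHOLDER_BINARY).hexdigest()


def sha256_file(path):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, known_hashes=KNOWN_SHA256):
    """Walk `root` and return sorted relative paths of encrypted files, ransom
    notes and files whose SHA256 matches a known sample, plus a hash count."""
    root = Path(root)
    found = {"encrypted": [], "notes": [], "known_samples": [], "hashed": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ENCRYPTED_SUFFIX:
            found["encrypted"].append(rel)
            continue                      # nothing useful to hash in ciphertext
        with open(path, "rb") as f:
            head = f.read(4096)
        if NOTE_MARKER in head:
            found["notes"].append(rel)
        found["hashed"] += 1
        if sha256_file(path) in known_hashes:
            found["known_samples"].append(rel)
    for key in ("encrypted", "notes", "known_samples"):
        found[key].sort()
    return found


def build_sample_tree():
    """Create a constructed post-infection tree in a temp dir (assumed layout
    and note filename) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="bitpaymer_triage_"))
    docs = root / "Users" / "nurse" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.locked").write_bytes(os.urandom(64))
    (docs / "image.png.locked").write_bytes(os.urandom(64))
    (docs / "README.txt").write_bytes(NOTE_MARKER + b"!\nAll files are encrypted.\n")
    temp = root / "Windows" / "Temp"
    temp.mkdir(parents=True)
    (temp / "dropper.exe").write_bytes(PLACEHOLDER_BINARY)
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(triage(sample_root))
    print(triage(sample_root, KNOWN_SHA256 | {PLACEHOLDER_HASH}))
```

Run against a real host, point it at a mounted image rather than the live system, and treat a hash miss as weak evidence: only two sample hashes are published here and the operators install the binary by hand, so a recompiled build will not match while the .locked files and the note text still will.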

Bit Paymer payment site: