The BitPyLock ransomware was discovered by MalwareHunterTeam on January 9th 2020 and has since seen new infections grow on a daily basis.
This ransomware attempts to steal sensitive information from systems before encrypting them. Believed to have first been created to target individual users, it has since evolved to target entire networks, with its operators using the extracted information to coerce affected organisations into paying their ransom demands.
There are unconfirmed reports indicating that this may be distributed via watering-hole attacks or through targeted spam campaigns.
Once delivered, BitPyLock will attempt to terminate a number of security, virtualisation, and database processes. If successful, it then attempts to exfiltrate user and system information to a command and control server. All files with extensions matching a hard-coded list are then encrypted using a hybrid AES-256 and RSA-2048 scheme (AES-256 for the file contents, with the key material protected by RSA-2048, so the files cannot be recovered without the operators' RSA private key) before a new extension is appended to them.
Indicators of Compromise
SHA256 File Hashes
220.127.116.11:123 (UDP) – note this IP is attributed to Microsoft Corporation. UDP port 123 is NTP, so traffic from an infected host to a Microsoft address on this port is most likely the host's normal time synchronisation rather than command and control; treat it as a low-confidence indicator and do not block it on its own.