BitPyLock Ransomware

The BitPyLock Ransomware was discovered by MalwareHunterTeam on January 9th 2020, and new infections have been reported daily since.

This ransomware attempts to steal sensitive information from systems before encrypting them. Believed to have first been created to target individual users, it has now evolved to target entire networks, with its operators using the stolen data to coerce affected organisations into paying their ransom demands.

There are unconfirmed reports that it may be distributed via watering-hole attacks or targeted spam campaigns.

Once delivered, BitPyLock attempts to terminate a number of security, virtualisation and database processes (a common ransomware step, since files held open by those processes could not otherwise be encrypted). If successful, it then attempts to exfiltrate user and system information to a command and control server. All files with extensions matching a hard-coded list are then encrypted using a hybrid AES-256 and RSA-2048 scheme, and a new extension is appended to each encrypted file.

Indicators of Compromise

SHA256 File Hashes

  • 274011aaa97fd19ad6d993a5555c9306090da6a9b16c991739033ebb7673a244

IP Address

40.81.188.85:123 (UDP) – Note that this IP is attributed to Microsoft Corporation. UDP/123 is the NTP port, so this may be a time-synchronisation lookup rather than command and control traffic; treat it as a low-confidence indicator and do not block it without further investigation.
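The following is an added example of how to sweep for the indicators above; it is not code from the original post or from the ransomware itself. It hashes every file under a directory and compares the result to the SHA256 list, and matches destination IP, port and transport in network log lines against the network indicator. The log line format is constructed for this example (a generic firewall-style `proto=... src=... dst=...` record) and the pattern will need adapting to whatever your sensor actually emits.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable

# Indicators of compromise as listed in the post above.
IOC_SHA256 = {
    "274011aaa97fd19ad6d993a5555c9306090da6a9b16c991739033ebb7673a244",
}
# (destination IP, destination port, transport) for the network indicator.
IOC_NET = {("40.81.188.85", 123, "UDP")}

# Regex for the constructed firewall-style log line used in this example
# (assumption: your own logs will need a different pattern).
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, hashes: set = IOC_SHA256) -> list:
    """Return every regular file under root whose SHA-256 is in the indicator set."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            if sha256_of_file(p) in hashes:
                hits.append(p)
        except OSError:
            # Locked or unreadable file: skip it rather than abort the sweep.
            continue
    return hits


def match_net_log(lines: Iterable[str], indicators: set = IOC_NET) -> list:
    """Return the log lines whose destination IP/port/transport match an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated record
        key = (m["dst"], int(m["dport"]), m["proto"].upper())
        if key in indicators:
            hits.append(line)
    return hits


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2020-01-10T09:12:01Z proto=UDP src=10.0.0.5:51234 dst=40.81.188.85:123",
    "2020-01-10T09:12:02Z proto=TCP src=10.0.0.5:51235 dst=40.81.188.85:443",
    "2020-01-10T09:12:03Z proto=UDP src=10.0.0.7:40001 dst=8.8.8.8:53",
]

if __name__ == "__main__":
    for hit in match_net_log(SAMPLE_LOG):
        print("network IOC hit:", hit)
    for hit in scan_tree(Path(".")):
        print("file IOC hit:", hit)
```

Because the network indicator is an NTP-port connection to a Microsoft address, a hit from `match_net_log` alone is only a lead: correlate it with the file hash, the killed processes and the appended extension before raising an incident.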

Jason Davies

UK-based technology professional, with an interest in computer security and telecoms.
