A new ransomware family called BitPyLock has quickly moved from targeting individual workstations to compromising whole networks and stealing files before encrypting devices. Of late it has also been used in targeted attacks. The infection blocks access to files, and the attacker demands a ransom in exchange for decrypting them. BitPyLock appends the .bitpy extension to each encrypted file; if you see that extension on a file name, the file's contents are encrypted and cannot be used until they are decrypted. BitPyLock then tries to extort money from the victim, demanding payment in Bitcoin in exchange for restoring access to the files. Affected file types include images, videos, documents and spreadsheets (.doc, .docx, .xls, .pdf and others).
BitPyLock was first discovered by MalwareHunterTeam on January 9th, 2020 and has since spread among consumer ("retail") users. Comparing the ransom notes of the earlier versions with those of the latest versions shows a clear progression in the types of victims targeted. To make matters worse, as ransomware operators have begun stealing data before encrypting it, to use the stolen data as leverage, the BitPyLock actors claim to be adopting this tactic as well.
(Screenshot: the ransom note encouraging users to pay a ransom to decrypt their compromised data.)
Once encryption is complete, the malware displays a ransom note. The note is a standard pressure tactic used by the operators to convince victims that paying them is the only way to get the files back. Paying is not a safe route: payment does not guarantee a working decryptor, and it funds further attacks. Removing BitPyLock from the system is necessary to stop further damage, but removal alone does not decrypt the files that have already been affected; recovery depends on clean backups or on a decryption route that does not rely on the attacker.
Many other ransomware families are circulating; Quimera, Ako, Clown and WannaScream are a few of them. All of them are designed to encrypt data and demand payment for its decryption. The encryption may use a symmetric algorithm, an asymmetric one, or, most commonly, a hybrid of the two: a fresh symmetric key per file or per victim, wrapped with the operator's public key, so that only the holder of the matching private key can recover it. A ransomware attack is sometimes unavoidable, so the best protection is a regular practice of taking verified, clean backups and keeping them isolated on a storage medium that is disconnected when not in use.
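Before restoring from backup it helps to know which files were actually encrypted rather than merely renamed or truncated, since a hybrid scheme like the one described above leaves ciphertext that is indistinguishable from random bytes. The triage script below is an added example written for this page, not code from the original article or from any of the firms it names. It walks a directory, picks out files carrying the .bitpy extension the page reports, and uses Shannon entropy of the first 64 KiB to separate files that look encrypted from those that do not. The sample directory tree, the file names in it and the 7.5 bits-per-byte threshold are constructed assumptions for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the page reports BitPyLock appending to encrypted files.
SUSPECT_EXTENSIONS = {".bitpy"}

# Entropy threshold in bits per byte (assumption: 8.0 is the maximum, and
# well-encrypted data of a few KiB sits above ~7.9; plain documents are lower).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte for data; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_directory(root: str, sample_size: int = 65536) -> dict:
    """Walk root and classify files carrying a suspect extension.

    Returns a dict with sorted, root-relative POSIX paths:
      'renamed'   -> every file with a suspect extension
      'encrypted' -> the subset whose leading bytes are high-entropy,
                     i.e. consistent with having actually been encrypted
      'odd'       -> suspect-extension files with low-entropy content
                     (renamed but not encrypted, zero-filled, or truncated);
                     these deserve a manual look before being discarded
    """
    result = {"renamed": [], "encrypted": [], "odd": []}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        result["renamed"].append(rel)
        with open(path, "rb") as fh:
            head = fh.read(sample_size)  # sample the head only; big files stay cheap
        bucket = "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "odd"
        result[bucket].append(rel)
    for files in result.values():
        files.sort()
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample data, not a real infection: one random-bytes file
    named like an encrypted document, one plain text file that was untouched,
    and one zero-filled file that only carries the extension."""
    docs = Path(root, "docs")
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.bitpy").write_bytes(os.urandom(8192))
    (docs / "notes.txt").write_text("quarterly figures\n" * 200)
    (docs / "empty.xls.bitpy").write_bytes(b"\x00" * 4096)


def run_sample_triage() -> dict:
    """Build the constructed sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for bucket, files in run_sample_triage().items():
        print(f"{bucket}: {files}")
```

Run it against a copy of the affected share, never the live system, and treat the 'odd' bucket as a prompt for inspection rather than a verdict: a compressed or already-encrypted original (a .zip or a PDF with embedded images, for instance) can exceed the threshold without the malware ever touching it, so the extension, not the entropy, remains the primary signal.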
Some companies in India have attempted decryption through conventional means, since efforts to obtain the decryption key from the attacker, even after making the demanded payment, have proved futile. Other entities in India have attempted recovery through unconventional means and have had success. Cyber Secure India can put you in touch with companies that can undertake this task.
eSF Labs Ltd is one of the few expert entities in India that has provided services to both domestic and international clients during the recent "Ryuk ransomware" attack and a few others in the recent past. eSF Labs Ltd can also assist in identifying the root cause, initiating cleanup of the affected networks, sanitising the IT infrastructure and providing quick recovery for the business continuity of the enterprise or individual that was targeted.