Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 18:39:02 UTC

Tool: BitPaymer

Names: BitPaymer, FriedEx, IEncrypt, wp_encrypt
Category: Malware
Type: Ransomware, Credential stealer, Big Game Hunting

Description (IBM)
The submitted file is a custom packed BitPaymer ransomware loader that is designed to run on Windows 7 or above, or any version of Windows Server. The loader uses Alternate Data Streams to hide its tracks and service hijacking to maintain persistence. The loader uses RC4 to decrypt its configuration data. The BitPaymer ransomware is used to encrypt files based on the settings from the configuration data. It has the ability to encrypt local and remote disks and can whitelist various file types that are not to be encrypted. The ransom note follows the same general outline as that of other ransomware families; however, BitPaymer is customized to the company or victim being attacked and contains their names in the configuration data itself.

Information: dridex-authors/
MITRE ATT&CK
Malpedia
AlienVault OTX

Last change to this tool card: 30 December 2022
Download this tool card in JSON format

All groups using tool BitPaymer

Changed | Name          | Country | Observed
--------|---------------|---------|---------------
APT groups
        | Indrik Spider |         | 2007-Oct 2024

1 group listed (1 APT, 0 other, 0 unknown)

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1d7f3d66-005d-426f-925e-a31a2a49cb46