{
	"id": "43ebdd6f-dc96-46dd-82f7-b65b62b3f1b7",
	"created_at": "2026-04-06T00:07:34.584405Z",
	"updated_at": "2026-04-10T13:12:28.087518Z",
	"deleted_at": null,
	"sha1_hash": "58d00d7fefa29f82bd28c8ab0ed9ed8bd95a901b",
	"title": "BitPyLock Ransomware Now Threatens to Publish Stolen Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1698095,
	"plain_text": "BitPyLock Ransomware Now Threatens to Publish Stolen Data\r\nBy Lawrence Abrams\r\nPublished: 2020-01-21 · Archived: 2026-04-05 13:02:48 UTC\r\nA new ransomware called BitPyLock has quickly gone from targeting individual workstations to trying to compromise\r\nnetworks and stealing files before encrypting devices.\r\nBitPyLock was first discovered by MalwareHunterTeam on January 9th, 2020 and has since seen a trickle of new victims\r\ndaily.\r\nWhat is interesting is that we can compare the ransom notes of earlier versions with the latest versions to see a clear\r\nprogression in the types of victims that are targeted.\r\nhttps://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/\r\nPage 1 of 6\n\nTo make matters worse, as ransomware operators begin stealing data before encrypting victims for use as leverage,\r\nBitPyLock actors claim to be adopting this tactic as well.\r\nThe BitPyLock Ransomware\r\nBased on our analysis, when first launched, BitPyLock will attempt to terminate any processes that contain the following\r\nstrings. This is done to terminate security software and close files being used by backup software, web server daemons,\r\nvirtual machines, and databases so that they can be encrypted.\r\nbackup, cobain, drop, drive, sql, database, vmware, virtual, agent, anti, iis, web, server, apache\r\nWhile encrypting files, BitPyLock will target 346 extensions (listed in the IOCs section) and will skip any files located in\r\nthe following folders.\r\nwindows\r\nwindows.old\r\nprogram files\r\nprogram files (x86)\r\nprogram data\r\n$recycle.bin\r\nsystem volume information\r\nFor every encrypted file, the ransomware will append the .bitpy extension as shown below. 
For example, a file named 1.doc\r\nwill be encrypted and renamed to 1.doc.bitpy.\r\nEncrypted BitPyLock files\r\nIn each folder and on the Windows desktop, BitPyLock will create a ransom note named #\r\nHELP_TO_DECRYPT_YOUR_FILES #.html that instructs the users to send a bitcoin ransom to the enclosed bitcoin\r\naddress. It then instructs the victim to email the listed address to get a decryptor.\r\nIn the sample BleepingComputer analyzed, the ransom amount was hardcoded to .8 bitcoins.\r\nThe language in the original ransom note also indicated that the attackers were targeting individual machines rather than\r\nnetworks.\r\nOriginal ransom note\r\nStrangely, the sample that we saw had a static bitcoin address in the executable, which means every victim would have the\r\nsame bitcoin address and thus it could make it impossible to determine who paid the ransom.\r\nEvolves to network attacks and the publishing of stolen data\r\nIn a more recent version discovered by MalwareHunterTeam, the actors have changed their targeting to focus on network\r\ncompromise and the claims of stealing data before encrypting devices.\r\nNew ransom note targeting networks\r\nIn this version of the ransom note, we can see that the attackers are targeting \"all your files on all network machines\". \r\nFor entire network decryption, BitPyLock's ransom amounts are also fairly low compared to other targeted ransomware at\r\nonly approximately 5 bitcoins for the entire network.\r\nThe ransom note further states that they will release stolen data if a ransom payment is not made.\r\n\"If you do not wish to negotiate with us. We will make your company's private papers and databases public. 
This's is not a\r\njoke!\"\r\nUnlike Maze Ransomware and Sodinokibi Ransomware who have already released stolen files belonging to non-paying\r\nvictims, BitPyLock has not done so at this time.\r\nThis could also just be an empty threat like ransomware operators used to make in the past. Unfortunately, there is no way to\r\ntell anymore as more ransomware actors begin to actually release stolen data.\r\nIOCs:\r\nHashes:\r\n274011aaa97fd19ad6d993a5555c9306090da6a9b16c991739033ebb7673a244\r\nAssociated file names:\r\n# HELP_TO_DECRYPT_YOUR_FILES #.html\r\nTargeted Extensions:\r\n.frx, .jin, .xls, .xlsx, .pdf, .doc, .docx, .ppt, .pptx, .log, .txt, .gif, .png, .conf, .data, .dat, .dwg, .asp, .aspx, .\r\nSource: https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/"
	],
	"report_names": [
		"bitpylock-ransomware-now-threatens-to-publish-stolen-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58d00d7fefa29f82bd28c8ab0ed9ed8bd95a901b.pdf",
		"text": "https://archive.orkl.eu/58d00d7fefa29f82bd28c8ab0ed9ed8bd95a901b.txt",
		"img": "https://archive.orkl.eu/58d00d7fefa29f82bd28c8ab0ed9ed8bd95a901b.jpg"
	}
}