BitPyLock Ransomware Now Threatens to Publish Stolen Data
By Lawrence Abrams
Published: 2020-01-21 · Archived: 2026-04-05 13:02:48 UTC

A new ransomware called BitPyLock has quickly gone from targeting individual workstations to trying to compromise networks and steal files before encrypting devices.

BitPyLock was first discovered by MalwareHunterTeam on January 9th, 2020 and has since seen a trickle of new victims daily. What is interesting is that we can compare the ransom notes of earlier versions with the latest versions to see a clear progression in the types of victims that are targeted.

To make matters worse, as ransomware operators begin stealing data before encrypting victims for use as leverage, BitPyLock actors claim to be adopting this tactic as well.

The BitPyLock Ransomware

Based on our analysis, when first launched, BitPyLock will attempt to terminate any process whose name contains one of the following strings. This is done to terminate security software and to close files held open by backup software, web server daemons, virtual machines, and databases so that they can be encrypted.

backup, cobain, drop, drive, sql, database, vmware, virtual, agent, anti, iis, web, server, apache

While encrypting files, BitPyLock targets 346 extensions (listed in the IOCs section) and skips any files located in the following folders:

windows
windows.old
program files
program files (x86)
program data
$recycle.bin
system volume information

For every encrypted file, the ransomware appends the .bitpy extension. For example, a file named 1.doc will be encrypted and renamed to 1.doc.bitpy.

[Image: Encrypted BitPyLock files]

In each folder and on the Windows desktop, BitPyLock creates a ransom note named # HELP_TO_DECRYPT_YOUR_FILES #.html that instructs the user to send a bitcoin ransom to the enclosed bitcoin address and then to email the listed address to get a decryptor.

In the sample BleepingComputer analyzed, the ransom amount was hardcoded to 0.8 bitcoins. The language in the original ransom note also indicated that the attackers were targeting individual machines rather than networks.

[Image: Original ransom note]

Strangely, the sample we saw had a static bitcoin address in the executable, which means every victim would receive the same bitcoin address, making it impossible to determine who had paid the ransom.

Evolves to network attacks and the publishing of stolen data

In a more recent version discovered by MalwareHunterTeam, the actors have changed their targeting to focus on network compromise and now claim to steal data before encrypting devices.

[Image: New ransom note targeting networks]

In this version of the ransom note, we can see that the attackers are targeting "all your files on all network machines". For entire network decryption, BitPyLock's ransom amounts are also fairly low compared to other targeted ransomware, at only approximately 5 bitcoins for the entire network.

The ransom note further states that they will release stolen data if a ransom payment is not made.

"If you do not wish to negotiate with us. We will make your company's private papers and databases public. This's is not a joke!"

Unlike Maze Ransomware and Sodinokibi Ransomware, which have already released stolen files belonging to non-paying victims, BitPyLock has not done so at this time.

This could also just be an empty threat like ransomware operators used to make in the past. Unfortunately, there is no way to tell anymore as more ransomware actors begin to actually release stolen data.

IOCs:

Hashes:
274011aaa97fd19ad6d993a5555c9306090da6a9b16c991739033ebb7673a244

Associated file names:
# HELP_TO_DECRYPT_YOUR_FILES #.html

Targeted Extensions:
.frx, .jin, .xls, .xlsx, .pdf, .doc, .docx, .ppt, .pptx, .log, .txt, .gif, .png, .conf, .data, .dat, .dwg, .asp, .aspx, .

Source: https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/
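The behaviour described above (process termination by substring match, folder skip list, the .bitpy extension, the ransom note name and the published hash) can be turned into host triage logic. The following is an added example written for this page, not code from the article, from BleepingComputer or from the malware itself. The kill-list strings, skipped folders, extension, note name and SHA-256 are the ones the article gives; the sample process names and file paths are constructed, the case-insensitive matching and the choice to check every directory component against the skip list are assumptions.

```python
# Added example (not from the article): host triage helpers built from the
# BitPyLock indicators listed on the page. Sample data below is constructed.
import hashlib
from pathlib import PureWindowsPath

# Substrings the ransomware matches against running process names.
# Case-insensitive comparison is an assumption; the article does not say.
KILL_LIST = ("backup", "cobain", "drop", "drive", "sql", "database", "vmware",
             "virtual", "agent", "anti", "iis", "web", "server", "apache")

# Folders the ransomware skips while encrypting (from the article).
SKIPPED_FOLDERS = {"windows", "windows.old", "program files", "program files (x86)",
                   "program data", "$recycle.bin", "system volume information"}

ENCRYPTED_EXT = ".bitpy"
RANSOM_NOTE = "# HELP_TO_DECRYPT_YOUR_FILES #.html"
SAMPLE_SHA256 = "274011aaa97fd19ad6d993a5555c9306090da6a9b16c991739033ebb7673a244"


def would_be_terminated(process_name: str) -> bool:
    """True if the process name contains any kill-list substring."""
    name = process_name.lower()
    return any(token in name for token in KILL_LIST)


def processes_at_risk(process_names):
    """Subset of a process list that BitPyLock would try to kill; useful for
    predicting which backup, database and security agents go down first."""
    return [p for p in process_names if would_be_terminated(p)]


def in_skipped_folder(path: str) -> bool:
    """True if any directory component is on the skip list (assumption: the
    match applies to any component, not only the top-level folder)."""
    pure = PureWindowsPath(path)
    dirs = [part.lower() for part in pure.parent.parts if part != pure.anchor]
    return any(d in SKIPPED_FOLDERS for d in dirs)


def triage_paths(paths):
    """Sort a file listing into BitPyLock artefacts: encrypted files and ransom notes."""
    findings = {"encrypted": [], "ransom_notes": []}
    for p in paths:
        pure = PureWindowsPath(p)
        if pure.name == RANSOM_NOTE:
            findings["ransom_notes"].append(p)
        elif pure.suffix.lower() == ENCRYPTED_EXT:
            findings["encrypted"].append(p)
    return findings


def matches_known_sample(data: bytes) -> bool:
    """Compare a file's SHA-256 with the hash published in the article's IOCs."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed sample data for demonstration (not from any real incident).
SAMPLE_PROCESSES = ["sqlservr.exe", "vmware-vmx.exe", "explorer.exe", "OneDrive.exe",
                    "notepad.exe", "w3wp.exe", "BackupAgent.exe"]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\1.doc.bitpy",
    r"C:\Users\alice\Documents\# HELP_TO_DECRYPT_YOUR_FILES #.html",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    print("Processes BitPyLock would try to kill:", processes_at_risk(SAMPLE_PROCESSES))
    for p in SAMPLE_PATHS:
        print(f"{p}: in skipped folder = {in_skipped_folder(p)}")
    print(triage_paths(SAMPLE_PATHS))
```

Note how broad the substrings are: "drive" sweeps in OneDrive.exe and "agent" matches many endpoint agents, so a sudden burst of terminations of processes that satisfy `would_be_terminated` is itself a useful detection signal, and the presence of the ransom note name or .bitpy files in a listing is enough to flag a host for isolation and a hash check against the published sample.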