{
	"id": "d86293be-ea4b-42ad-b27f-7a1cb0e958fb",
	"created_at": "2026-04-06T01:32:12.503785Z",
	"updated_at": "2026-04-10T03:20:32.79425Z",
	"deleted_at": null,
	"sha1_hash": "6153384fd1e693d2bda8b190866325c14e6437e4",
	"title": "Bit Paymer Ransomware Hits Scottish Hospitals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1906002,
	"plain_text": "Bit Paymer Ransomware Hits Scottish Hospitals\r\nBy Catalin Cimpanu\r\nPublished: 2017-08-29 · Archived: 2026-04-06 00:40:33 UTC\r\nSeveral hospitals that are part of the NHS Lanarkshire board were hit on Friday by a version of the Bit Paymer ransomware.\r\nThe NHS Lanarkshire board includes hospitals such as Hairmyres Hospital in East Kilbride, Monklands Hospital in Airdrie\r\nand Wishaw General Hospital.\r\nAffected systems fixed over the weekend\r\nThe infection took root on late Friday, August 25. NHS Lanarkshire officials acknowledged the incident right away.\r\nhttps://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/\r\nPage 1 of 6\n\nThe next day, board officials issued a statement revealing they had the situation under control, and they were currently\r\nrestoring affected systems, an operation they estimated would take until Monday.\r\n\"Unfortunately a small number of procedures and appointments have been canceled as a result of the incident,\" said NHS\r\nLanarkshire chief executive Calum Campbell.\r\nBit Paymer active since at least June 2017\r\nThe Bit Paymer ransomware — sometimes also spelled as Bitpaymer — first came to Bleeping Computer's attention on July\r\n11, when security researcher Michael Gillespie tweeted a link to a sample uploaded on VirusTotal, a web-based file scanning\r\nservice.\r\nFellow researcher MalwareHunter told Bleeping Computer today in a private conversation that following the NHS\r\nLanarkshire attacks, more samples were found on VirusTotal going back to June 21, 2017, hinting that more campaigns\r\nmight have taken place before the NHS Lanarkshire incident.\r\nUnlike most ransomware we see today, Bit Paymer is well coded and appears to be the work of experienced programmers.\r\nBit Paymer spread via RDP brute-force attacks\r\nAn Emsisoft security researcher who goes online by the pseudonym of xXToffeeXx believes the ransomware is installed\r\nafter attackers performed brute-force attacks on exposed RDP endpoints.\r\nAfter gaining access to one system, attackers move laterally on the breached network and install Bit Paymer manually on\r\neach compromised system.\r\nAccording to Gillespie, the ransomware encrypts files with a combination of RC4 and RSA-1024 encryption algorithms.\r\nThe researcher says there's currently no way to decrypt files locked by the Bit Paymer ransomware.\r\nRansomware asks for a whopping $230,000 ransom payment\r\nThe ransomware appends the \".locked\" string at the end of each encrypted file name. A file named \"image.png\" will become\r\n\"image.png.locked\".\r\nBit Paymer also generates text files holding the ransom note and drops them in every directory where it encrypted files.\r\nThe ransom note instructs victims to connect to a Tor-based portal where victims can pay to recover their files.\r\nThis site also holds the ransom demand. Just like similar ransomware strains installed via targeted attacks, Bit Paymer asks\r\nfor astronomical ransom demands. In samples observed in the past, this was 53 Bitcoin, which is $230,000 at today's\r\nexchange rate. In other cases observed by xXToffeeXx, the ransom was smaller, only 20 Bitcoin. \"They do change the\r\nransom amount depending on the victims,\" the researcher said.\r\nBit Paymer is also very strange in the way it handles ransom payments. The group behind this ransomware wants victims to\r\nsend three 1 Bitcoin \"confirmation\" transactions before sending the full payment. This is most likely to prevent victims from\r\nsending the bulk of the sum to the wrong Bitcoin address.\r\nA focus on large companies\r\nOther ransomware families that we've seen in the past manually installed on targets' systems after RDP brute-force attacks\r\ninclude RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi,\r\nAura/BandarChor, ACCDFISA, and Globe.\r\n\"The interesting thing about Bitpaymer is that they are specifically targeting companies, and not just any companies, quite\r\nbig companies,\" xXToffeeXx explains. \"This is quite different to most other RDP company targeting ransomware. Reminds\r\nme of SamSam.\"\r\nBit Paymer should not be confused with the Defray ransomware, which Proofpoint researchers discovered last week\r\ntargeting healthcare organizations. According to a Proofpoint report, Defray is spread via email spam, not RDP brute-force\r\nattacks.\r\nTwo weeks ago, Malwarebytes researcher Hasherezade uploaded a video on YouTube detailing the process of unpacking the\r\nBitPaymer ransomware payload. The video can prove helpful for researchers looking to analyze the threat.\r\nIOCs:\r\nSHA256 Hashes:\r\n1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363\r\nd693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2\r\nRansom note:\r\nYOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED!\r\nAll files are encrypted. We accept only bitcoins to share the decryption software for your network.\r\nAlso, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with me\r\nIt may harm your business reputation and the company's capitalization fell sharply.\r\nDo not try to do it with 3rd-parties programs, files might be damaged then.\r\nDecrypting of your files is only possible with the special decryption software.\r\nTo receive your private key and the decryption software please follow the link (using tor2web service):\r\n[REDACTED URL]\r\nIf this address is not available, follow these steps:\r\n1. Download and install Tor Browser: hxxps://www.torproject.org/projects/torbrowser.html.en\r\n2. After a successful installation, run the browser and wait for initialization.\r\n3. Type in the address bar: [REDACTED URL]\r\n4. Follow the instructions on the site\r\n5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely.\r\n6. Any questions: [REDACTED EMAIL]\r\nBit Paymer payment site:\r\nBit paymer\r\nWelcome to the ransom page!\r\nTo get the decryption software and the private key for every single infected computer in your network please follow the on\r\n1. Please register a Bitcoin wallet. Here are the options:\r\n- Blockchain Online Wallet (the easiest way)\r\n- Other options (for advanced users)\r\n- Send via Bitcoin exchanger directly to the ransom wallet.\r\n2. To buy the Bitcoins please use either of options below:\r\n- localBitcoins.com Buy Bitcoins with Western Union and several alternative methods.\r\n- btc-e.com Western Union, Cash, Bank Wire, etc.\r\n- coincafe.com Recommended for fast, simple service.\r\n- coinbase.com Western Union, Bank of America, Cash by FedEx, Moneygram, Money Order. In NYC: Bitcoin ATM, in person.\r\n- localBitcoins.com Service allows you to search for people in your community willing to sell Bitcoins to you directly.\r\n- cex.io Buy Bitcoins with VISA/MASTERCARD or wire transfer.\r\n- btcdirect.eu The best for Europe.\r\n- bitquick.co Buy Bitcoins instantly for cash.\r\n- howtobuyBitcoins.info An international directory of Bitcoin exchanges.\r\n- cashintocoins.com Bitcoin for cash.\r\n- coinjar.com CoinJar allows direct Bitcoin purchases on their site.\r\n- anxpro.com\r\n- bittylicious.com\r\n3. Get bitcoin wallet for payment (bitcoin address valid for 12 hours, if 12 hours passed please get the new wallet)\r\n4. Send 50 BTC to the bitcoin address\r\n[REDACTED WALLET] (must be sent in 1 transaction!)\r\nPlease note that we require 3 Bitcoin transaction confirmations.\r\n- To view the current status of your transaction please follow the link: hxxps://blockchain.info/address/[REDACTED WALLET]\r\n- Once the transaction passed 3 confirmations please refresh the page and you will be granted to download the decryption s\r\n- If something goes wrong please contact us via email: [REDACTED EMAIL]\r\n- We can decrypt 2-3 non-important light-weight files before you pay, send'em to email: [REDACTED EMAIL]\r\n4. Please be advised that the ransom amount may be raised after 48 hours since your first visit if no payment received. In\r\nYour company is secure enough, but we may tell you what is wrong after payment being processed. Good Luck!\r\nSource: https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/"
	],
	"report_names": [
		"bit-paymer-ransomware-hits-scottish-hospitals"
	],
	"threat_actors": [],
	"ts_created_at": 1775439132,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6153384fd1e693d2bda8b190866325c14e6437e4.pdf",
		"text": "https://archive.orkl.eu/6153384fd1e693d2bda8b190866325c14e6437e4.txt",
		"img": "https://archive.orkl.eu/6153384fd1e693d2bda8b190866325c14e6437e4.jpg"
	}
}