BitPyLock Ransomware Now Threatens to Publish Stolen Data (Jan 21, 2020)
A new ransomware called “BitPyLock” has been discovered by researchers from the MalwareHunterTeam. Once executed, BitPyLock attempts to terminate any processes whose names contain strings associated with security software, and closes any open files belonging to databases, user backups, virtual machines, and web server daemons so that those files are no longer locked and can be encrypted for ransom. BitPyLock targets 346 file extensions for encryption. The ransomware also creates a ransom note called “HELP_TO_DECRYT_YOUR_FILES.html” that explains how end users can send the bitcoin ransom to the specified bitcoin address.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, together with a business continuity policy. In the unfortunate case that no usable backup is available, check for a publicly available decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.