LTS Secure Warning: Guidelines to remove BitPaymer Ransomware

BitPaymer Ransomware was first detected in July 2017 and is also known as FriedEx. This crypto-virus uses RC4 and 1024-bit RSA encryption algorithm and .locked file extension to make the data unusable. In 2018, the new versions emerged with some new features. Like targeting high profile victims and corporation through remote desktop protocol (RDP) brute force attack.

BitPaymer is a Ransomware-type cyber threat that is designed to encrypt files on the affected computers or networks, and demand to pay the ransom in exchange for the release of the file. The BitPaymer virus has been created by the same group of hackers who are responsible for Dridex banking Trojan.

Technical Details

When BitPaymer is executed, registry entries and several files are dropped into the computer. This ensures that the virus regularly loads on Windows boot up. Next, the virus will modify files on the computer like documents, images, video, and audio. Associated programs may not execute either run the file, and errors will appear on the screen if executed. It is apparent that money is the root of the existence of BitPaymer. As long as authors keep on receiving payment from thousands of victims, this activity will never stop.

BitPaymer has a unique feature and creates a unique ransom note for each encrypted file. The name of the ransom note consists of the original filename and .readme_txt extension.


BitPaymer uses a unique hiding mechanism that exploits alternate data streams (ADS), a feature of an NTFS file system that allows it to hide itself from plain sight.

Earlier versions of BitPaymer hid their own files by adding themselves to blank files as an ADS. The latest version copies a clean Windows system executable to application data folder and then adds a copy of itself as an ADS stream to that copy of the clean executable file. This can evade security tools that are not able to look into ADS.

The Ransomware also tries to delete backup files like other Ransomware.

Recommended Actions

If you are one of those unfortunate victims whose computers were compromised by this virus, you must remove BitPaymer as soon as you can. We suggest going the easy way and running a system scan using anti-malware software. If you do not have it yet, firstly reboot your PC into Safe Mode with Networking. You can find comprehensive instructions on how to do it below.

Do not try to perform a manual BitPaymer removal. It can only be completed by experienced IT professionals that have experience in dealing with malware like Ransomware. Attempts to uninstall Ransomware can result in failure and cause you many problems.


Best way to remove BitPaymer Ransomware from your system and recover your locked files, click on link Guideline to remove BitPaymer Ransomware.

LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013

Leave us a messages Leave us a messages

← Prev Step

Thanks for contacting us. We'll get back to you as soon as we can.

Please provide a valid name, email, and question.

Powered by LivelyChat
Powered by LivelyChat Delete History