
S0570: BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[1]

Domain: Enterprise | ID: S0570 | Type: Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

BitPaymer is a Windows ransomware variant associated in ATT&CK with targeted operations where each operation used unique encryption keys, ransom notes, and contact information. For leaders, the practical issue is not only file encryption: the related ATT&CK behaviors show discovery, privilege escalation, persistence, registry and service changes, recovery inhibition, and stealth techniques that can precede or support a disruptive ransomware event.

Executive priority

Treat BitPaymer as a ransomware-readiness test case for Windows environments. Priority questions include: can the organization detect discovery and privilege escalation before encryption, can incident response preserve evidence when ransomware uses unique per-operation artifacts, and can recovery proceed if local recovery mechanisms are inhibited. The Dridex delivery/overlap noted by ATT&CK also makes malware-to-ransomware escalation a relevant threat intelligence and response-planning scenario, without assuming current exposure.

Technical view

ATT&CK lists BitPaymer on Windows and relates it to techniques including System Service Discovery, Query/Modify Registry, Remote System Discovery, Local Account Discovery, Network Share Discovery, Native API use, Token Impersonation/Theft, Windows permissions changes, execution guardrails, timestomping, NTFS file attributes, Windows service and Run Key persistence, UAC bypass, Data Encrypted for Impact, and Inhibit System Recovery. SOC and IR teams should validate visibility across Windows endpoint process activity, service and registry changes, account/token-related privilege events, share and remote-system enumeration, file timestamp/attribute anomalies, recovery-control tampering, and mass file modification/encryption behavior.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows Registry query and modification events
  • Windows service creation or modification records
  • Startup folder and Registry Run Key monitoring
  • Local account and group enumeration evidence

Detection direction

  • Correlate discovery activity with later persistence, privilege escalation, recovery inhibition, and encryption indicators rather than relying on a single ransomware signature.
  • Tune Windows registry and service monitoring for unusual creation or modification paths, while accounting for legitimate administrative and software deployment activity.
  • Validate coverage for network share discovery and remote system enumeration, because ransomware impact often depends on locating reachable systems and shared data.
  • Review file integrity and EDR logic for timestomping, NTFS attribute use, ACL changes, and high-volume file rewrites; these signals can be noisy unless tied to process lineage and user context.
  • Because ATT&CK provides no official detection text for BitPaymer, local baselining and incident-derived indicators are necessary to convert the technique relationships into reliable detections.
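The correlation described in the "Technical view" and "Detection direction" sections, written out as a runnable example. This is added code for this page, not Glexia's or MITRE's; the event schema (ts, host, type, user, image, cmdline/key), the 30-minute window, the three-stage threshold and all sample events are constructed assumptions that would be mapped to real EDR or Sysmon fields (process creation, registry value set) and baselined locally. The command lines and registry keys matched are the ones the ATT&CK relationship table on this page attributes to BitPaymer.

```python
"""Multi-stage correlation of BitPaymer-style behaviours in Windows endpoint telemetry.

Added example for this page; not Glexia's or MITRE's code. The event schema and
every sample event below are constructed for illustration. Map the fields to
your EDR or Sysmon (process creation, registry value set) before use, and
baseline the window and stage threshold in your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _cmd(pattern):
    """Predicate over process-creation events: command line matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e["type"] == "process" and bool(rx.search(e["cmdline"]))


def _reg(pattern):
    """Predicate over registry-set events: target key matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e["type"] == "registry" and bool(rx.search(e["key"]))


# (ATT&CK ID, stage label used for correlation, predicate). Commands and keys
# are taken from the procedures listed in this page's relationship table.
RULES = [
    ("T1018/T1135", "discovery", _cmd(r"\bnet1?(?:\.exe)?\s+view\b")),
    ("T1222.001", "permission_change",
     _cmd(r"\bicacls(?:\.exe)?\s.*/reset|\btakeown(?:\.exe)?\s.*/f\b")),
    ("T1490", "recovery_inhibition", _cmd(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("T1548.002", "privilege_escalation",
     _reg(r"\\Classes\\(?:ms-settings|mscfile)\\shell\\open\\command$")),
    ("T1547.001", "persistence",
     _reg(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:\\|$)")),
]


def classify(event):
    """Return every (technique, stage) pair a single event matches."""
    return [(tid, stage) for tid, stage, pred in RULES if pred(event)]


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Alert per host when at least `min_stages` distinct stages occur inside
    `window`: discovery is tied to later persistence, privilege escalation or
    recovery inhibition instead of alerting on a single command."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for tid, stage in classify(e):
            hits[e["host"]].append((e["ts"], tid, stage, e["user"], e["image"]))
    alerts = []
    for host, rows in hits.items():
        for i, (t0, _, _, _, _) in enumerate(rows):
            inwin = [r for r in rows[i:] if r[0] - t0 <= window]
            stages = {r[2] for r in inwin}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host, "start": t0, "end": inwin[-1][0],
                    "stages": sorted(stages),
                    "techniques": sorted({r[1] for r in inwin}),
                    "users": sorted({r[3] for r in inwin}),
                    "images": sorted({r[4] for r in inwin}),
                })
                break  # one alert per host; further hits are context, not new alerts
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real logs): one host shows a four-stage
# chain; a second host shows an isolated discovery command that should not alert.
SAMPLE_EVENTS = [
    {"ts": _ts("2024-03-01T02:10:00"), "host": "WS01", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net view /domain"},
    {"ts": _ts("2024-03-01T02:11:30"), "host": "WS01", "type": "registry", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"ts": _ts("2024-03-01T02:12:05"), "host": "WS01", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": _ts("2024-03-01T02:12:40"), "host": "WS01", "type": "registry", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"ts": _ts("2024-03-01T09:00:00"), "host": "ADMIN02", "type": "process", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net view \\fileserver"},
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["stages"], a["techniques"], a["images"])
```

On the sample data only WS01 alerts, with all four stages inside the window; ADMIN02's lone net view matches a rule but never reaches the stage threshold, which is the point of correlating rather than signaturing. The `users` and `images` fields carry the process lineage and user context the page says these signals need to be useful.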

Mitigation priorities

  • Prioritize resilient, tested backups and recovery procedures, including scenarios where local recovery features are disabled or removed.
  • Harden Windows administrative paths: restrict local administrator rights, monitor privilege elevation, and reduce opportunities for token impersonation and UAC bypass.
  • Limit ransomware blast radius by controlling access to network shares, reviewing permissions, and segmenting critical systems where feasible.
  • Protect and monitor persistence locations such as Windows services, Registry Run Keys, and startup folders.
  • Ensure malware response playbooks account for possible Dridex-to-ransomware progression noted by ATT&CK, including rapid containment, credential review, and preservation of endpoint evidence.

Analyst notes and limits

ATT&CK identifies BitPaymer as first observed in August 2017 targeting hospitals in the U.K., with overlap with Dridex and frequent delivery via Dridex, citing CrowdStrike reporting. ATT&CK also relates the malware to Indrik Spider use and multiple Windows-relevant techniques. Use these relationships to guide defensive validation, not as proof of activity in any specific environment.

The supplied ATT&CK object has no official detection guidance, no explicit tactics on the malware object itself, and limited external reference detail beyond the CrowdStrike source. Several related techniques are broad ATT&CK behaviors, so environment-specific telemetry, baselines, and incident evidence are required before making coverage or exposure claims.

Official MITRE ATT&CK definition

BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1018 | Remote System Discovery

BitPaymer can use net view to discover remote systems. [1]

Enterprise | T1480 | Execution Guardrails

BitPaymer compares file names and paths to a list of excluded names and directory names during encryption. [1]

Enterprise | T1222.001 | Windows Permissions (sub-technique)

BitPaymer can use icacls /reset and takeown /F to reset a targeted executable's permissions and then take ownership. [1]

Enterprise | T1486 | Data Encrypted for Impact

BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending .locked to the filename. [1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)

BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary. [1]

Enterprise | T1070.006 | Timestomp (sub-technique)

BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool. [1]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)

BitPaymer has set the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [1]

Enterprise | T1135 | Network Share Discovery

BitPaymer can search for network shares on the domain or workgroup using net view. [1]

Enterprise | T1134.001 | Token Impersonation/Theft (sub-technique)

BitPaymer can use the tokens of users to create processes on infected systems. [1]

Enterprise | T1012 | Query Registry

BitPaymer can use RegEnumKeyW to iterate through Registry keys. [1]

Enterprise | T1490 | Inhibit System Recovery

BitPaymer attempts to remove the backup shadow files from the host using vssadmin.exe Delete Shadows /All /Quiet. [1]

Enterprise | T1543.003 | Windows Service (sub-technique)

BitPaymer has attempted to install itself as a service to maintain persistence. [1]

Enterprise | T1548.002 | Bypass User Account Control (sub-technique)

BitPaymer can suppress UAC prompts by setting the HKCU\Software\Classes\ms-settings\shell\open\command registry key on Windows 10 or HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 and launching the eventvwr.msc process, which launches BitPaymer with elevated privileges. [1]

Enterprise | T1564.004 | NTFS File Attributes (sub-technique)

BitPaymer has copied itself to the :bin alternate data stream of a newly created file. [1]

Enterprise | T1007 | System Service Discovery

BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem. [1]

Enterprise | T1087.001 | Local Account (sub-technique)

BitPaymer can enumerate the sessions for each user logged onto the infected host. [1]

Enterprise | T1112 | Modify Registry

BitPaymer can set values in the Registry to help in execution. [1]

Enterprise | T1106 | Native API

BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW. [1]
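Two of the file-system procedures in the table above, T1486 (files rewritten in place with a .locked suffix) and T1564.004 (a copy dropped into a :bin alternate data stream), lend themselves to file-telemetry detections that complement the process-level correlation recommended in "Detection direction". The following is an added example, not code from Glexia or MITRE: the file-event schema (ts, host, pid, image, op, path), the burst threshold and window, and all sample events are constructed assumptions to be mapped onto Sysmon or EDR file-create/rename telemetry and baselined locally.

```python
"""Flag mass .locked rewrites and :bin alternate-data-stream writes per process.

Added example for this page; not Glexia's or MITRE's code. The event fields,
threshold, window and sample events are constructed. The .locked suffix and the
:bin stream name are the ones this page's ATT&CK relationship table reports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKED_SUFFIX = ".locked"   # extension appended to encrypted files (T1486)
ADS_NAME = ":bin"           # alternate data stream used for the dropped copy (T1564.004)


def detect_locked_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """One finding per (host, pid, image) that creates or renames at least
    `threshold` files carrying the .locked suffix inside a sliding `window`.
    Keying on the process keeps the noisy raw signal tied to process lineage."""
    per_proc = defaultdict(list)
    for e in events:
        if e["op"] in ("create", "rename") and e["path"].lower().endswith(LOCKED_SUFFIX):
            per_proc[(e["host"], e["pid"], e["image"])].append(e["ts"])
    findings = []
    for (host, pid, image), stamps in per_proc.items():
        stamps.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(stamps):
            while stamps[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                findings.append({"host": host, "pid": pid, "image": image,
                                 "technique": "T1486", "count": i - j + 1,
                                 "first": stamps[j], "last": t})
                break  # report the first time the threshold is crossed
    return findings


def detect_ads_drop(events):
    """Flag any create/write to a file path whose stream name is :bin."""
    return [{"host": e["host"], "pid": e["pid"], "image": e["image"],
             "technique": "T1564.004", "path": e["path"], "ts": e["ts"]}
            for e in events
            if e["op"] in ("create", "write") and e["path"].lower().endswith(ADS_NAME)]


# Constructed sample telemetry (not real logs): one process rewrites 25 files
# on a share in 25 seconds, a backup tool touches three .locked files slowly,
# and the suspicious process earlier wrote a :bin stream.
_T0 = datetime(2024, 3, 1, 2, 13, 0)
_SUSPECT = r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"
SAMPLE_FILE_EVENTS = (
    [{"ts": _T0 + timedelta(seconds=i), "host": "WS01", "pid": 4212, "image": _SUSPECT,
      "op": "rename", "path": rf"\\fileserver\finance\report{i:03d}.xlsx.locked"}
     for i in range(25)]
    + [{"ts": _T0 + timedelta(seconds=10 * i), "host": "WS01", "pid": 900,
        "image": r"C:\Program Files\Backup\backup.exe", "op": "create",
        "path": rf"C:\Backups\job{i}.locked"} for i in range(3)]
    + [{"ts": _T0 - timedelta(minutes=1), "host": "WS01", "pid": 4212, "image": _SUSPECT,
        "op": "create", "path": r"C:\ProgramData\cache.dat:bin"}]
)


if __name__ == "__main__":
    for f in detect_locked_bursts(SAMPLE_FILE_EVENTS) + detect_ads_drop(SAMPLE_FILE_EVENTS):
        print(f["technique"], f["host"], f["pid"], f["image"])
```

On the sample data the burst detector fires once, for pid 4212 at the twentieth .locked rename, and ignores the backup tool's three slow writes; the ADS detector returns the single :bin write by the same process, so both findings share a process key and can be joined with the process-level alert from the earlier correlation.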

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 83fff0315921ccda...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 83fff0315921…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Crowdstrike Indrik November 2018
     Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  2. [2] BitPaymer (Citation: Crowdstrike Indrik November 2018)
  3. [3] FriedEx (Citation: Crowdstrike Indrik November 2018)
  4. [4] mitre-attack S0570
  5. [5] wp_encrypt (Citation: Crowdstrike Indrik November 2018)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.