Lanarkshire NHS infection named as Bitpaymer variant

The ransomware that infected computers at the UK National Health Service's Lanarkshire outpost, causing an outage that lasted most of last weekend, has been tagged as a ransomware that demanded 53 Bitcoin for files to be decrypted.

There's no evidence that the NHS district paid up, which isn't surprising because at current Bitcoin rates, that demand equated to nearly £190,000.

As we reported on Monday, the infection's biggest impact was to take down a phone system and a staff rostering system. Hospitals hit by the ransomware had to cancel some surgical procedures and their emergency departments operated at reduced capacity.

Bitpaymer non-decryptable status* can't be cracked without the attacker's key, as was discovered back in July, when organisations like VirusTotal first started capturing and analysing samples.

Confirmed Bitpaymer #ransomware is not decryptable. 😞 CryptGenRandom RC4 per file + RSA-1024. Thanks for analysis @FraMauronz https://t.co/TUpzYUDbhT

— Michael Gillespie (@demonslay335) July 14, 2017

There's also a detailed presentation of the ransomware in this Russian-language blog. That post says infection takes place after brute-forcing Microsoft's Remote Desktop Protocol on Internet-exposed endpoints.

Files encrypted by Bitpaymer have .locked appended to their filenames, and “Read Me” files containing the ransom note and payment instructions are dropped all over the filesystem. ®

Bootnote: Thanks to @MalwareHunterTeam and @FraMauronz for correcting the author about decrypting the malware: their intention in July was to say there isn't a way to unlock files without the attacker's key.