Victims of the BTCWare ransomware now have a way to decrypt their files for free using the decryption tool developed by Avast.
Avast Develops BTCWare Decrypter
BTCWare is a ransomware strain that first appeared in March 2017, Avast researchers say. Since then, they have observed five variants, which can be distinguished by the extension appended to encrypted files. As for encryption, the ransomware is known to use two different algorithms, RC4 and AES-192.
The ransomware demands approximately 0.5 BTC in ransom for the decryption of files which have the .btcware, .cryptobyte, .cryptowin, .theva and .onyon extensions appended to them. It’s very important for ransomware victims to understand that paying the ransom is never a good idea as it only fuels cybercrime and enables future ransomware campaigns. Luckily, this time Avast researchers were able to come up with a decryption tool to help BTCWare victims get their files back without spending any money.
As already mentioned, the ransomware was detected infecting computers a few months ago. Since then, five variants of it have been spotted. The variants can be distinguished based on the extension appended to the encrypted files:
– foobar.docx.[sql772@aol.com].theva
– foobar.docx.[no.xop@protonmail.ch].cryptobyte
– foobar.bmp.[no.btc@protonmail.ch].cryptowin
– foobar.bmp.[no.btcw@protonmail.ch].btcware
– foobar.docx.onyon
The ransomware has used the FileName.Extension.[Email].Ext2 naming scheme since it was first detected. However, a new variant unearthed recently, dubbed Onyonware, does not include a contact email address in the file name.
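During incident response it is useful to be able to tell from file names alone which BTCWare variant hit a machine and which contact address the operators used, because that decides which decrypter release applies. The following is an added example, not code from the article or from Avast's tool: it parses the FileName.Extension.[Email].Ext2 scheme described above, treats the bracketed address as optional so the Onyon variant is also recognised, and summarises a list of paths by variant. The extension list comes from the article; the sample file names at the bottom are constructed.

```python
import re

# Variant-specific extensions named in the article.
KNOWN_VARIANT_EXTS = ("theva", "cryptobyte", "cryptowin", "btcware", "onyon")

# FileName.Extension.[Email].Ext2 scheme.  The bracketed contact address is
# optional so that the Onyon variant (no email in the name) also matches.
BTCWARE_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.\[(?P<email>[^\]]+)\])?"
    r"\.(?P<ext2>" + "|".join(KNOWN_VARIANT_EXTS) + r")$",
    re.IGNORECASE,
)


def parse_btcware_name(path):
    """Describe the BTCWare variant encoded in a file name, or None if the
    name does not follow the ransomware's scheme."""
    # Work on the base name only; accept both / and \ separators.
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = BTCWARE_NAME_RE.match(base)
    if not m:
        return None
    email = m.group("email")
    return {
        "original": m.group("original"),   # name the file had before encryption
        "email": email,                     # operator contact address, if present
        "variant": m.group("ext2").lower(),
        # Onyon is the variant that drops the contact address from the name.
        "uses_email_scheme": email is not None,
    }


def triage(paths):
    """Count encrypted files per variant and collect the contact addresses seen."""
    summary = {"variants": {}, "emails": set(), "unrecognised": []}
    for p in paths:
        info = parse_btcware_name(p)
        if info is None:
            summary["unrecognised"].append(p)
            continue
        summary["variants"][info["variant"]] = summary["variants"].get(info["variant"], 0) + 1
        if info["email"]:
            summary["emails"].add(info["email"])
    return summary


# Constructed sample listing, mimicking names from two variants plus a clean file.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/foobar.docx.[sql772@aol.com].theva",
    "C:/Users/alice/Pictures/foobar.bmp.[no.btc@protonmail.ch].cryptowin",
    "C:/Users/alice/Pictures/holiday.jpg.[no.btc@protonmail.ch].cryptowin",
    "C:/Users/alice/Desktop/foobar.docx.onyon",
    "C:/Users/alice/Desktop/clean.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for variant, count in sorted(result["variants"].items()):
        print(f"{variant}: {count} file(s)")
    print("contact addresses:", ", ".join(sorted(result["emails"])))
    print("unrecognised:", result["unrecognised"])
```

Running the block over the constructed listing reports one .theva file, two .cryptowin files and one .onyon file, the two contact addresses, and flags clean.txt as unrecognised; pointing `triage` at a real directory walk gives the same per-variant breakdown for an affected host.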
BTCWare Ransomware Short Description
Once the infection starts, the ransomware generates a random password from which the encryption key is derived. This password is encrypted with a public key and is displayed as the User ID in the ransom files, researchers explain.
Once the victim’s files are all encrypted, the ransomware changes the desktop wallpaper to the ransom note and also drops a note in each folder on the machine. The note explains how the victims can supposedly get their files back and threatens that the decryption key will be deleted in three days, making the files impossible to decrypt.
As for the decrypter developed by Avast, it does not rely on the master private key that was made public several weeks ago. Instead, the security company built its tool to brute-force the password. You can check out Avast’s decrypter here.