
Avast Develops BTCWare Ransomware Decrypter

Victims of the BTCWare ransomware now have a way to decrypt their files for free using the decryption tool developed by Avast.

Avast Develops BTCWare Decrypter

BTCWare is a ransomware strain that first appeared in March 2017, Avast researchers say. Since then, they have observed five variants, which can be distinguished by the extension appended to encrypted files. As for the encryption algorithms, the ransomware is known to use two different methods, RC4 and AES-192.

The ransomware demands approximately 0.5 BTC in ransom for the decryption of files which have the .btcware, .cryptobyte, .cryptowin, .theva and .onyon extensions appended to them. It is very important for ransomware victims to understand that paying the ransom is never a good idea, as it only fuels cybercrime and enables future ransomware campaigns. Luckily, this time Avast researchers were able to come up with a decryption tool that helps BTCWare victims get their files back without spending any money.

As already mentioned, the ransomware was detected infecting computers a few months ago. Since then, five variants of it have been spotted. The variants can be distinguished based on the extension appended to the encrypted files:

– foobar.docx.[sql772@aol.com].heva
– foobar.docx.[no.xop@protonmail.ch].cryptobyte
– foobar.bmp.[no.btc@protonmail.ch].cryptowin
– foobar.bmp.[no.btcw@protonmail.ch].btcware
– foobar.docx.onyon

The ransomware has used the FileName.Extension.[Email].Ext2 naming scheme since it was first detected. However, a recently unearthed variant, dubbed Onyonware, does not include a contact email address in the file name.
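As an added example (not code from the article or from Avast), the following Python helper applies the FileName.Extension.[Email].Ext2 scheme and the email-less Onyonware scheme to a file listing, so a responder can tell which variant hit a machine and count the affected files. The sample file names are constructed from the patterns listed above; the accepted extensions come from the article, which spells one of them both `.theva` and `.heva`, so both are accepted.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Variant extensions named in the article (.theva/.heva appear both ways there).
BTCWARE_EXTENSIONS = {"btcware", "cryptobyte", "cryptowin", "theva", "heva", "onyon"}

# Older scheme: FileName.Extension.[Email].Ext2 (contact address embedded in the name).
_WITH_EMAIL = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z]+)$"
)
# Onyonware scheme: FileName.Extension.Ext2, no email in the name.
_NO_EMAIL = re.compile(r"^(?P<original>.+)\.(?P<ext>[A-Za-z]+)$")


class Match(NamedTuple):
    original_name: str       # name the file had before encryption
    variant: str             # appended BTCWare extension, lower-cased
    contact_email: Optional[str]  # None for the Onyonware scheme


def classify(filename: str) -> Optional[Match]:
    """Return the BTCWare variant a file name indicates, or None if it fits no known scheme."""
    m = _WITH_EMAIL.match(filename)          # try the email-bearing scheme first
    if m and m.group("ext").lower() in BTCWARE_EXTENSIONS:
        return Match(m.group("original"), m.group("ext").lower(), m.group("email"))
    m = _NO_EMAIL.match(filename)            # then the email-less Onyonware scheme
    if m and m.group("ext").lower() in BTCWARE_EXTENSIONS:
        return Match(m.group("original"), m.group("ext").lower(), None)
    return None                              # ordinary file, e.g. "report.docx"


def triage(filenames: Iterable[str]) -> Dict[str, int]:
    """Count affected files per variant, e.g. over a directory listing of a hit machine."""
    counts: Dict[str, int] = {}
    for name in filenames:
        hit = classify(name)
        if hit is not None:
            counts[hit.variant] = counts.get(hit.variant, 0) + 1
    return counts


# Constructed sample listing (hypothetical, built from the article's patterns).
SAMPLE_LISTING = [
    "foobar.docx.[sql772@aol.com].heva",
    "foobar.bmp.[no.btc@protonmail.ch].cryptowin",
    "foobar.docx.onyon",
    "notes.txt.onyon",
    "report.docx",          # untouched file, must not be counted
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```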

BTCWare Ransomware Short Description

Once the infection starts, the ransomware generates a random password from which the encryption key is derived. This password is encrypted with a public key and shown as a User ID in the ransom files, the researchers explain.

Once the victim’s files are all encrypted, the ransomware replaces the desktop wallpaper with the ransom note and also drops a note in each folder on the machine. The note tells victims how they can get their files back and threatens that the decryption key will be deleted in three days, making it impossible to decrypt the files.

As for the decrypter developed by Avast, it does not rely on the master private key that was made public several weeks ago. Instead, the security company built its tool around brute-forcing the password. You can check out Avast’s decrypter here.

Check Out SensorsTechForum’s Decryption Instructions for BTCWare:
Decrypt Files Encrypted by BTCWare Ransomware
Decrypt .cryptowin Files Encrypted by BTCWare Ransomware
Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
