BTCamant Ransomware – Remove and Restore .BTC Files

BTCamant Ransomware – Remove and Restore .BTC Files

This article will help you remove BTCamant ransomware in full. Follow the ransomware removal instructions provided at the end of the article.

BTCamant ransomware is a cryptovirus which is a variant of Radamant, according to researchers. All of your files will become encrypted and get the extension .BTC appended to them after the encryption process is finished. Next, the BTCamant ransomware will display a ransom note in a directory with encrypted files. Read on to see how you could try to restore some of your files.

Threat Summary

NameBTCamant
TypeRansomware
Short DescriptionThe ransomware encrypts files on your computer and puts a ransom note afterward in a directory with encrypted files.
SymptomsThe ransomware will encrypt your files and append the .BTC extension on each one of those files when the encryption is set and done.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by BTCamant

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss BTCamant.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BTCamant Ransomware – Distribution

BTCamant ransomware might be distributed by using various methods. The payload file which executes the malicious script for the ransomware that ends up infecting your computer machine has been seen in the wild. You could preview how many detections it has from the screenshot down here, taken from the VirusTotal service:

The BTCamant ransomware can also be using social media sites and file-share networks for further distributing that payload file. Programs which are freeware could be advertised on the Internet as useful, but also might hide the malicious script of this cryptovirus. Refrain from immediately opening files when you have downloaded them. Even more so, if they are from suspicious links, emails and other sources. Instead, you should commence a scan of the files. Run some security application and scan them, while also checking for anything unusual about their size or signatures. You might want to give a read to the ransomware prevention tips topic that is in the designated forum section.

BTCamant Ransomware – Description

The BTCamant ransomware is a cryptovirus. A recent sample of the ransomware was discovered by the malware researcher Karsten Hahn. He and more researchers state that the virus is a variant of the Radamant ransomware.

BTCamant ransomware can make Windows Registry entry for achieving a higher level of persistence. Those registry entries are designed in such a way to launch the cryptovirus automatically with every single start of the Windows operating system.

The ransom note will be put inside a directory with encrypted files once that encryption process is complete. The note with the demands of the cybercriminals, such as the ransom price, and other instructions or demands for decrypting your files is located in these files:

  • BTC_DECRYPT_FILES.html
  • BTC_DECRYPT_FILES.txt

That ransom note’s message might have variations of the message, but the newer one states the following:

Hello!
For getting back Your PC data You need to contact with us through email as soon as possible: [email protected] , [email protected]

That note may differ with other samples of the ransomware. For example, here is another one, which is older:

All your files on hard drives, removable media and network shares have been cryptographically encrypted.
Expansion of encrypted files: .BTC [other extensions might be provided]

To date, the encryption algorithm is not possible to decrypt.
Learn more about the algorithm can be here: Wikipedia

The crooks who spread the BTCamant ransomware should NOT in any circumstance be contacted or paid. By paying, you do not guarantee the recovery of your files, and also, nothing else can give you that guarantee. Your files may not get restored to their previous state. Moreover, funding the criminal activity of those cybercriminals will be like supporting them and encouraging them to do similar evil deeds.

Down here you can see a list of extensions which the Radamant virus searched to encrypt and is believed that the same list is also used by the BTCamant ransomware.

→.1cd, .dbf, .dt, .cf, .cfu, .mxl, .epf, .kdbx, .erf, .vrp, .grs, .geo, .st, .pff, .mft, .efd, .3dm, .3ds, .rib, .ma, .sldasm, .sldprt, .max, .blend, .lwo, .lws, .m3d, .mb, .obj, .x, .x3d, .movie.byu, .c4d, .fbx, .dgn, .dwg, .4db, .4dl, .4mp, .abs, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adn, .a3d, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .bak, .backup, .cdb, .ckp, .clkw, .cma, .crd, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, .db-wal, .db2, .db3, .dbc, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .df1, .dmo, .dnc, .dp1, .dqy, .dsk, .dsn, .dta, .dtsx, .dxl, .eco, .ecx, .edb, .emd, .eql, .fcd, .fdb, .fic, .fid, .fil, .fm5, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, .jtx, .kdb, .lgc, .maq, .mdb, .mdbhtml, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .s3m, .myd, .ndf, .ns2, .ns3, .ns4, .nsf, .nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdb, .pdb, .pdm, .phm, .pnz, .pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, .sdb, .sdb, .sdf, .spq, .sqb, .stp, .sql, .sqlite, .sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, .xdb, .xld, .xlgc, .zdb, .zdc, .cdr, .cdr3, .ppt, .pptx, .1st, .abw, .act, .aim, .ans, .apt, .asc, .ascii, .ase, .aty, .awp, .awt, .aww, .bad, .bbs, .bdp, .bdr, .bean, .bib, .bna, .boc, .btd, .bzabw, .chart, .chord, .cnm, .crd, .crwl, .cyi, .dca, .dgs, .diz, .dne, .doc, .doc, .docm, .docx, .docxml, .docz, .dot, .dotm, .dotx, .dsv, .dvi, .dx, .eio, .eit, .email, .emlx, .epp, .err, .err, .etf, .etx, .euc, .fadein, .faq, .fb2, .fbl, .fcf, .fdf, .fdr, .fds, .fdt, .fdx, .fdxt, .fes, .fft, .flr, .fodt, .fountain, .gtp, .frt, .fwdn, .fxc, .gdoc, .gio, .gio, .gpn, .gsd, .gthr, .gv, .hbk, .hht, .hs, .htc, .hwp, .hz, .idx, .iil, .ipf, .jarvis, .jis, .joe, .jp1, .jrtf, .kes, .klg, .klg, .knt, .kon, .kwd, .latex, .lbt, .lis, .lit, .lnt, .lp2, .lrc, .lst, .lst, .ltr, .ltx, .lue, .luf, .lwp, .lxfml, .lyt, .lyx, .man, .map, .mbox, .md5txt, .me, .mell, .min, .mnt, .msg, .mwp, .nfo, .njx, .notes, .now, .nwctxt, .nzb, .ocr, .odm, .odo, .odt, .ofl, .oft, .openbsd, .ort, .ott, .p7s, .pages, .pfs, .pfx, .pjt, .plantuml, .prt, .psw, .pu, .pvj, .pvm, .pwi, .pwr, .qdl, .rad, .readme, .rft, .ris, .rng, .rpt, .rst, .rt, .rtd, .rtf, .rtx, .run, .rzk, .rzn, .saf, .safetext, .sam, .scc, .scm, .scriv, .scrivx, .sct, .scw, .sdm, .sdoc, .sdw, .sgm, .sig, .skcard, .sla, .slagz, .sls, .smf, .sms, .ssa, .strings, .stw, .sty, .sub, .sxg, .sxw, .tab, .tdf, .tdf, .tex, .text, .thp, .tlb, .tm, .tmd, .tmv, .tmx, .tpc, .trelby, .tvj, .txt, .u3d, .u3i, .unauth, .unx, .uof, .uot, .upd, .utf8, .unity, .utxt, .vct, .vnt, .vw, .wbk, .wbk, .wcf, .webdoc, .wgz, .wn, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpd, .wpd, .wpl, .wps, .wps, .wpt, .wpw, .wri, .wsc, .wsd, .wsh, .wtx, .xbdoc, .xbplate, .xdl, .xdl, .xlf, .xps, .xwp, .xwp, .xwp, .xy3, .xyp, .xyw, .ybk, .yml, .zabw, .zw, .2bp, .0,36, .3fr, .0,411, .73i, .8xi, .9png, .abm, .afx, .agif, .agp, .aic, .albm, .apd, .apm, .apng, .aps, .apx, .art, .artwork, .arw, .arw, .asw, .avatar, .bay, .blkrt, .bm2, .bmp, .bmx, .bmz, .brk, .brn, .brt, .bss, .bti, .c4, .cal, .cals, .can, .cd5, .cdc, .cdg, .cimg, .cin, .cit, .colz, .cpc, .cpd, .cpg, .cps, .cpx, .cr2, .ct, .dc2, .dcr, .dds, .dgt, .dib, .dicom, .djv, .djvu, .dm3, .dmi, .vue, .dpx, .wire, .drz, .dt2, .dtw, .dvl, .ecw, .eip, .erf, .exr, .fal, .fax, .fil, .fpos, .fpx, .g3, .gcdp, .gfb, .gfie, .ggr, .gif, .gih, .gim, .gmbck, .gmspr, .spr, .scad, .gpd, .gro, .grob, .hdp, .hdr, .hpi, .i3d, .icn, .icon, .icpr, .iiq, .info, .int, .ipx, .itc2, .iwi, .j, .j2c, .j2k, .jas, .jb2, .jbig, .jbig2, .jbmp, .jbr, .jfif, .jia, .jng, .jp2, .jpe, .jpeg, .jpg, .jpg2, .jps, .jpx, .jtf, .jwl, .jxr, .kdc, .kdi, .kdk, .kic, .kpg, .lbm, .ljp, .mac, .mbm, .mef, .mnr, .mos, .mpf, .mpo, .mrxs, .myl, .ncr, .nct, .nlm, .nrw, .oc3, .oc4, .oc5, .oci, .omf, .oplc, .af2, .af3, .ai, .art, .asy, .cdmm, .cdmt, .cdmtz, .cdmz, .cdt, .cgm, .cmx, .cnv, .csy, .cv5, .cvg, .cvi, .cvs, .cvx, .cwt, .cxf, .dcs, .ded, .design, .dhs, .dpp, .drw, .drw, .dxb, .dxf, .egc, .emf, .ep, .eps, .epsf, .fh10, .fh11, .fh3, .fh4, .fh5, .fh6, .fh7, .fh8, .fif, .fig, .fmv, .ft10, .ft11, .ft7, .ft8, .ft9, .ftn, .fxg, .gdraw, .gem, .glox, .gsd, .hpg, .hpgl, .hpl, .idea, .igt, .igx, .imd, .ink, .lmk, .mgcb, .mgmf, .mgmt, .mt9, .mgmx, .mgtx, .mmat, .mat, .otg, .ovp, .ovr, .pcs, .pfd, .pfv, .pl, .plt, .pm, .vrml, .pmg, .pobj, .ps, .psid, .rdl, .scv, .sk1, .sk2, .slddrt, .snagitstamps, .snagstyles, .ssk, .stn, .svf, .svg, .svgz, .sxd, .tlc, .tne, .ufr, .vbr, .vec, .vml, .vsd, .vsdm, .vsdx, .vstm, .stm, .vstx, .wmf, .wpg, .vsm, .vault, .xar, .xmind, .xmmap, .yal, .orf, .ota, .oti, .ozb, .ozj, .ozt, .pal, .pano, .pap, .pbm, .pc1, .pc2, .pc3, .pcd, .pcx, .pdd, .pdn, .pe4, .pe4, .pef, .pfi, .pgf, .pgm, .pi1, .pi2, .pi3, .pic, .pict, .pix, .pjpeg, .pjpg, .pm, .pmg, .png, .pni, .pnm, .pntg, .pop, .pp4, .pp5, .ppm, .prw, .psd, .psdx, .pse, .psp, .pspbrush, .ptg, .ptx, .ptx, .pvr, .px, .pxr, .pz3, .pza, .pzp, .pzs, .z3d, .qmg, .ras, .rcu, .rgb, .rgb, .rgf, .ric, .riff, .rix, .rle, .rli, .rpf, .rri, .rs, .rsb, .rsr, .rw2, .rwl, .s2mv, .sai, .sci, .sct, .sep, .sfc, .sfera, .sfw, .skm, .sld, .sob, .spa, .spe, .sph, .spj, .spp, .sr2, .srw, .ste, .sumo, .sva, .save, .ssfn, .t2b, .tb0, .tbn, .tex, .tfc, .tg4, .thm, .thumb, .tif, .tiff, .tjp, .tm2, .tn, .tpi, .ufo, .uga, .usertile-ms, .vda, .vff, .vpe, .vst, .wb1, .wbc, .wbd, .wbm, .wbmp, .wbz, .wdp, .webp, .wpb, .wpe, .wvl, .x3f, .y, .ysp, .zif, .cdr4, .cdr6, .rtf, .cdrw, .jpeg, .djvu, .pdf, .ddoc, .css, .pptm, .raw, .cpt, .gif, .jpeg, .jpg, .jpe, .jp2, .pcx, .pdn, .png, .psd, .tga, .tiff, .tif, .hdp, .xpm, .ai, .cdr, .ps, .svg, .sai, .wmf, .emf, .ani, .apng, .djv, .flc, .fb2, .fb3, .fli, .mng, .smil, .svg, .mobi, .swf, .html, .xls, .xlsx, .csv, .xlsm, .ods, .xhtm

All of the files that will get encrypted in the process, will receive one and the same extension, which according to researchers is now .BTC. That very same extension has been used by other notable cryptoviruses, which do not seem related. Those viruses are:

The BTCamant ransomware might delete the Shadow volume copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

However, some versions of the ransomware seem to be decryptable as you can see from the image below:


Twitter @qingfro9

Continue to read to find out what kind of ways you could try out to restore your files or a part of them if you do not have the screen in the above screenshot available with your variant of the virus.

Remove BTCamant Ransomware and Restore .BTC Files

If your computer got infected with the BTCamant ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete BTCamant from your computer

Note! Substantial notification about the BTCamant threat: Manual removal of BTCamant requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove BTCamant files and objects
2.Find malicious files created by BTCamant on your PC

Automatically remove BTCamant by downloading an advanced anti-malware program

1. Remove BTCamant with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by BTCamant
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.