BTCamant Ransomware – Remove and Restore .BTC Files
THREAT REMOVAL

BTCamant Ransomware – Remove and Restore .BTC Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by BTCamant and other threats.
Threats such as BTCamant may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This article will help you remove BTCamant ransomware in full. Follow the ransomware removal instructions provided at the end of the article.

BTCamant ransomware is a cryptovirus which is a variant of Radamant, according to researchers. All of your files will become encrypted and get the extension .BTC appended to them after the encryption process is finished. Next, the BTCamant ransomware will display a ransom note in a directory with encrypted files. Read on to see how you could try to restore some of your files.

Threat Summary

NameBTCamant
TypeRansomware
Short DescriptionThe ransomware encrypts files on your computer and puts a ransom note afterward in a directory with encrypted files.
SymptomsThe ransomware will encrypt your files and append the .BTC extension on each one of those files when the encryption is set and done.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by BTCamant

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss BTCamant.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BTCamant Ransomware – Distribution

BTCamant ransomware might be distributed by using various methods. The payload file which executes the malicious script for the ransomware that ends up infecting your computer machine has been seen in the wild. You could preview how many detections it has from the screenshot down here, taken from the VirusTotal service:

The BTCamant ransomware can also be using social media sites and file-share networks for further distributing that payload file. Programs which are freeware could be advertised on the Internet as useful, but also might hide the malicious script of this cryptovirus. Refrain from immediately opening files when you have downloaded them. Even more so, if they are from suspicious links, emails and other sources. Instead, you should commence a scan of the files. Run some security application and scan them, while also checking for anything unusual about their size or signatures. You might want to give a read to the ransomware prevention tips topic that is in the designated forum section.

BTCamant Ransomware – Description

The BTCamant ransomware is a cryptovirus. A recent sample of the ransomware was discovered by the malware researcher Karsten Hahn. He and more researchers state that the virus is a variant of the Radamant ransomware.

BTCamant ransomware can make Windows Registry entry for achieving a higher level of persistence. Those registry entries are designed in such a way to launch the cryptovirus automatically with every single start of the Windows operating system.

The ransom note will be put inside a directory with encrypted files once that encryption process is complete. The note with the demands of the cybercriminals, such as the ransom price, and other instructions or demands for decrypting your files is located in these files:

  • BTC_DECRYPT_FILES.html
  • BTC_DECRYPT_FILES.txt

That ransom note’s message might have variations of the message, but the newer one states the following:

Hello!
For getting back Your PC data You need to contact with us through email as soon as possible: [email protected] , [email protected]

That note may differ with other samples of the ransomware. For example, here is another one, which is older:

All your files on hard drives, removable media and network shares have been cryptographically encrypted.
Expansion of encrypted files: .BTC [other extensions might be provided]

To date, the encryption algorithm is not possible to decrypt.
Learn more about the algorithm can be here: Wikipedia

The crooks who spread the BTCamant ransomware should NOT in any circumstance be contacted or paid. By paying, you do not guarantee the recovery of your files, and also, nothing else can give you that guarantee. Your files may not get restored to their previous state. Moreover, funding the criminal activity of those cybercriminals will be like supporting them and encouraging them to do similar evil deeds.

Down here you can see a list of extensions which the Radamant virus searched to encrypt and is believed that the same list is also used by the BTCamant ransomware.

→.1cd, .dbf, .dt, .cf, .cfu, .mxl, .epf, .kdbx, .erf, .vrp, .grs, .geo, .st, .pff, .mft, .efd, .3dm, .3ds, .rib, .ma, .sldasm, .sldprt, .max, .blend, .lwo, .lws, .m3d, .mb, .obj, .x, .x3d, .movie.byu, .c4d, .fbx, .dgn, .dwg, .4db, .4dl, .4mp, .abs, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adn, .a3d, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .bak, .backup, .cdb, .ckp, .clkw, .cma, .crd, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, .db-wal, .db2, .db3, .dbc, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .df1, .dmo, .dnc, .dp1, .dqy, .dsk, .dsn, .dta, .dtsx, .dxl, .eco, .ecx, .edb, .emd, .eql, .fcd, .fdb, .fic, .fid, .fil, .fm5, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, .jtx, .kdb, .lgc, .maq, .mdb, .mdbhtml, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .s3m, .myd, .ndf, .ns2, .ns3, .ns4, .nsf, .nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdb, .pdb, .pdm, .phm, .pnz, .pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, .sdb, .sdb, .sdf, .spq, .sqb, .stp, .sql, .sqlite, .sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, .xdb, .xld, .xlgc, .zdb, .zdc, .cdr, .cdr3, .ppt, .pptx, .1st, .abw, .act, .aim, .ans, .apt, .asc, .ascii, .ase, .aty, .awp, .awt, .aww, .bad, .bbs, .bdp, .bdr, .bean, .bib, .bna, .boc, .btd, .bzabw, .chart, .chord, .cnm, .crd, .crwl, .cyi, .dca, .dgs, .diz, .dne, .doc, .doc, .docm, .docx, .docxml, .docz, .dot, .dotm, .dotx, .dsv, .dvi, .dx, .eio, .eit, .email, .emlx, .epp, .err, .err, .etf, .etx, .euc, .fadein, .faq, .fb2, .fbl, .fcf, .fdf, .fdr, .fds, .fdt, .fdx, .fdxt, .fes, .fft, .flr, .fodt, .fountain, .gtp, .frt, .fwdn, .fxc, .gdoc, .gio, .gio, .gpn, .gsd, .gthr, .gv, .hbk, .hht, .hs, .htc, .hwp, .hz, .idx, .iil, .ipf, .jarvis, .jis, .joe, .jp1, .jrtf, .kes, .klg, .klg, .knt, .kon, .kwd, .latex, .lbt, .lis, .lit, .lnt, .lp2, .lrc, .lst, .lst, .ltr, .ltx, .lue, .luf, .lwp, .lxfml, .lyt, .lyx, .man, .map, .mbox, .md5txt, .me, .mell, .min, .mnt, .msg, .mwp, .nfo, .njx, .notes, .now, .nwctxt, .nzb, .ocr, .odm, .odo, .odt, .ofl, .oft, .openbsd, .ort, .ott, .p7s, .pages, .pfs, .pfx, .pjt, .plantuml, .prt, .psw, .pu, .pvj, .pvm, .pwi, .pwr, .qdl, .rad, .readme, .rft, .ris, .rng, .rpt, .rst, .rt, .rtd, .rtf, .rtx, .run, .rzk, .rzn, .saf, .safetext, .sam, .scc, .scm, .scriv, .scrivx, .sct, .scw, .sdm, .sdoc, .sdw, .sgm, .sig, .skcard, .sla, .slagz, .sls, .smf, .sms, .ssa, .strings, .stw, .sty, .sub, .sxg, .sxw, .tab, .tdf, .tdf, .tex, .text, .thp, .tlb, .tm, .tmd, .tmv, .tmx, .tpc, .trelby, .tvj, .txt, .u3d, .u3i, .unauth, .unx, .uof, .uot, .upd, .utf8, .unity, .utxt, .vct, .vnt, .vw, .wbk, .wbk, .wcf, .webdoc, .wgz, .wn, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpd, .wpd, .wpl, .wps, .wps, .wpt, .wpw, .wri, .wsc, .wsd, .wsh, .wtx, .xbdoc, .xbplate, .xdl, .xdl, .xlf, .xps, .xwp, .xwp, .xwp, .xy3, .xyp, .xyw, .ybk, .yml, .zabw, .zw, .2bp, .0,36, .3fr, .0,411, .73i, .8xi, .9png, .abm, .afx, .agif, .agp, .aic, .albm, .apd, .apm, .apng, .aps, .apx, .art, .artwork, .arw, .arw, .asw, .avatar, .bay, .blkrt, .bm2, .bmp, .bmx, .bmz, .brk, .brn, .brt, .bss, .bti, .c4, .cal, .cals, .can, .cd5, .cdc, .cdg, .cimg, .cin, .cit, .colz, .cpc, .cpd, .cpg, .cps, .cpx, .cr2, .ct, .dc2, .dcr, .dds, .dgt, .dib, .dicom, .djv, .djvu, .dm3, .dmi, .vue, .dpx, .wire, .drz, .dt2, .dtw, .dvl, .ecw, .eip, .erf, .exr, .fal, .fax, .fil, .fpos, .fpx, .g3, .gcdp, .gfb, .gfie, .ggr, .gif, .gih, .gim, .gmbck, .gmspr, .spr, .scad, .gpd, .gro, .grob, .hdp, .hdr, .hpi, .i3d, .icn, .icon, .icpr, .iiq, .info, .int, .ipx, .itc2, .iwi, .j, .j2c, .j2k, .jas, .jb2, .jbig, .jbig2, .jbmp, .jbr, .jfif, .jia, .jng, .jp2, .jpe, .jpeg, .jpg, .jpg2, .jps, .jpx, .jtf, .jwl, .jxr, .kdc, .kdi, .kdk, .kic, .kpg, .lbm, .ljp, .mac, .mbm, .mef, .mnr, .mos, .mpf, .mpo, .mrxs, .myl, .ncr, .nct, .nlm, .nrw, .oc3, .oc4, .oc5, .oci, .omf, .oplc, .af2, .af3, .ai, .art, .asy, .cdmm, .cdmt, .cdmtz, .cdmz, .cdt, .cgm, .cmx, .cnv, .csy, .cv5, .cvg, .cvi, .cvs, .cvx, .cwt, .cxf, .dcs, .ded, .design, .dhs, .dpp, .drw, .drw, .dxb, .dxf, .egc, .emf, .ep, .eps, .epsf, .fh10, .fh11, .fh3, .fh4, .fh5, .fh6, .fh7, .fh8, .fif, .fig, .fmv, .ft10, .ft11, .ft7, .ft8, .ft9, .ftn, .fxg, .gdraw, .gem, .glox, .gsd, .hpg, .hpgl, .hpl, .idea, .igt, .igx, .imd, .ink, .lmk, .mgcb, .mgmf, .mgmt, .mt9, .mgmx, .mgtx, .mmat, .mat, .otg, .ovp, .ovr, .pcs, .pfd, .pfv, .pl, .plt, .pm, .vrml, .pmg, .pobj, .ps, .psid, .rdl, .scv, .sk1, .sk2, .slddrt, .snagitstamps, .snagstyles, .ssk, .stn, .svf, .svg, .svgz, .sxd, .tlc, .tne, .ufr, .vbr, .vec, .vml, .vsd, .vsdm, .vsdx, .vstm, .stm, .vstx, .wmf, .wpg, .vsm, .vault, .xar, .xmind, .xmmap, .yal, .orf, .ota, .oti, .ozb, .ozj, .ozt, .pal, .pano, .pap, .pbm, .pc1, .pc2, .pc3, .pcd, .pcx, .pdd, .pdn, .pe4, .pe4, .pef, .pfi, .pgf, .pgm, .pi1, .pi2, .pi3, .pic, .pict, .pix, .pjpeg, .pjpg, .pm, .pmg, .png, .pni, .pnm, .pntg, .pop, .pp4, .pp5, .ppm, .prw, .psd, .psdx, .pse, .psp, .pspbrush, .ptg, .ptx, .ptx, .pvr, .px, .pxr, .pz3, .pza, .pzp, .pzs, .z3d, .qmg, .ras, .rcu, .rgb, .rgb, .rgf, .ric, .riff, .rix, .rle, .rli, .rpf, .rri, .rs, .rsb, .rsr, .rw2, .rwl, .s2mv, .sai, .sci, .sct, .sep, .sfc, .sfera, .sfw, .skm, .sld, .sob, .spa, .spe, .sph, .spj, .spp, .sr2, .srw, .ste, .sumo, .sva, .save, .ssfn, .t2b, .tb0, .tbn, .tex, .tfc, .tg4, .thm, .thumb, .tif, .tiff, .tjp, .tm2, .tn, .tpi, .ufo, .uga, .usertile-ms, .vda, .vff, .vpe, .vst, .wb1, .wbc, .wbd, .wbm, .wbmp, .wbz, .wdp, .webp, .wpb, .wpe, .wvl, .x3f, .y, .ysp, .zif, .cdr4, .cdr6, .rtf, .cdrw, .jpeg, .djvu, .pdf, .ddoc, .css, .pptm, .raw, .cpt, .gif, .jpeg, .jpg, .jpe, .jp2, .pcx, .pdn, .png, .psd, .tga, .tiff, .tif, .hdp, .xpm, .ai, .cdr, .ps, .svg, .sai, .wmf, .emf, .ani, .apng, .djv, .flc, .fb2, .fb3, .fli, .mng, .smil, .svg, .mobi, .swf, .html, .xls, .xlsx, .csv, .xlsm, .ods, .xhtm

All of the files that will get encrypted in the process, will receive one and the same extension, which according to researchers is now .BTC. That very same extension has been used by other notable cryptoviruses, which do not seem related. Those viruses are:

The BTCamant ransomware might delete the Shadow volume copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

However, some versions of the ransomware seem to be decryptable as you can see from the image below:


Twitter @qingfro9

Continue to read to find out what kind of ways you could try out to restore your files or a part of them if you do not have the screen in the above screenshot available with your variant of the virus.

Remove BTCamant Ransomware and Restore .BTC Files

If your computer got infected with the BTCamant ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Note! Your computer system may be affected by BTCamant and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as BTCamant.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove BTCamant follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove BTCamant files and objects
2. Find files created by BTCamant on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by BTCamant

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...