.BTCWare File Virus (Restore Files) - Update May 2017

This article was created to help you remove the BTCWare virus and restore .btcware encrypted files instead of paying 0.5 BTC to the crooks.

A new ransomware virus, related to CrptXXX, has been discovered and named BTCWare. The malware encrypts the files on the computers it infects so that they can no longer be opened, then drops a ransom note that leads to instructions on how to send 0.5 BTC to the cyber-criminals' Bitcoin address. From there, the crooks give further instructions on which commands to type to decrypt the encrypted files. If you have become a victim of BTCWare ransomware, we recommend reading this article to remove the virus and try to restore the files it encrypted.

Threat Summary



Short Description: The malware encrypts the user's files with a strong encryption algorithm, so direct decryption is possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user sees ransom notes and "instructions" linking to a web page and a decryptor. File names are changed and the .btcware file extension is appended.
Distribution Method: Via an exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the obfuscated malware itself.

.BTCWare Ransomware – Update May 2017

Update! A decryption tool is now available for all BTCWare ransomware variants (including .btcware)! The tool was created by the malware researcher Michael Gillespie. You can download the tool and read how to use it from the following article: Decrypt Files Encrypted by BTCWare Ransomware.

BTCWare Ransomware – How Does It Infect

Once this ransomware is out in the wild, it spreads through several different channels. One of them is for the cyber-criminals to combine different tools to distribute the virus files, most commonly massive spam campaigns that deliver the infection file as a seemingly legitimate e-mail attachment. The attachment is usually packed in an archive and poses as an ordinary Windows document. An example of a spam e-mail carrying such a malicious attachment can be seen below:

Another way of spreading this virus is to upload it to suspicious websites as a fake installer of a free program, such as a popular media player, torrent client or other freeware. Shady or compromised websites often host malicious files disguised as program setups.

Infection files can also be distributed in other forms, for example uploaded to torrent websites alongside cracked games or software.

BTCWare Ransomware – Malicious Activity

Once the virus is activated, one way or another, it connects to a remote host and drops several malicious files on the user's computer. One of them is an executable named biznet.exe, located in the %AppData% folder. Other malicious files may be dropped as well, typically in the commonly used Windows folders:

  • %AppData%
  • %SystemDrive%
  • %Local%
  • %Roaming%
  • %System32%
  • %Startup%

After this, the virus may also drop a ransom note file named _HOW_TO_FIX_!.hta. The note carries the message that tells the user how to get the files back once the encryption process is complete.

The ransom note may contain, or lead to, the following instructions:

“If you want to restore files, use this instructions:
1.Run website {Tor-based link here}
2.In login panel, enter your personal ID:
{Unique ID only for the victim PC}
3.Follow next instructions on the website
Do not try to decrypt your data using third-party software, it may cause permanent data loss.”

If the web page is visited, the user sees the following instructions, alongside the cyber-criminals' BTC wallet address.

“Recovery files
To decrypt files, you will have to pay 0.5 BTC
1. You should register Blockchain wallet
• LocalBitcoins.com
• Coinmama.com
• Other exchanges
2. Buy bitcoins for your wallet.
3. Send 0.5 BTC to Bitcoin address:
{Cyber-crooks’ wallet}
4. Enter your transaction ID:
5. Press Win+R, type cmd and press Enter
In appeared console:
1) Enter cd %appdata%
2) Enter biznet.exe –d your_decrypt_key and wait for decryption
6. Finish. All the files decrypted”

Besides intimidating the user, the BTCWare virus may also delete any backups and shadow copies on the infected computer with the vssadmin command:

→ vssadmin.exe delete shadows /all /quiet

In addition to terminating processes that might interfere with the encryption, the BTCWare virus may also heavily modify the Run and RunOnce registry sub-keys in the Windows registry so that its malicious files run at startup. Other registry sub-keys may be modified too.
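The two behaviours just described, shadow-copy deletion with vssadmin and a Run/RunOnce value pointing at a file under %AppData%, are the host indicators a SOC analyst would hunt for. The following Python routine is an added example (not code from the original article and not BTCWare's) that checks Sysmon-style process-creation and registry events for exactly those two signals. The sample events are constructed for illustration, and the event field names, rule names and severities are this example's own assumptions.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (EventID 1 = process
# creation, EventID 13 = registry value set). Illustrative records only, not
# real logs; the biznet.exe path follows the %AppData% location named above.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\biznet.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\biznet",
     "Details": r"C:\Users\victim\AppData\Roaming\biznet.exe"},
    # Benign activity that must not fire: listing shadows, a vendor Run entry.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# "vssadmin ... delete shadows" is the exact command quoted in the article.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)
# Run / RunOnce are the persistence keys the article says BTCWare modifies.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Paths a normal user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def detect(events):
    """Return (rule_name, severity, evidence) tuples for matching events.
    Rule names and severities are this example's own labels (assumption)."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            # Shadow-copy wiping launched from a user-writable path is the
            # strongest signal; from an admin shell it still deserves a look.
            sev = "high" if USER_WRITABLE.search(ev.get("ParentImage", "")) else "medium"
            hits.append(("shadow_copy_deletion", sev, ev["CommandLine"]))
        elif (ev.get("EventID") == 13
              and RUN_KEY.search(ev.get("TargetObject", ""))
              and USER_WRITABLE.search(ev.get("Details", ""))):
            hits.append(("run_key_from_appdata", "medium", ev["Details"]))
    return hits


if __name__ == "__main__":
    for rule, sev, evidence in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {evidence}")
```

The parent-process check matters in practice: administrators and backup software run vssadmin legitimately, so the command line alone is noisy, whereas vssadmin spawned from a binary under a user profile almost never is. On a suspected host, the presence of biznet.exe in %AppData% and of _HOW_TO_FIX_!.hta, both named above, are the file-system indicators to confirm alongside these events.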

BTCWare Virus – The Encryption Process

The file encryption routine of BTCWare is reportedly related to the CrptXXX ransomware and may employ the same Advanced Encryption Standard (AES) cipher to render files unopenable. Once BTCWare infects a computer, files with the following extensions may be encrypted:

→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip

For the encryption process, BTCWare ransomware may also use what is known as CBC (Cipher Block Chaining) mode. In CBC mode every block is chained to the previous ciphertext block, so decrypting with the wrong key, or after the ciphertext has been altered, yields garbage rather than a partially readable file. A third-party decryptor that guesses wrong and writes its output over the original can therefore leave a file permanently unrecoverable, which is why any decryption attempt should be made on copies.
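To make the CBC point concrete, the following added example (not from the article, and not BTCWare's own code) encrypts data in CBC mode and shows what a decryptor gets back when one ciphertext bit is damaged or the wrong key is used. It assumes a toy 16-byte Feistel block cipher built from SHA-256 in place of AES, since the article only reports that AES "may" be used; the chaining behaviour it demonstrates is the same for any block cipher in CBC mode. The sample plaintext is constructed.

```python
import hashlib
import os

BLOCK = 16   # block size in bytes, the same as AES
ROUNDS = 8   # Feistel rounds for the toy cipher (assumption: stand-in for AES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: SHA-256 over (key, round number, half block),
    # truncated to half a block. Toy construction for illustration, not AES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Same rounds in reverse order; the Feistel structure makes this exact.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK            # PKCS#7 padding
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or damaged ciphertext")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C[i] = E(P[i] XOR C[i-1]) with C[-1] = IV: each block depends on the previous one.
    data, out, prev = _pad(plaintext), [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P[i] = D(C[i]) XOR C[i-1]; returns the still-padded plaintext.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def recover(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """What a decryptor does: CBC-decrypt, then strip the padding. With a wrong
    key or a damaged ciphertext this raises ValueError (or, rarely, returns
    garbage); it never yields a partially readable file."""
    return _unpad(cbc_decrypt(key, iv, ciphertext))


def damage_report(key: bytes, iv: bytes, plaintext: bytes, flip_block: int, flip_bit: int):
    """Flip one bit in ciphertext block `flip_block`, decrypt with the right key,
    and report which plaintext blocks changed: (fully garbled, single bit flipped).
    CBC error propagation garbles block i and flips exactly that bit in block i+1,
    while every other block survives intact."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[flip_block * BLOCK + flip_bit // 8] ^= 1 << (flip_bit % 8)
    good, bad = _pad(plaintext), cbc_decrypt(key, iv, bytes(ct))
    garbled, one_bit = [], []
    for n in range(len(good) // BLOCK):
        diff = _xor(good[n * BLOCK:(n + 1) * BLOCK], bad[n * BLOCK:(n + 1) * BLOCK])
        bits = sum(bin(b).count("1") for b in diff)
        if bits == 1:
            one_bit.append(n)
        elif bits > 1:
            garbled.append(n)
    return garbled, one_bit


if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    secret = b"Constructed sample document contents, not a real file. " * 3
    ct = cbc_encrypt(key, iv, secret)
    print("right key round-trips:", recover(key, iv, ct) == secret)
    print("one bit flipped in block 1 -> (garbled, one-bit) blocks:",
          damage_report(key, iv, secret, 1, 5))
    try:
        print("wrong key produced garbage:", recover(os.urandom(32), iv, ct) != secret)
    except ValueError as exc:
        print("wrong key:", exc)
```

The practical reading of the output: a single damaged ciphertext bit costs one whole block plus one bit of the next, and a wrong key costs everything, with no way to tell a near miss from a total miss. That is the case for working on copies, as this article advises before any removal or restoration attempt.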

After encryption, the .btcware file extension is appended to each affected file, and the files may appear like the following:

After the encryption process has completed, the virus may send the decryption key over a remote connection to the cyber-criminals' server.

Remove BTCWare Ransomware and Restore .btcware Encrypted Files

Before attempting any removal and restoration, we strongly urge you to backup the files that have been encrypted by this ransomware infection.

After having done this, follow the instructions below to remove BTCWare's malicious objects. If you have difficulties or are unsure that manual removal can be done safely, experts advise using an advanced anti-malware program that will automatically delete all files associated with this infection.

For the recovery of your encrypted files, we advise trying the alternative methods below (2. Restore files encrypted by BTCWare) on copies of the encrypted files. They are not 100% effective, but they may help recover at least some of your data.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and tech developments at SensorsTechForum for 3 years. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion in cybersecurity and is a strong believer in basic online-safety education for every user.
