.MASTER File Virus – Remove BTCWare and Restore Data - How to, Technology and PC Security Forum | SensorsTechForum.com

.MASTER File Virus – Remove BTCWare and Restore Data

This article has been created to help you remove the latest BTCWare ransomware from your computer and show how to restore .master encrypted files.

A new version of the notorious BTCWare ransomware has appeared in the wild. The ransomware virus aims to append AES encryption on the important files in the computers infected by it, making the files no longer able to be opened. Then the latest .master BTCWare ransomware variant demands victims to pay a hefty ransom fee in order to get back the encrypted files. In case your computer has been infected by this ransomware variant, we strongly urge you to read this article thoroughly.

Threat Summary

Name.master BTCWare
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the infected computer using AES algorithm. Demands ransom payoff in BitCoin. The ransom varies.
SymptomsThe files are encrypted with the .master file extension added to them. The virus drops a ransom note, named !#_RESTORE_FILES_#!.inf.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .master BTCWare


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .master BTCWare.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.master File Virus Distribution Methods

The .master variant of BTCWare is spread in methods that are approximate to all the other variants of this virus. Given that BTCWare is an evolved CryptXXX ransomware varuses, the .master ransomware may also utilize methods of distribution which are similar to it as well. The primary and most often encountered method of infection is via different e-mail spam campaigns. The spam messages aim to deceive the user that they are from legitimate companies such as:

  • Amazon.com
  • eBay.com
  • PayPal.com
  • FedEx.
  • DHL.

The e-mail messages may contain deceptive statements int hem such as:

“Dear Customer, Greetings from Amazon.com
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please open the order invoice attached.
Your order number: #241-24244152-12412312441”

Along the e-mail there may either be a web link that may lead to the infection or the malicious infection file itself may be embedded.

Besides this method of infection, there are also multiple other approaches for distribution of the .master file ransomware, despite them being less likely. These are via a fake updates, fake setups, key generators, game cracks or license activators uploaded on suspicious sites.

BTCWare .master Virus – Analysis

After the user PC is infected with the loader infection file, the BTCWare ransomware may drop more than one malicious files on the infected computer. The files may be a main executable which encrypts the files adding the .master file extension and multiple support files that ensure the virus has administrative privileges and the settings on it are modified so that the encryption is uninterrupted. The malicious files may be dropped in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

Among the files is the ransom note of BTCWare .master variant, named !#_RESTORE_FILES_#!.inf which has the following message to victims:

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem
If you want to restore them. write us to the e-mail: BM-NBMlDiESngzuunchijMjPEcv4qur@bi
or makedonskiy@gmx.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION As GUARANTEE] Before paying you can send to us up to 3 files for free decryption.
P1ease note that files must NOT contain valuable information
and their total size must be less than 1Mb
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the se11er
by payment met od and price
[ATTENTION] Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data 105
If you not write on e-mail in 36 hours – your key has been deleted and you cant decrypt you
Your ID:

In addition to this, modules of the virus may have functions in them that allow them to perform malicious activities. These functions may give the .master file virus administrative permissions that allow It to perform different activities. One of those may be to delete the shadow volume copies on the infected computer via the administrative vssadmin command in Windows Command Prompt:

→ vssadmin.exe delete shadows /all /quiet

Other activity of the .master file virus may include to tamper with the Windows Registry Editor, more specifically, create custom value strings with data in them to run it’s malicious executables on startup. The usually targeted registry sub-keys for this to happen are:

  • Run
  • RunOnce

.master Ransomware’s Encryption Process

In order to encrypt files on the computers it has already infected, the .master BTCWare variant uses an AES encryption algorithm. However, this encryption is different in comparison to the other BTCWare variants, because it has been patched and created to be significantly more difficult to decrypt. This variant of BTCWare may scan for and encrypt files with the following file extensions:

→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip

After it completes encrypting files, the .master BTCWare virus adds it’s distinctive file extension to the encrypted files, making them look like the following:

After the files belonging to this ransomware virus have been encrypted, it may also connect to a remote server of the cyber-criminals and send information from the user’s computer, like decryption keys plus the IP address or other data.

Remove BTCWare and Restore .master Encrypted Files

Before actually removing this virus, we advise you to backup the .master encrypted files on another drive, just in case.

After having done this, you can follow the removal instructions below to safely remove BTCWare .master ransomware from your computer. In case you are having difficulties in removing this ransomware manually, security experts strongly advise to use an advanced anti-malware tool for the automatic removal.

Regarding the decryption of the files, unlike the other variants of BTCWare that are decryptable, unfortunately, this variant is not. But we suggest you to check this article often as we will monitor the situation and provide an update, if free decryption is possible. In the meantime, you might want to try and use the methods for restoring files that are alternative to direct decryption. They are in step “2. Restore files encrypted by .master BTCWare”


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

1 Comment

  1. AvatarJorge Noguera

    no funciona


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share