A ransomware virus themed on the number one cryptocurrency, Bitcoin, has been reported to encrypt the files on its victims' computers and wreak havoc on a massive scale. The malware may employ encryption to render the important files on the computers it infects unusable. Not only this, but the BTC virus also appends a very specific file extension, .BTC, to each encrypted file. What is also characteristic is that the BTC ransomware drops a ransom note asking the victim to contact [email protected] or [email protected] to pay the ransom fee, suggesting it is a US-created virus.
| Item | Details |
|---|---|
| Short Description | The BTC ransomware virus encrypts files belonging primarily to widely used file types and leaves a ransom note asking the victim to contact an e-mail address for payment instructions for their "release". |
| Symptoms | The user finds all of his files encrypted, with the .BTC file extension appended to them, and no longer openable. A file named "idr__btc_decrypt_files.txt" is dropped. |
| Detection Tool | See If Your System Has Been Affected by BTC Virus. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and on whether or not you have reformatted your drive. |
How Does BTC Ransomware Replicate
In order to be widespread, BTC ransomware uses spamming software to send out two types of malicious objects:
- Web links.
- Malicious files.
The web links and the files both may be sent via e-mail spam that resembles different messages, like a notification claiming the user has purchased a product or similar, social engineering the malware’s way to users’ computers. The malicious files may also be posted on torrent websites under the disguise of being key generators for activating unlicensed programs or even cracks for games. Malicious web links may be spread differently. They may be posted via spam bots, like Ghost Referrers or similar.
More About BTC Ransomware
After the user has been infected with BTC ransomware, the ransomware may drop its malicious files in the following key Windows folder:
- %User’s Profile%
After the malicious files are dropped, the virus may directly begin to encrypt important files. It has been reported that the BTC ransomware primarily attacks all of the important files except those in its exclusion list, the folders whose encryption would most likely prevent Windows from functioning. These folders are:
- %Program Files%
Other than that, the virus may encipher all of the other important files on the infected computer, such as:
- Files associated with often used programs.
- Audio files.
- Microsoft Office and Adobe documents.
After encryption, the BTC ransomware adds its distinctive .BTC file extension to each file, rendering it no longer openable and looking like the following:
The virus then drops its ransom note, named "idr__btc_decrypt_files.txt". Its contents are the following:
After the ransom note is dropped the BTC ransomware may self-delete the private decryption key and the encryption modules it uses to encipher data to prevent malware researchers from “having a peek”.
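The two host-side indicators described above (the appended .BTC extension and the dropped "idr__btc_decrypt_files.txt" note) are enough for a simple triage scan. The following script is an added example, not code from the original article or from any vendor tool it mentions: it walks a directory tree, lists files carrying the .BTC extension and any ransom notes, and measures the byte entropy of each .BTC file so that a file that was merely renamed (still plain text) can be told apart from one that was actually enciphered. The sample directory it builds is constructed for the demonstration; the 6.0 bits-per-byte threshold is an assumption chosen to separate ordinary text from ciphertext.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up above.
BTC_EXTENSION = ".btc"            # compared case-insensitively
RANSOM_NOTE_NAME = "idr__btc_decrypt_files.txt"

# Assumed threshold: random ciphertext approaches 8.0 bits per byte,
# English text usually sits around 4-5.
ENTROPY_THRESHOLD = 6.0
SAMPLE_BYTES = 65536              # read at most 64 KiB per file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_btc_indicators(root: str) -> dict:
    """Walk `root` and collect BTC ransomware indicators.

    Returns the encrypted-file paths, ransom-note paths, .BTC files whose
    content is still low-entropy (renamed only, or a decoy), and a verdict.
    """
    encrypted, notes, low_entropy = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME:
                notes.append(str(path))
            elif name.lower().endswith(BTC_EXTENSION):
                encrypted.append(str(path))
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
                if shannon_entropy(sample) < ENTROPY_THRESHOLD:
                    low_entropy.append(str(path))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "suspicious_low_entropy": sorted(low_entropy),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_tree() -> str:
    """Constructed sample, not a real infection: three 'encrypted' files
    (random bytes), one renamed-only text file, one ransom note and one
    untouched file, under a fake user profile in a temp directory."""
    root = tempfile.mkdtemp(prefix="btc_sample_")
    docs = Path(root) / "Users" / "victim" / "Documents"
    docs.mkdir(parents=True)
    for i in range(3):
        (docs / f"report{i}.docx.BTC").write_bytes(os.urandom(4096))
    (docs / "notes.txt.BTC").write_text("This file was only renamed.\n" * 20)
    (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note text\n")
    (docs / "untouched.txt").write_text("still readable\n")
    return root


if __name__ == "__main__":
    result = scan_for_btc_indicators(build_sample_tree())
    print("infected:", result["infected"])
    print("encrypted files:", len(result["encrypted_files"]))
    print("ransom notes:", result["ransom_notes"])
    print("renamed-only .BTC files:", result["suspicious_low_entropy"])
```

Run the script as-is to see it triage the constructed tree; point `scan_for_btc_indicators` at a real user profile directory to use it on a suspect machine. The entropy check matters because a file with the .BTC extension whose content is still readable text was not actually encrypted and may simply be recoverable by renaming it back.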
BTC Ransomware – Conclusion, Removal and File Restoration
There is not a lot of research to suggest that BTC ransomware is a standalone virus, which suggests it may also be part of a massive RaaS (ransomware-as-a-service) scheme. Whatever the case may be, if your computer has become a victim of BTC, we advise you to follow experts' advice and use instructions like the ones after this article to remove all of the BTC-related files. For maximum effectiveness, malware researchers also advise users to remove the malware using an advanced anti-malware program, which will also ensure protection in the future.
Unfortunately, regarding file decryption, researchers have not yet developed a free decryption tool. The good news, however, is that you can try some alternative methods, which we have provided in step "2. Restore files encrypted by BTC" below. Bear in mind that they have not been tested on BTC ransomware and may or may not work for you, so you should also use the information in the instructions below to back up your files before trying them.