An old ransomware seems to have emerged once again. KeyBTC is the name of this ransomware, as it appends the extension [email protected]_com to encrypted files. To remove the ransomware and see whether you can restore your files, read this article carefully all the way through.
| Short Description | The ransomware encrypts files with RSA/PGP algorithms and asks for payment via email. |
| Symptoms | Specific file types are encrypted. Two files are created on the user’s desktop, File1.bin and File2.bin, along with a .txt file with instructions for paying the ransom. |
| Distribution Method | Spam emails, email attachments |
| Detection Tool | See If Your System Has Been Affected by KeyBTC |
| User Experience | Join Our Forum to Discuss KeyBTC. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
KeyBTC Ransomware – Distribution Ways
It is unknown whether exploit kits or social media are also used to help distribute this ransomware, but it is a possibility. File sharing services might host such files as well. If something looks suspicious and you are not one hundred percent sure of its origin, do not open it. That, at least, is the general rule of thumb.
KeyBTC Ransomware – Description
The KeyBTC malware is a known ransomware. It reportedly used to target only Russian-speaking countries, but in late 2014 it began infecting users worldwide. Still circulating to this day, it is not one of the most dangerous ransomware families, but it is quite effective. KeyBTC may by now have evolved to create entries in the Windows Registry, as other ransomware does, so that it persists and loads with each boot of the Windows OS.
What makes this ransomware effective and still viable to this day is that it encrypts important file types, the ones most commonly used to store personal information. In addition, only the public encryption key is present on the infected machine; the private key needed for decryption is never sent anywhere and is known only to the malware maker.
KeyBTC places all encrypted files inside two other files stored on the user’s computer. They are given these simple names:
– File1.bin
– File2.bin
A third file is created, containing the ransom instructions. The file is named READ, in capital letters. The instructions state:
All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. If you want to restore your files please follow the instructions:
1. Send email to [email protected]_inbox.com, with the following files in attachment:
– FILE1.BIN and FILE2.BIN files (check your desktop and local disks to find these files or just use Windows Search).
– One of your encrypted personal file for test decryption. Supported types: DOC/DOCX, JPG/JPEG, PDF. Maximum file size: 3 Mb.
2. Wait for email from us containing:
– Your decrypted file, proving that we can really help you.
– Decryption price and payment details.
3. Make payment.
4. Receive decryption key and detailed instructions how to decrypt your files.
– You must contact us in 24 hours, unless the price will rise.
– Nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
– Your files will be decrypted as quick as you contact us and make payment.
If you have any question, please feel free to ask.
Contact email: [email protected]_inbox.com
Paying is strongly advised against. You might be unable to unlock your files in the end, and you might not be contacted back by the cyber crooks at all. A payment could also serve as an incentive for them to make the ransomware tougher.
The KeyBTC ransomware is quite selective, as it scans infected computers for only 17 file types. Nonetheless, these are still the most widely used file types among Windows users on a global scale. The encryption is a combination of PGP and RSA, achieved with open source and free software. For the time being, this is the known list of extensions which are encrypted:
.pdf, .rtf, .accdb, .slddrw, .zip, .rar, .max, .jpg, .mdb, .xls, .xlsx, .doc, .docx, .cdr, .dwg, .1cd, .cd
After encryption, all files carry the extension [email protected]_com, which also names the email address you are instructed to use to contact the ransomware creators. Shadow Volume Copies might not be of much use here: the files are not only encrypted but also placed into the .bin files mentioned earlier, rather than deleted as other ransomware types tend to do.
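The file-naming behaviour described above lends itself to a quick triage check on a suspect machine or a mounted disk image. The following Python script is an added example, not code from the original article or from any vendor tool: it walks a directory tree, flags files carrying the appended KeyBTC suffix, recovers their original extension, and looks for the FILE1.BIN/FILE2.BIN containers and the READ note. Because the page shows the suffix with its mailbox part redacted, `ENCRYPTED_SUFFIX` is a placeholder that must be replaced with the value observed on the affected host; the sample directory the script builds is constructed purely for the demonstration.

```python
import tempfile
from pathlib import Path

# The 17 extensions the article lists as targeted by KeyBTC.
TARGETED_EXTENSIONS = {
    ".pdf", ".rtf", ".accdb", ".slddrw", ".zip", ".rar", ".max", ".jpg", ".mdb",
    ".xls", ".xlsx", ".doc", ".docx", ".cdr", ".dwg", ".1cd", ".cd",
}

# PLACEHOLDER: the article shows the appended extension with the mailbox part
# redacted ("[email protected]_com"), so the exact string is not on the page.
# Replace this with the suffix actually observed on the affected host.
ENCRYPTED_SUFFIX = ".PLACEHOLDER-mailbox_com"

# Dropped artifacts the article describes: two container files and a note named READ.
CONTAINER_NAMES = {"file1.bin", "file2.bin"}
NOTE_STEM = "read"


def triage(root, suffix=ENCRYPTED_SUFFIX):
    """Walk `root` and collect KeyBTC indicators.

    Returns a dict with: files carrying the appended suffix, the original
    extensions recovered from their names, container files, ransom notes, and
    files of a targeted type that still carry their normal extension.
    """
    report = {
        "encrypted": [],
        "original_extensions": set(),
        "containers": [],
        "notes": [],
        "targeted_untouched": [],
    }
    suffix_lower = suffix.lower()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(suffix_lower):
            report["encrypted"].append(str(path))
            # Strip the appended suffix to recover the original extension.
            original_ext = Path(name[: -len(suffix_lower)]).suffix
            if original_ext:
                report["original_extensions"].add(original_ext)
        elif name in CONTAINER_NAMES:
            report["containers"].append(str(path))
        elif Path(name).stem == NOTE_STEM:
            report["notes"].append(str(path))
        elif path.suffix.lower() in TARGETED_EXTENSIONS:
            report["targeted_untouched"].append(str(path))
    return report


def summarize(report):
    """Turn a triage report into a one-line verdict for a ticket or SIEM note."""
    hits = len(report["encrypted"])
    if hits == 0 and not report["containers"] and not report["notes"]:
        return "no KeyBTC indicators found"
    return (
        f"{hits} encrypted file(s), {len(report['containers'])} container file(s), "
        f"{len(report['notes'])} ransom note(s); original types: "
        + ", ".join(sorted(report["original_extensions"]))
    )


def build_sample_tree(root, suffix=ENCRYPTED_SUFFIX):
    """Create a constructed sample directory imitating a post-infection desktop."""
    root = Path(root)
    (root / "docs").mkdir()
    for rel in (
        "docs/report.docx" + suffix,  # encrypted document
        "photo.jpg" + suffix,         # encrypted image
        "budget.xls",                 # targeted type, not (yet) encrypted
        "notes.txt",                  # not a targeted type
        "FILE1.BIN", "FILE2.BIN",     # container files
        "READ.txt",                   # ransom note
    ):
        (root / rel).write_bytes(b"constructed sample content")


def demo():
    """Build the constructed sample in a temp dir, run triage and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(summarize(demo()))
```

On a real host, point `triage()` at the user profile or the root of a mounted image and set the suffix to the one seen in the file listing; the `targeted_untouched` list is useful for deciding which files to copy off before any cleanup, and the recovered original extensions tell you which of the 17 types were actually hit.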
Remove KeyBTC Ransomware and Restore [email protected]_com Encrypted Files
If your PC is infected by the KeyBTC ransomware, you should have a bit of experience with removing malware. You should remove the malware promptly, as it might reach other files if you connect to a network or an external storage device. The recommended course of action is to remove the ransomware by following the step-by-step instructions provided below.