An article created to show you how to remove the .MASTER file virus (BTCWare’s latest variant) and restore files that have been AES encrypted by this virus.
A ransomware infection, known to be the notorious BTCWare ransomware has been released as a new variant of the virus family. Unlike the other BTCWare versions, the .master iteration cannot be decrypted so far and uses an AES encryption algorithm to extort victims whose computers have been infected. The victims have to pay a hefty ransom fee in order to get their files decrypted by the ones behind the .master ransomware infection. In case your computer has been infected by this virus, we advise you to read this article thoroughly.
Threat Summary
| Name | .master Ransomware |
| Type | Ransomware, Cryptovirus |
| Short Description | Encrypts the files on the infected computer using AES algorithm. Demands ransom payoff in BitCoin. The ransom varies. |
| Symptoms | The files are encrypted with the .master file extension added to them. The virus drops a ransom note, named !#_RESTORE_FILES_#!.inf. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool | See If Your System Has Been Affected by .master Ransomware Download Malware Removal Tool | User Experience | Join Our Forum to Discuss .master Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Update July 2017 A new version of BTCWare ransomware has come out into the wild. The virus uses a new malicious file extension, called .aleta which i adds to the encrypted files. Malware eresearchers believe it is spread via malicious spam e-mails carrying documents that contain malicious macros within them. Furthermore, researcher Michael Gillespie notified of a decrypter being released for the .MASTER BTCWare variant. You can now decrypt your files for free if you have saved them.
.master Ransomware Distribution Methods
Since the Master ransomware as many refer to it with this name is a variant of the BTCWareransomware, it may use the same methods to be spread and infect victims. The primary strategy of those methods is to send a massive spam campaign with e-mails that aim for one thing only – to convince unsuspecting users that the situation is critical and they must either click on an e-mail attachment or open a web link that may eventually lead to infection. To do this, Master ransomware may pretend to be a large organization, such as:
- Amazon
- PayPal
- FedEx
- DHL
- eBay
- Other
The messages usually have deceptive content, also known as “social engineering”. They may claim that there is an order awaiting confirmation or any other form invoices or important documents. Then, the user may be misled to click on the malicious e-mail.
BTCWare .master Ransomware – Analysis
After the infection file of the .master ransomware variant is opened, the virus begins to drop it’s payload. This happens by either extracting the payload onto the infected computer or simply connecting to a remote server hosted by the cyber-criminals and download it from there. After this has been done, the malicious files of Master ransomware are then dropped onto the computer of the user and may reside in the following locations:
- %AppData%
- %Roaming%
- %Local%
- %LocalLow%
- %Temp%
Those files include the ransom note of .master ransomware which is named !#RESTORE_FILES_#!.inf. It has the following content:
The .master ransomware virus may begin to modify multiple different Windows processes on the compromised computer system. This is done with the purpose of changing crucial settings on the infected computer, like deleting the backups and shadow volume copies by using the following Windows Command Prompt commands:
→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
.master Ransomware’s Encryption Process
For the encryption process of the BTCWare .master ransomware variant to succeed, the virus uses a patched AES encryption algorithm. If applied properly, it is very difficult to decrypt the encrypted files by this virus. The files that the .master ransomware looks for to encrypt on infected computers are usually the following:
→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip
After the .master ransomware has already encrypted the files, the virus then displays the files with the .master file extension after their name, for example:
It is believed that the cyber-criminals behind the .master virus have chosen this file extension in particular, because all of the previous variants of BTCWare have already been decrypted using a master decryption key which malware researchers uncovered earlier. And by doing this, the cyber-criminals might aim to mock those researchers.
Remove BTCWare and Restore .master Encrypted Files
Before removing BTCWare .master variant, it is important to backup the encrypted files beforehand.
Then, you can proceed with the removal of the virus. For it to succeed, we advise following the removal instructions underneath. They are specifically designed to help you in isolating the threat and removing all related objects to .master ransomware. In case you lack the experience to remove this virus manually, cybersec experts often advise to use and advanced anti-malware program which will automatically take care of the removal process for you.
In case you are looking for a method to restore your encrypted files, we urge you to do It by trying the alternative method for file recovery below. They are specifically designed to help you recover at least some of the encrypted files. You can find them in step “2. Restore files encrypted by .master Ransomware”.
Manually delete .master Ransomware from your Mac
Remove a toolbar from Mozilla Firefox
Remove a toolbar from Google Chrome
Remove an extension from Safari and reset it.
Automatically remove .master Ransomware from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as .master Ransomware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
