BTCWare

NJCCIC Threat Profile

Original Release Date: 2017-05-03

BTCWare, also known as CrptXXX and CryptoByte, targets Windows systems. It is not spread by mass phishing; the operators install it by hand after compromising Internet-exposed Remote Desktop Protocol (RDP) services, so exposed RDP and weak RDP credentials are the primary risk factor.

Extensions appended to encrypted file names:
.btcware, .cryptobyte, .cryptowin, .[sql772@aol.com].theva, .onyon, .xfile, .master, .[@bitmessage.ch], .[teroda@bigmir.net].master, .aleta, .crypton, .gryphon, .payday

Ransom note file names:
#\HOW_TO_FIX_!.hta, _READ ME.txt, #\HOW_TO_FIX.inf, .!#_DECRYPT_#!.inf, !#_RESTORE_FILES_#!.INF, .HELP.txt, !! RETURN FILES !!.txt_

Email addresses associated with BTCWare:
no.xm@protonmail.ch, yedeksecurty@gmail.com, yedekveri258@gmail.com, lineasupport@protonmail.com, gladius_rectus@aol.com, gladius_rectus@india.com, alekstraza@bigmir.net

Telegram usernames associated with BTCWare:
@decryps

Malware executables associated with BTCWare:
mfskskfkls.exe, .exe, czsdxxs.exe

Ransom demand:
0.5 Bitcoin

UPDATE 5/16/2017: BTCWare master key was released and the free decryption tool linked below has been updated to include most versions of this variant.

UPDATE 7/5/2017: The free decryption tool provided by Bleeping Computer has been updated to decrypt files from the most recent versions of BTCWare.

UPDATE 8/11/2017: A new version of BTCWare, dubbed Gryphon, was spotted in the wild. This version appends .crypton or .gryphon to the names of encrypted files and drops a ransom note named HELP.txt. There is no free decryption tool available for Gryphon at this time.

UPDATE 8/28/2017: A new version of BTCWare, dubbed Nuclear, was discovered appending .[email\address].nuclear_ to the names of encrypted files and dropping a ransom note named HELP.hta. Associated email addresses include black.world@tuta.io. There is no free decryption tool available for Nuclear at this time.

UPDATE 9/22/2017: A new version, dubbed Wyvern, was discovered appending .[email]-id-[id].wyvern to the names of encrypted files and dropping a ransom note named HELP.hta. Associated email addresses include decryptorx@cock.li. There is no free decryption tool available for Wyvern at this time.

UPDATE 12/06/2017: A new version, dubbed Shadow, was discovered appending .[email]-id-[id].shadow to the names of encrypted files. Associated email addresses include paydayz@cock.li. There is no free decryption tool available for Shadow at this time.
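The extensions and ransom-note names listed in this profile can be swept for on a suspect host or a mounted image. The script below is an added example, not code from NJCCIC or Bleeping Computer. It turns the profile's extension patterns into regular expressions (the [email] and [id] placeholders become a bracketed-address pattern and an alphanumeric token), matches ransom-note names literally, and scans a constructed sample directory. Assumptions: the Nuclear entry's "[email\address]" placeholder means a bracketed contact address, the Shadow extension uses the same -id-[id] layout as Wyvern, the incomplete .[@bitmessage.ch] entry and the note name containing a backslash are omitted, and the variant labels follow the update entries above.

```python
"""Added example: sweep a directory tree for BTCWare indicators from this profile."""
import os
import re
import tempfile

# Extension patterns from the profile, mapped to the variant name the profile uses
# (plain "BTCWare" where the profile gives none). The [email] and [id] placeholders
# are expanded to regexes below; everything else is matched literally.
EXTENSION_PATTERNS = {
    ".btcware": "BTCWare", ".cryptobyte": "CryptoByte", ".cryptowin": "BTCWare",
    ".[sql772@aol.com].theva": "BTCWare", ".onyon": "BTCWare", ".xfile": "BTCWare",
    ".master": "BTCWare", ".[teroda@bigmir.net].master": "BTCWare", ".aleta": "Aleta",
    ".crypton": "Gryphon", ".gryphon": "Gryphon", ".payday": "BTCWare",
    ".[email].nuclear": "Nuclear",          # profile writes .[email\address].nuclear
    ".[email]-id-[id].wyvern": "Wyvern",
    ".[email]-id-[id].shadow": "Shadow",    # assumption: same -id-[id] layout as Wyvern
}

# Ransom-note names from the profile (the entry containing a backslash is omitted).
RANSOM_NOTES = {n.lower() for n in [
    "_READ ME.txt", "!#_DECRYPT_#!.inf", "!#_RESTORE_FILES_#!.INF",
    "HELP.txt", "HELP.hta", "!! RETURN FILES !!.txt",
]}

PLACEHOLDERS = {
    "[email]": r"\[[^\[\]\s]+@[^\[\]\s]+\]",   # bracketed contact address
    "[id]": r"[A-Za-z0-9]+",                  # per-victim identifier
}


def pattern_to_regex(pattern):
    """Compile an extension pattern into a case-insensitive, end-anchored regex."""
    pieces = re.split(r"(\[email\]|\[id\])", pattern)
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in pieces)
    return re.compile(body + r"\Z", re.IGNORECASE)


# Longest pattern first so ".[teroda@bigmir.net].master" wins over plain ".master".
COMPILED = sorted(
    ((pat, variant, pattern_to_regex(pat)) for pat, variant in EXTENSION_PATTERNS.items()),
    key=lambda t: -len(t[0]),
)


def classify(filename):
    """Return (kind, variant, pattern) for an indicator hit, or None."""
    if filename.lower() in RANSOM_NOTES:
        return ("ransom_note", "BTCWare", filename)
    for pattern, variant, rx in COMPILED:
        if rx.search(filename):
            return ("encrypted", variant, pattern)
    return None


def scan_tree(root):
    """Walk root and return [(relative_path, kind, variant, pattern)] for hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            verdict = classify(fn)
            if verdict is not None:
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append((rel.replace(os.sep, "/"), *verdict))
    return hits


# Constructed sample file names for the demo; not taken from a real infection.
SAMPLE_FILES = [
    "Documents/invoice.docx.[teroda@bigmir.net].master",
    "Documents/photo.jpg.[decryptorx@cock.li]-id-A1B2C3.wyvern",
    "Documents/db.bak.[black.world@tuta.io].nuclear",
    "Documents/HELP.hta",
    "Documents/report.pdf",
    "Documents/master.plan.txt",   # contains "master" but not as the final extension
]


def run_demo():
    """Create the sample tree in a temp directory, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_tree(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Run it against a real path with scan_tree("C:/Users") or a mounted image root; the end-anchored regexes avoid flagging files that merely contain a variant name mid-filename, and the most-specific-pattern-first ordering gives the most useful variant label when two patterns overlap.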

  • The Bleeping Computer forums have more information about BTCWare here.
  • Bleeping Computer provides a free decryption tool for BTCWare here. (Note: Files encrypted by the .aleta version of BTCWare may not be decryptable for free at this time.)

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
