BTCWare

BTCWare, also known as CrptXXX and CryptoByte, targets Windows OS and is distributed manually via Remote Desktop Protocol (RDP) compromise.

Extensions appended to encrypted file names:
.btcware, .cryptobyte, .cryptowin, .[sql772@aol.com].theva, .onyon, .xfile, .master, .[<bitcoinaddress>@bitmessage.ch], .[teroda@bigmir.net].master, .aleta, .crypton, .gryphon, .payday

Ransom note file names:
#_HOW_TO_FIX_!.hta, READ ME.txt, #_HOW_TO_FIX.inf, .!#_DECRYPT_#!.inf, !#_RESTORE_FILES_#!.INF, .HELP.txt, !! RETURN FILES !!.txt

Email addresses associated with BTCWare:
no.xm@protonmail.ch, yedeksecurty@gmail.com, yedekveri258@gmail.com, lineasupport@protonmail.com, gladius_rectus@aol.com, gladius_rectus@india.com, alekstraza@bigmir.net

Telegram usernames associated with BTCWare:
@decryps

Malware executables associated with BTCWare:
mfskskfkls.exe, <ransom>.exe, czsdxxs.exe

Ransom demand:
0.5 Bitcoin

UPDATE 5/16/2017: BTCWare master key was released and the free decryption tool linked below has been updated to include most versions of this variant.

UPDATE 7/5/2017: The free decryption tool provided by Bleeping Computer has been updated to decrypt files from the most recent versions of BTCWare.

UPDATE 8/11/2017: A new version of BTCWare, dubbed Gryphon, was spotted in the wild. This version appends .crypton or .gryphon to the names of encrypted files and drops a ransom note named HELP.txt. There is no free decryption tool available for Gryphon at this time.

UPDATE 8/28/2017: A new version of BTCWare, dubbed Nuclear, was discovered appending .[email_address].nuclear to the names of encrypted files and dropping a ransom note named HELP.hta. Associated email addresses include black.world@tuta.io. There is no free decryption tool available for Nuclear at this time.

UPDATE 9/22/2017: A new version, dubbed Wyvern, was discovered appending .[email]-id-[id].wyvern to the names of encrypted files and dropping a ransom note named HELP.hta. Associated email addresses include decryptorx@cock.li. There is no free decryption tool available for Wyvern at this time.

UPDATE 12/06/2017: A new version, dubbed Shadow, was discovered appending .[email]-id-id.shadow to the names of encrypted files. Associated email addresses include paydayz@cock.li. There is no free decryption tool available for Shadow at this time.

The Bleeping Computer forums have more information about BTCWare here.
Bleeping Computer provides a free decryption tool for BTCWare here. (Note: Files encrypted by the .aleta version of BTCWare may not be able to be decrypted for free at this time.)

Image Source: PCrisk.com

Ransomware VariantsNJCCICMay 3, 2017BTCWare, CrptXXX, CryptoByte

BTCWare

NJ CYBERSECURITY & COMMUNICATIONS INTEGRATION CELL

PO Box 091

Trenton, NJ 08625

CONTACT US

Email: njccic@cyber.nj.gov

Phone: 1-833-4-NJCCIC (1-833-465-2242)