BTCWare, also known as CrptXXX and CryptoByte, targets Windows OS and is distributed manually via Remote Desktop Protocol (RDP) compromise.

Extensions appended to encrypted file names:
.btcware, .cryptobyte, .cryptowin, .[].theva, .onyon, .xfile, .master, .[<bitcoinaddress>], .[].master, .aleta

Ransom note file names:
#_HOW_TO_FIX_!.hta, READ ME.txt, #_HOW_TO_FIX.inf, .!#_DECRYPT_#!.inf, !#_RESTORE_FILES_#!.INF

Email addresses associated with BTCWare:,,,, decrypt

Telegram usernames associated with BTCWare:

Malware executables associated with BTCWare:
mfskskfkls.exe, <ransom>.exe, czsdxxs.exe

Ransom demand:
0.5 Bitcoin

UPDATE 5/16/2017: BTCWare master key was released and the free decryption tool linked below has been updated to include most versions of this variant.

UPDATE 7/5/2017: The free decryption tool provided by Bleeping Computer has been updated to decrypt files from the most recent versions of BTCWare.

  • The Bleeping Computer forums have more information about BTCWare here.
  • Bleeping Computer provides a free decryption tool for BTCWare here. (Note: Files encrypted by the .aleta version of BTCWare may not be able to be decrypted for free at this time.)

Image Source: