BTCWare joins the list of decrypted ransomware

May 24, 2017 19:45 GMT

While the world was taken by storm by the WannaCry ransomware, other strains were out there doing quite a bit of damage, including the BTCWare ransomware. Thankfully, however, folks from Avast have come up with a decryption tool which is available for free.

Paying the ransom for any malware that encrypts the files on your computer should never be done, except in dire cases. After all, every time someone pays, the attackers get the incentive to continue doing what they're doing. Victims of the BTCWare ransomware have a way out, however, as the security researchers from Avast built a free decryption tool.

The BTCWare ransomware began spreading a couple of months ago and thus far five variants have been spotted. You can tell them apart by the extension of the encrypted files:

- Foobar2000.docx.[[email protected]].heva
- foobar.docx.[[email protected]].cryptobyte
- foobar.bmp.[[email protected]].cryptowin
- foobar.bmp.[[email protected]].btcware
- foobar.docx.onyon

As Avast's security researchers note, BTCWare has used the FileName.Extension.[Email].Ext2 file-naming scheme since it was first observed. Recently, a new variant called Onyonware was discovered; it does not include a contact email address in the file name.

How does BTCWare work?

Once the ransomware infects the computer, it generates a random password which is then used to create the encryption key. The password is then encrypted with a public key and presented as a User ID in the ransom files.

After all files have been encrypted, the ransomware replaces the desktop wallpaper with the ransom note and drops a note in each folder explaining how to get your files decrypted, threatening that if the attackers don't receive an email within three days, the key will be deleted and the files will no longer be decryptable.

Although a couple of weeks ago the master private key was made public, Avast doesn't use it because it does not work on all variants. Instead, the decryptor they built uses brute force to retrieve the password.
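To make the two points above concrete, the following added example (not Avast's decryptor and not BTCWare's actual code) models the scheme the article describes: a random password is turned into a file-encryption key, and recovery works by enumerating candidate passwords until one decrypts a known original/encrypted file pair. The password alphabet, length, key derivation (SHA-256) and the hash-based XOR stream cipher are all assumptions chosen so the script runs offline in a few seconds; the real malware's parameters are not stated on the page. The point it demonstrates is the defender's one: when the key is derived from a short password, the "User ID" (the RSA-encrypted password) is irrelevant to recovery, because the password space itself can be searched.

```python
import hashlib
import itertools
import string

# Assumed password space: lowercase letters and digits, at most 3 characters.
# This is a toy size so the search finishes quickly; it is not BTCWare's real one.
ALPHABET = string.ascii_lowercase + string.digits
MAX_PASSWORD_LEN = 3


def derive_key(password: str) -> bytes:
    """Assumed key derivation: the file key is simply SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(data: bytes, password: str) -> bytes:
    """XOR the data with the keystream derived from the password."""
    ks = keystream(derive_key(password), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# XOR with the same keystream undoes the encryption.
toy_decrypt = toy_encrypt


def recover_password(original_sample: bytes, encrypted_sample: bytes,
                     max_len: int = MAX_PASSWORD_LEN):
    """Brute-force recovery as a decryptor would do it.

    Given one file the victim still has in original form (e.g. a sample
    document, a known file header) and its encrypted counterpart, try every
    password in the assumed space until decryption reproduces the original.
    Returns the password, or None if the space is exhausted.
    """
    for length in range(1, max_len + 1):
        for candidate in itertools.product(ALPHABET, repeat=length):
            password = "".join(candidate)
            if toy_decrypt(encrypted_sample, password) == original_sample:
                return password
    return None


def search_space_size(max_len: int = MAX_PASSWORD_LEN) -> int:
    """Number of candidates a full search must cover (why short passwords fail)."""
    return sum(len(ALPHABET) ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # Constructed sample: a known file header, as a victim might still have it.
    known_original = b"%PDF-1.4 constructed sample"
    # Constructed "infection": a random 3-character password, unknown to the victim.
    encrypted = toy_encrypt(known_original, "k7q")

    print("candidates to search:", search_space_size())
    recovered = recover_password(known_original, encrypted)
    print("recovered password:", recovered)
    print("decrypts correctly:", toy_decrypt(encrypted, recovered) == known_original)
```

Once the password is recovered from a single known pair, every other file encrypted under it can be decrypted without any further searching, which is why a decryptor only needs one original/encrypted file pair from the victim. The lesson for detection and response is the same one the article draws: keep an unencrypted copy of at least one file (backups, or a file with a standard header) and do not pay.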