Where current ransomware typically acts like a business with their own dedicated customer support web site, KeyBTC instead uses a collection of free or open source software to encrypt the infected computer's data and e-mail to communicate with the victim. Previous variants of this infection were targeting Russian speaking countries, but over the last week it has started to target other regions and has changed its ransom note from Russian to English. Once a computer has been infected and its data is encrypted, the only way to recover the files is to pay a ransom to the malware developer who will then send the computer's decryption key.
Read.txt Ransomware Instructions
How files will appear after being encrypted
The encrypted files containing the computer's decryption keys and other assorted information are then stored as File1.bin and File2.bin on the Windows desktop. The ransomware will now display the Read.txt screen shown above, which contains instructions on sending an email to keybtc@inbox_com to find out the ransom amount. These same instructions also tell you to attach File1.bin, File2.bin, and one encrypted file to this email. The malware developer can then use their master decryption key to recover the computer's encryption keys from File1.bin and send back the decrypted copy of the file you sent to prove they can do so.
What makes this ransomware so brilliant is that the malware developer never needs to store the decryption keys generated on each infected computer. Instead these decryption keys are stored in an encrypted file that stays on the computer. The developer only needs to keep one master decryption key that only they possess. This master decryption key can then be used to decrypt the computer's encrypted key file once the ransom is paid, and that key file can in turn be used to decrypt the computer's files.
What makes this ransomware so dangerous is that it is extremely portable and does not have a Command & Control server for the authorities to seize. The developer only has to know one key that can be stored on a USB key and carried around with them. They also can decrypt an infected computer's encryption key file from any computer and send it via email. That means it’s very hard for the authorities to track them and seizing a server used by the developer won't provide any decryption keys for the infected users.
Unfortunately there is currently no way to restore the encrypted files unless you have a backup. This is because the ransomware securely deletes the original files and clears all of the computer's shadow volume copies. Therefore, if you plan on paying the ransom or hope that one day the authorities will retrieve the master decryption key, it is important for you to save the File1.bin and File2.bin files found on the Windows desktop. The File1.bin file contains the computer's encrypted key file and File2.bin contains other assorted information that may be useful later.
Finally, to prevent installation you can use Symantec's NoScript tool. NoScript.exe will disable the Windows scripting host on the computer so that you are unable to launch JS files like the ones this ransomware uses. This could cause interference with normal programs, so you can always revert the changes with the same tool if necessary.
Symantec's NoScript Tool
As always, since this program operates out of the %Temp% folder, using a tool like CryptoPrevent will also make it so the ransomware cannot be run. We have a special deal on CryptoPrevent here for BC users: 30% off CryptoPrevent and dMaintenance Home Edition from Foolish IT
Advanced Technical Information
- The open source GnuPG program, which is used to encrypt the user's files with PGP/RSA encryption.
- SDelete from Microsoft to delete the user's original files in a way that makes them unrecoverable.
- A Windows command script that executes the commands that encrypt the user's data and leave the ransom note.
- An ad-clicker Trojan that constantly clicks on ads in the background.
When it has finished encrypting any data files, the script will then encrypt the secring.gpg file that contains the computer's unique encryption and decryption key. This file is encrypted with the developer's master public key, which is the same for every infected computer and whose private half is known only by the developer. This makes it so the user cannot decrypt their files using the decryption key stored in the secring.gpg file. It will then create the File1.bin and File2.bin files that contain a list of the encrypted files, the computer's encrypted decryption key, the date they were encrypted, the computer name, and other information, and then encrypt these two files with the same master public key.
Master Public Encryption key only known by malware developer
Finally, the ransomware will display the READ.TXT file from the Windows desktop, which contains instructions on sending an email to email@example.com to find out the ransom payment amount and how to make the payment. A screenshot of the READ.TXT file can be seen above. The instructions also state that you need to send the File1.bin (computer's encrypted key file), File2.bin (assorted information), and one encrypted file as attachments in the email. The developer will then use their master decryption key to decrypt the computer's secring.gpg file in order to send you back a decrypted copy of the file you sent. This is to prove that they are able to do so.
Once you pay the ransom, the developer will send back the decrypted secring.gpg file and instructions on how to use it to decrypt the computer's files.
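Because File1.bin, File2.bin and every encrypted user file are GnuPG output, an analyst can read the OpenPGP packet headers to confirm that and to recover the key ID of the public key they were encrypted to, which lets responders check whether the same master key appears across infections. The parser below is an added example, not code from the article or from the malware; it follows the RFC 4880 packet format and runs on a constructed sample with a placeholder key ID (real GnuPG output will show the developer's encryption subkey ID, or all zeros if the recipient was hidden).

```python
"""List the recipient key IDs from an OpenPGP-encrypted file (e.g. File1.bin).
Added example for analysis; constructed sample input, placeholder key ID."""
import struct

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880 5.1)

def _read_header(buf, pos):
    """Parse the packet header at pos -> (tag, body_start, body_len or None)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None       # partial body length (streamed data)
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:
        return tag, pos + 1, None       # indeterminate length
    nbytes = 1 << ltype                 # 1, 2 or 4 length octets
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")

def recipient_key_ids(buf):
    """Return the hex key IDs of all PKESK packets, in order of appearance."""
    ids, pos = [], 0
    while pos < len(buf):
        tag, start, length = _read_header(buf, pos)
        if length is None:              # data packet reached; PKESKs precede it
            break
        if tag == PKESK_TAG:
            body = buf[start:start + length]
            if body[0] != 3:
                raise ValueError("unsupported PKESK version %d" % body[0])
            ids.append(body[1:9].hex().upper())   # 8-byte key ID after version
        pos = start + length
    return ids

# Constructed sample: old-format PKESK (0x84 = tag 1, 1-byte length 14) with
# placeholder key ID 0123456789ABCDEF, RSA (algo 1) and a dummy 16-bit MPI,
# followed by a new-format SEIPD packet (0xD2 = tag 18) holding 4 dummy bytes.
SAMPLE = (bytes([0x84, 0x0E, 0x03]) + bytes.fromhex("0123456789ABCDEF")
          + bytes([0x01, 0x00, 0x10, 0xAB, 0xCD])
          + bytes([0xD2, 0x04, 0x01, 0x00, 0x00, 0x00]))

if __name__ == "__main__":
    print(recipient_key_ids(SAMPLE))    # ['0123456789ABCDEF']
```

On a real sample run it over the raw file bytes; `gpg --list-packets` gives the same information when GnuPG is available.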
Files associated with CoinVault:
%AppData%\Microsoft\Windows\coinvault.exe
%Temp%\0.Tu
%Temp%\BITC43F.tmp
%Temp%\FILE1.BIN
%Temp%\FILE2.BIN
%Temp%\KEYS\
%Temp%\KEYS\BACKUP_22984-FILE1.BIN
%Temp%\KEYS\FILE2.BIN
%Temp%\READ.TXT
%Temp%\SDELTEMP
%Temp%\fBitroIiVU.cmd
%Temp%\ntservice.exe
%Temp%\qqhVfbJF.keybtc
%AppData%\FILE1.BIN
%AppData%\FILE2.BIN
%Desktop%\FILE1.BIN
%Desktop%\FILE2.BIN
%Desktop%\READ.TXT
%UserProfile%\FILE1.BIN
%UserProfile%\FILE2.BIN
Registry entries associated with CoinVault:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp %Temp%\READ.TXT
HKCU\Software\Sysinternals\SDelete