Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BitCryptor ransomware in the wild from the same creators as CoinVault


  • Please log in to reply
34 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:23 AM

Posted 12 May 2015 - 04:36 PM

Introducing BitCryptor, another new encrypting ransomware from the creators of CoinVault. BitCryptor is essentially the same exact infection as CoinVault other than a user interface change. This ransomware encrypts your files using AES 256 encryption and demands 1 bitcoin in order to decrypt your files. At this time there is no way to decrypt your files for free. Unfortunately, the Kaspersky site for CoinVault keys will not work with this infection.

 

bitcryptor.jpg



When BitCryptor is first started it will delete all shadow volume copies on the computer so that you are unable to restore your files from them. It will then set the Windows wallpaper to %Temp%\wallpaper.jpg and begin encrypting your files. When BitCryptor encrypts your files it will do so using certain rules. These are:
  • BitCryptor will not encrypt any files found in the program files,appdata,programdata,boot,windows,winnt,recycle.bin,downloads,all users, or temp folders.
  • It will encrypt all files regardless of the extension if the folder contains the pictures or backup strings.
  • Otherwise it will encrypt any files that match the following extensions: .odt,.ods,.odp,.odm,.odc,.odb,.doc,.docx,.docm,.wps,.xls,.xlsx,.xlsm,.xlsb,.xlk,.ppt,.pptx,.pptm,.mdb,.accdb,.pst,.dwg,.dxf,.dxg,.wpd,.rtf,.wb2,.mdf,.dbf,.psd,.pdd,.pdf,.eps,.ai,.indd,.cdr,.dng,.3fr,.arw,.srf,.sr2,.mp3,.bay,.crw,.cr2,.dcr,.kdc,.erf,.mef,.mrw,.nef,.nrw,.orf,.raf,.raw,.rwl,.rw2,.r3d,.ptx,.pef,.srw,.x3f,.der,.cer,.crt,.pem,.pfx,.p12,.p7b,.p7c,.jpg,.png,.jfif,.jpeg,.gif,.bmp,.exif,.txt,.tc,.mov,.mp4,.rar,.zip,.iso,.vsdx,.3ds, and .c4d
Furthermore, while Bitcryptor is running it will terminate any process that contains the following keywords:
 
shadow,cmd,processhacker,mbam,sh4,spyhunter,msconfig,taskmgr,roguekiller,rstrui,regedit,procexp
As always we suggest you practice good computer safety to protect your computer from being infected with this ransomware. This means only open attachments that you are expecting and make sure you keep all your programs and Windows updated.

We also suggest a behavior detection program such as CryptoMonitor and HitmanPro: Alert. CryptoMonitor was able to prevent this infection without any updates and I am sure HitmanPro: Alert will be able to do soon, if not already.

If any new information is released on this ransomware, we will be sure to post about it here.


Known BitCryptor Files:
%Temp%\BitCryptorFileList.txt
%Temp%\wallpaper.jpg
%UserProfile%\filelist.locklst
%UserProfile%\sfile
Known BitCryptor Ransomware Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BitC	"%UserProfile%\bclock.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*BitC	"%UserProfile%\bclock.exe"
HKCU\Control Panel\Desktop\Wallpaper	"%Temp%\wallpaper.jpg"


BC AdBot (Login to Remove)

 


m

#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:02:23 AM

Posted 12 May 2015 - 04:47 PM

It's the second thread today about a new Cryptoware. This is getting really out of hands.

unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Cody Johnston

Cody Johnston

    Bleepin' Adware Hunter


  • Security Colleague
  • 26 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 12 May 2015 - 04:49 PM

It's the second thread today about a new Cryptoware. This is getting really out of hands.

 

The worst part is these were the notable ones, for each of these there are a dozen more.



#4 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:in a basement
  • Local time:04:53 PM

Posted 12 May 2015 - 05:18 PM

This is starting to get bad. The more money people pay up to these hackers, the more it will encourage them to make more and more forms of ransomware. But some people need these files and the only way to get them back is to pay up and as aura said this is getting really out of hands


they call me te java mayster


#5 devdaniel

devdaniel

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 12 May 2015 - 05:21 PM

Will probably take until AES flaws (if any) are well known before this type of ransomware stops becoming profitable :\



#6 buddy215

buddy215

  • BC Advisor
  • 12,130 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:23 AM

Posted 12 May 2015 - 05:55 PM

Grinler....

The links in this sentence...We also suggest a behavior detection program such as CryptoMonitor and HitmanPro: Alert. when clicked return to this topic page.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#7 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:23 AM

Posted 12 May 2015 - 06:02 PM

Sorry..fixed

#8 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:23 AM

Posted 13 May 2015 - 12:09 AM

Looks like it also tries to prevent the user from removing it by killing commonly used tools for removal.

#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:02:23 AM

Posted 13 May 2015 - 05:23 AM

I like the fact that it wants to kill that scam:

spyhunter


unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 gatto

gatto

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 13 May 2015 - 08:59 AM

ok I did pay to get my files back, and I did, it will create 2 file after you pay ..the first is a text file with the decryption key and instructions, the second is a .rar file with a decrition tool just in case some file didnt decripted.



#11 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:23 AM

Posted 13 May 2015 - 09:06 AM

ok I did pay to get my files back, and I did, it will create 2 file after you pay ..the first is a text file with the decryption key and instructions, the second is a .rar file with a decrition tool just in case some file didnt decripted.


The backup decryptor looks like this, correct?

backup-decrypter.jpg



#12 gatto

gatto

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 13 May 2015 - 09:13 AM

yes



#13 neiremaove

neiremaove

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 13 May 2015 - 04:55 PM

A better option than paid is to launch a kickstarter to hire a private detective to accommodate this bleep and pay a henchman to stick him a bullet in the neck



#14 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:in a basement
  • Local time:04:53 PM

Posted 14 May 2015 - 03:19 AM

correct me if I'm wrong, but couldn't you just get the bitcrypt decrypter (the .rar one) from someone who paid and use it on you're computer?

edit: never mind just looked at the phto properly, turns out you need a key...


Edited by awesomecooldude101, 14 May 2015 - 03:20 AM.

they call me te java mayster


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:02:23 AM

Posted 14 May 2015 - 05:27 AM

edit: never mind just looked at the phto properly, turns out you need a key...


You need a private key for pretty much every Cryptoware. Hence why someone can't just pay the ransom once and give the decrypter to everyone else. Sure, you now have the a decrypting utility for your files, but without the private key used for their encryption, it's useless.

unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users