Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Stolen Azure AD key offered widespread access to Microsoft cloud services

Featured Deal: This deal gets you a refurbished 128GB Macbook Air for under $265

Latest Buyer's Guide: Best Comcast VPNs to prevent throttling

BitStak Ransomware Help & Support Topic (.bitstak)

Started by Demonslay335 , Jul 07 2016 10:25 AM

Please log in to reply

3 replies to this topic

#1 Demonslay335

Ransomware Hunter

Security Colleague
4,763 posts
OFFLINE

Gender:Male
Location:USA
Local time:06:45 PM

Posted 07 July 2016 - 10:25 AM

A new ransomware was discovered by MalwareHunterTeam that calls itself BitStak.

Victim's files are encrypted and renamed seemingly random names with the extension ".bitstak" appended. Folders are also renamed and have the extension added. For example, the file "Penguins.jpg" may be renamed "xfZdSbZU.aXd.bitstak".

When encryption has finished, the following screenlocker is shown.

The following folders are targeted.

C:/Program Files/
C:/Program Files (x86)/
C:/Users/ + UserName + /AppData/Roaming/
C:/Users/ + UserName + /Documents/
C:/Users/ + UserName + /Downloads/
C:/Users/ + UserName + /Videos/
C:/Users/ + UserName + /Music/
C:/Users/ + UserName + /Pictures/
C:/Users/ + UserName + /Desktop/
D:/
E:/
F:/
G:/
I:/
J:/
K:/

The following extensions are targeted.

.txt, .doc, .exe, .dat, .bat, .vb, .zip, .7z, .rar, .jar, .mp3, .wav, .save, .mp4, .cfg, .flv, .php, .com, .db, .bin, .reg

If you or someone you know has been hit by this ransomware, please post here.

~~I do not recommend paying the ransom.~~ :wink:

A decrypter is available here: http://www.bleepingcomputer.com/download/bitstakdecrypter/

Edited by Grinler, 28 July 2016 - 09:57 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Demonslay335

Ransomware Hunter

Topic Starter

Security Colleague
4,763 posts
OFFLINE

Gender:Male
Location:USA
Local time:06:45 PM

Posted 07 July 2016 - 02:29 PM

I am releasing a decrypter for this ransomware. It will also rename files and folders that were changed. This tool will need to be ran on the infected system from the affected profile currently - I can add functionality to select an offline drive if needed.

Simply hit Decrypt Files, and the decrypter will do the rest. Optionally, you may check File -> Delete Encrypted Files to have the program delete the encrypted version of files when they have been successfully decrypted. A log file will be created with details on files and folders that were decrypted/renamed.

https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip

Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.

Edited by Demonslay335, 17 January 2017 - 06:48 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

Back to top

#3 CosmicCollider

Members
1 posts
OFFLINE

Gender:Male
Local time:04:45 PM

Posted 11 October 2016 - 01:54 PM

Hey there, thanks so much for all of your decryption programs! Very helpful. Several of yours are being blocked by google chrome as unsafe, including this one, and also by our firewall web filtering software. Any idea why that is happening? In particular, this one is blocked by google chrome as unsafe when you try and download it.

Back to top

#4 Demonslay335

Ransomware Hunter

Topic Starter

Security Colleague
4,763 posts
OFFLINE

Gender:Male
Location:USA
Local time:06:45 PM

Posted 11 October 2016 - 02:07 PM

Hey there, thanks so much for all of your decryption programs! Very helpful. Several of yours are being blocked by google chrome as unsafe, including this one, and also by our firewall web filtering software. Any idea why that is happening? In particular, this one is blocked by google chrome as unsafe when you try and download it.

I obfuscated my code to help protect it against the bad guys seeing how I decrypted it. Unfortunately, this leads to false positives alot since it's the same tactics the malware devs use. I don't have $$$ to buy a certificate to sign my own code and convince AV vendors to whitelist them. If it's downloaded from BleepingComputer, it is safe.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.