
BTCLocker (BTC) Ransomware Support Topic - .btc, BTC_DECRYPT_FILES.txt


15 replies to this topic

#1 TechGuru11

  • Members
  • 94 posts

Posted 03 November 2016 - 11:26 AM

Hello,
 
I used ID Ransomware and it could not determine the variant. The ransom note is here: https://www.sendspace.com/file/iri3l9 and here is an encrypted file: https://www.sendspace.com/file/zw1kav
 
Extensions are .btc (also tried the Jigsaw decryptor).
 
Thanks in advance.


#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,590 posts
  • Location:USA

Posted 03 November 2016 - 11:30 AM

Ah, so you were the one submitting that one a few times. Saw it on the early warning system and put a hunt out for it this morning. :)

 

We have not found any samples of the malware yet. Any chance you can locate it or the infection vector? It definitely is something new.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 TechGuru11
  • Topic Starter

  • Members
  • 94 posts

Posted 04 November 2016 - 09:00 AM

This was my first post on the topic :)

 

I think I figured out what this is: it's the same dev as the one with the .scl extension, which is not decryptable I believe. This hacker also will increase the bitcoin amount after you pay, so I would advise anyone to be very careful or not pay.



#4 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,590 posts
  • Location:USA

Posted 04 November 2016 - 09:31 AM

I know you haven't posted here, but I got alerts on that ransom note. When a text-looking file goes unidentified on ID Ransomware, it searches for any key words or address patterns that look like a potential ransom note, and alerts our team. :)

 

I've added detection for it now that will point victims to this topic.

 

It is also notable that the extension is all-caps ".BTC".

 

The only ransomware with a ".scl" I have listed in ID Ransomware is CryptoMix, with the pattern ".id_<id>_email_<email>.scl".




#5 TechGuru11
  • Topic Starter

  • Members
  • 94 posts

Posted 04 November 2016 - 11:16 AM

Ah I see, that's cool you get alerts for that. And yes you are correct. This is the format: horseracing handicapping workbook.xls.id_c46fb2e69d9affd0_email_cx9@post.com_.scl

 

The dev is definitely the same. I can tell from how they communicate via email with onetimesecret messages and the same format of the password they give as well as the signatures. I don't think it will be recoverable unfortunately. 
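Demonslay335 describes, in outline, how ID Ransomware flags an unidentified text file as a possible ransom note (keyword and address patterns) and lists the CryptoMix extension pattern that TechGuru11's file name then confirms. The script below is an added example written for this thread; it is not ID Ransomware's own code, and the keyword list, the weights and the threshold are assumptions chosen for illustration. The sample note text and the benign text are constructed; the ".scl" pattern and the ".BTC" extension are the ones named in the posts above.

```python
import re

# Constructed sample inputs for this example (not taken from the thread).
SAMPLE_NOTE = """ALL YOUR FILES HAVE BEEN ENCRYPTED!
To decrypt your files send 1 bitcoin to 1BoatSLRHtKNngkdXEeobR76b53LETtpyT
and contact us at: helpdesk@example.com
"""
SAMPLE_BENIGN = "Quarterly sales meeting notes: review Q3 numbers, plan Q4 budget.\n"

# Words that cluster in ransom notes; each distinct keyword found adds 1 to the score.
# The word list, the weights and the threshold are assumptions made for this example.
RANSOM_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "private key", "payment")
KEYWORD_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in RANSOM_KEYWORDS) + r")\b", re.IGNORECASE
)
# Contact and payment address patterns typical of notes: legacy Bitcoin addresses and
# Tor hidden-service hosts weigh 2 each, e-mail addresses weigh 1.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
NOTE_THRESHOLD = 3


def score_note(text):
    """Score a text file as a potential ransom note and list the indicators found."""
    keywords = sorted({m.lower() for m in KEYWORD_RE.findall(text)})
    btc = BTC_ADDRESS_RE.findall(text)
    onion = ONION_RE.findall(text)
    emails = EMAIL_RE.findall(text)
    score = len(keywords) + 2 * len(btc) + 2 * len(onion) + len(emails)
    return {
        "score": score,
        "keywords": keywords,
        "btc_addresses": btc,
        "onion_hosts": onion,
        "emails": emails,
        "is_note": score >= NOTE_THRESHOLD,
    }


# Extension patterns from the thread: CryptoMix's ".id_<id>_email_<email>.scl" (the sample
# file name posted above carries a trailing "_" before ".scl", so one is allowed) and the
# ".BTC" extension of this topic (reported as all-caps; compared case-insensitively here).
CRYPTOMIX_SCL_RE = re.compile(r"\.id_([0-9a-f]+)_email_([^_]+)_?\.scl$", re.IGNORECASE)


def classify_filename(name):
    """Map an encrypted file name to the family its extension pattern points to."""
    m = CRYPTOMIX_SCL_RE.search(name)
    if m:
        return {"family": "CryptoMix (.scl)", "victim_id": m.group(1), "email": m.group(2)}
    if name.lower().endswith(".btc"):
        return {"family": "BTCLocker (.BTC)", "extension": name[name.rfind("."):]}
    return {"family": "unknown"}


if __name__ == "__main__":
    for label, text in (("note", SAMPLE_NOTE), ("benign", SAMPLE_BENIGN)):
        print(label, score_note(text))
    for fname in ("invoice.pdf.BTC", "workbook.xls.id_c46fb2e69d9affd0_email_cx9@post.com_.scl"):
        print(fname, "->", classify_filename(fname))
```

The scoring is deliberately additive rather than keyword-only: a single word like "encrypted" appears in plenty of legitimate documents, but a payment address next to a contact e-mail and two or three of these words rarely does, which is why the address patterns carry more weight than any single keyword.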



#6 FrankyG

  • Members
  • 5 posts

Posted 19 December 2016 - 08:42 AM

I just got hit with this virus as well. Any luck with decryption yet?



#7 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,590 posts
  • Location:USA

Posted 19 December 2016 - 09:24 AM

We haven't found a sample of the malware to analyze yet. Do you know how you got infected, and can you locate the malicious executable?



#8 FrankyG

  • Members
  • 5 posts

Posted 19 December 2016 - 09:32 AM

Demonslay335

 

I have the executable. Just ran a very interesting test on another PC. I can send you the files.



#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,070 posts
  • Location:Virginia, USA

Posted 19 December 2016 - 09:59 AM


Samples of suspicious executables (installer, malicious files) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#10 FrankyG

  • Members
  • 5 posts

Posted 19 December 2016 - 10:08 AM

I will upload the files tomorrow when I get back to the office. I also discovered both the public and private keys on the PC I tested the virus on today. Will upload those as well.

#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,070 posts
  • Location:Virginia, USA

Posted 19 December 2016 - 11:20 AM

Ok.

#12 FrankyG

  • Members
  • 5 posts

Posted 20 December 2016 - 12:25 AM

quietman7

 

I have uploaded the exe file. 



#13 Struppigel

    Karsten Hahn, G DATA Malware Analyst

  • Malware Response Team
  • 231 posts

Posted 20 December 2016 - 02:40 AM

Hi FrankyG.

 

This is the file you submitted: https://virustotal.com/en/file/1f366a3b20b4d07d4a70e9f04c2509115eee5f470ba5631db85197f8cf284fcf/analysis/

 

The ransomware is called BTCLocker and comes as a tool that has to be operated manually by choosing options on the command line. That makes it likely that the system is infected by a backdoor and the attacker used that backdoor and the BTCLocker command line tool to encrypt the files.

 

The malware will place both key files named key.public and key.private on the desktop. Can you still find those files on your system? The attacker might have forgotten them by chance. If you run the malware file you can choose between encryption and decryption. I would actually suggest that you backup the encrypted files, then run this ransomware again, choose decrypt and see if that works.

 

Best regards

Karsten
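Struppigel's post gives a responder two concrete things to look for before anything else is touched: the key.public and key.private files the tool drops on the desktop (the only route to recovery if the attacker left them behind) and the files carrying the .BTC extension. The script below is an added example written for this thread, not G DATA's or BleepingComputer's code: it walks a directory tree, reports those artifacts together with the BTC_DECRYPT_FILES.txt note named in the topic title, and copies any key files into an evidence folder with their SHA-256 so they survive later cleanup. The user-profile layout and the file contents it builds in a temporary directory are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Artifact names reported in the thread.
KEY_FILES = {"key.public", "key.private"}
NOTE_NAME = "BTC_DECRYPT_FILES.txt"
ENC_EXT = ".btc"  # reported as all-caps ".BTC"; compared case-insensitively below


def triage_tree(root):
    """Walk root and collect key files, ransom notes and encrypted files by name."""
    findings = {"key_files": [], "notes": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in KEY_FILES:
                findings["key_files"].append(path)
            elif name == NOTE_NAME:
                findings["notes"].append(path)
            elif name.lower().endswith(ENC_EXT):
                findings["encrypted"].append(path)
    return findings


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_key_files(findings, evidence_dir):
    """Copy every key file into evidence_dir, keeping timestamps, and record its hash.

    Returns a list of (original_path, copy_path, sha256) tuples.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for src in findings["key_files"]:
        src_hash = sha256_file(src)
        dst = evidence_dir / f"{src.name}.{src_hash[:12]}"
        shutil.copy2(src, dst)  # copy2 preserves mtime, useful for the timeline
        records.append((src, dst, sha256_file(dst)))
    return records


def build_sample_tree():
    """Constructed fixture (not real victim data): a fake profile whose Desktop holds the
    two key files and the note, plus two encrypted documents. Returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="btclocker_triage_"))
    desktop = root / "Users" / "victim" / "Desktop"
    docs = root / "Users" / "victim" / "Documents"
    desktop.mkdir(parents=True)
    docs.mkdir(parents=True)
    (desktop / "key.public").write_bytes(b"-----FAKE PUBLIC KEY-----\n")
    (desktop / "key.private").write_bytes(b"-----FAKE PRIVATE KEY-----\n")
    (desktop / NOTE_NAME).write_text("constructed ransom note text\n")
    (docs / "budget.xlsx.BTC").write_bytes(b"\x00" * 64)
    (docs / "letter.docx.BTC").write_bytes(b"\x01" * 64)
    (docs / "readme.txt").write_text("unrelated clean file\n")
    return root


def run_demo():
    """Build the fixture, triage it, preserve key material, and return a count summary."""
    root = build_sample_tree()
    try:
        findings = triage_tree(root)
        records = preserve_key_files(findings, root / "evidence")
        summary = {kind: len(paths) for kind, paths in findings.items()}
        summary["preserved"] = len(records)
        return summary
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real system the root would be the user profiles directory and the evidence folder would sit on separate media; the point of hashing at copy time is that the digest recorded then can be compared against any later copy handed to an analyst.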



#14 FrankyG

  • Members
  • 5 posts

Posted 20 December 2016 - 05:24 AM

Karsten

 

The exe file was the only file left on the system. Both private and public key were removed from the system. 

 

Just running the decryption at this stage "decrypts" the files and it is shown as the original file extensions again on the system, but it cannot be opened and remains corrupt.



#15 Struppigel

    Karsten Hahn, G DATA Malware Analyst

  • Malware Response Team
  • 231 posts

Posted 20 December 2016 - 10:40 AM

In that case you can only wait for someone to publish a decrypter.

Fabian just told me that BTCLocker is a Radamant variant.





