Btcware Ransomware (.btcware #_HOW_TO_FIX_!.hta READ ME.txt) Support Topic


99 replies to this topic

#1 david0353

david0353

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 10 April 2017 - 04:39 PM

Demonslay335 has released a decrypter for this ransomware, it can be found here:

 

https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip

 

If the bruteforcer is unable to find a key with the files you have provided, it will ask if you'd like to decrypt files up to the file size of the files you provided it. For example, if you provided an encrypted file and its original that were 20MB each, then the decrypter will be able to decrypt files 20MB and smaller. It will skip any files larger than the files you give it.

 

In the example below, I gave it a file pair where each file was 1,270,896 bytes.

 

[Screenshot of the decrypter's prompt omitted]

 

Simply press Yes, then close the dialogue, and select a directory to decrypt. The larger the file pair you provide it, the larger the files it will be able to decrypt; don't worry about the bruteforcer taking longer to try, it only grabs 16B from each file for trying to get a key.

 

If you already know the bruteforcer wasn't able to get a key before, you may go straight to this option by starting the bruteforcer, and then press "Cancel". This option will only be available for versions of the malware that this trick will work on (currently .[<email>].btcware, .[<email>].cryptobyte, and .onyon).

 

We're hoping to get a sample of the malware so we can support recovering the actual key but hope this helps people at least decrypt some of their more important files.

 

 

 

Hello,
 
Well, I guess someone opened the wrong email, but not sure what happened.
 
Every file has been encrypted with extension .btcware. So far I've done this:
 
1. Uploaded a sample to https://id-ransomware.malwarehunterteam.com. Results here:
https://id-ransomware.malwarehunterteam.com/identify.php?case=37402b9692fb97f6ba6cc9f998db8a1d6570d333
 
2. Above result led me to this topic:
http://id-ransomware.blogspot.com.co/2017/01/gog-ransomware.html
 
3. At first (about a week ago), every file on desktop was encrypted. Currently, I've noticed that files are not being encrypted anymore (put a .txt file on desktop and is still there after some restarts).
 
4. I tried to find a topic here with no luck, so I'm starting this one. Any help is appreciated. :)
 
I have samples from encrypted files and note.
 
Thanks.


Edited by xXToffeeXx, Yesterday, 10:12 AM.
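The two behaviours described in the post above (testing candidate keys against only 16 bytes, and a fallback that decrypts other files only up to the size of the supplied pair) are what a keystream-style cipher gives you. The following is an added illustration and not the BTCWare decrypter's own code: it assumes ciphertext = plaintext XOR keystream with the keystream derived from a key, and uses a constructed SHA-256 toy keystream in place of the real cipher.

```python
import hashlib
import itertools

def toy_keystream(key, length):
    """Constructed stand-in keystream (SHA-256 counter mode over the key);
    models a keystream cipher, not BTCWare's real algorithm."""
    out = b""
    for ctr in itertools.count():
        out += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        if len(out) >= length:
            return out[:length]

def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def find_key(plain, cipher, candidates, sample=16):
    """Test each candidate key against only the first 16 bytes of the pair,
    as the bruteforcer does; a bigger pair does not slow the search down."""
    target = xor(plain[:sample], cipher[:sample])
    for key in candidates:
        if toy_keystream(key, sample) == target:
            return key
    return None

def recover_keystream(plain, cipher):
    """Fallback when no key is found: plaintext XOR ciphertext is the keystream,
    but only for as many bytes as the known pair contains."""
    return xor(plain, cipher)

def decrypt(cipher, key=None, keystream=b""):
    """With a key, any size decrypts. With only a recovered keystream, a file
    longer than it is skipped (None): that is the size limit the tool warns about."""
    if key is not None:
        return xor(cipher, toy_keystream(key, len(cipher)))
    if len(cipher) > len(keystream):
        return None
    return xor(cipher, keystream)

def demo():
    """Constructed sample data: a 42-byte known pair and a 100-byte file."""
    true_key = b"constructed-key"
    original = b"Quarterly report 2017 - confidential draft"
    encrypted = xor(original, toy_keystream(true_key, len(original)))
    big_enc = xor(b"B" * 100, toy_keystream(true_key, 100))
    found = find_key(original, encrypted, [b"wrong1", b"constructed-key", b"wrong2"])
    ks = recover_keystream(original, encrypted)
    return {"found_key": found, "big_with_key": decrypt(big_enc, key=found),
            "big_with_keystream_only": decrypt(big_enc, keystream=ks),
            "small_with_keystream_only": decrypt(encrypted[:10], keystream=ks)}
```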



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:38 PM

Posted 10 April 2017 - 04:54 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto malware experts with analysis and investigation.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Amigo-A

Amigo-A

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:38 AM

Posted 11 April 2017 - 01:04 AM

Hello david0353!

There is also a description of BTCWare as a variation of CrptXXX, but little information.
Do you have the original ransom notes?
These are #_HOW_TO_FIX_!.hta and READ ME.txt

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#4 ronaldmirello

ronaldmirello

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 11 April 2017 - 04:01 AM

I think I am able to restore your files. Send me a private message for encrypted files.



#5 david0353

david0353
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 11 April 2017 - 10:30 AM

Thank you guys, I already submitted a sample file and the two notes to https://www.bleepingcomputer.com/submit-malware.php?channel=168



#6 Amigo-A

Amigo-A

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:38 AM

Posted 11 April 2017 - 11:12 AM

david0353

I do not see it there. I need to send it personally.
Only the two ransom notes. Other files are not necessary.
My email is in your PM.

Edited by Amigo-A, 11 April 2017 - 11:12 AM.



#7 Amigo-A

Amigo-A

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:38 AM

Posted 12 April 2017 - 02:45 PM

Thank you, David

 

Added a BTCWare Ransomware description.

It was seen earlier:

https://www.bleepingcomputer.com/forums/t/631963/new-ransomware/

Identical ransom note (100%), similar email address.




#8 diireno

diireno

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 18 April 2017 - 05:04 PM

One of my clients is suffering a ransomware infection. I have uploaded a file and the note to the ID Ransomware site. Will edit to add more information. I was able to recover what I believe is the virus. Let me know if an expert needs a copy for analysis.

 

The extension on all files is [no.xm@protonmail.ch].cryptobyte

 

The note reads as follows:

All your files have been encrypted
If you want to restore them, write us to the e-mail: no.xm@protonmail.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

FREE DECRYPTION AS GUARANTEE
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 10Mb

Attention!
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss

Your ID:

OJtKiIc9ssVEIfoNoxjTYsQZCdTcZcfRK0/lb6xzO1SkqRj88CNHXT5uX1jtwL5fvq1xD1zPBYhU5aU0wOCUxLoAaLwcNcPzNFkjlQE47QSNeluEf9o8Vw4Oh/f1e30ozdHTCtTgpg7YPw0eOUv4c+BpYq2QdIrAYocVxkTl5zo=

 


Edited by diireno, 18 April 2017 - 05:17 PM.


#9 diireno

diireno

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 18 April 2017 - 05:08 PM

CrptXXX
This ransomware is still under analysis.

Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.

Identified by

  • ransomnote_filename: #_HOW_TO_FIX.inf
Click here for more information about CrptXXX


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:38 PM

Posted 18 April 2017 - 05:27 PM

Rather than have everyone with individual topics, I merged yours with the appropriate support topic.

#11 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,888 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:38 PM

Posted 01 May 2017 - 09:32 AM

Victims may contact me for help with this ransomware.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#12 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,888 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:38 PM

Posted 03 May 2017 - 09:49 AM

Thanks to huge help from mauronz, I've been able to create a decrypter for this ransomware.

 

[Screenshot of the decrypter omitted]

 

https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip

 

In order to derive your key, you will need an encrypted file and its original. Go to Settings -> Find Key to load the files, and start the bruteforce. Once it finds a key, close the dialog and the key will be loaded, ready for decrypting a selected directory.

 

Currently, the decrypter supports the extensions .[<email>].cryptobyte, .[<email>].cryptowin, .[<email>].theva, .onyon* and .[<email>].btcware. I am actively searching for other extensions of this malware to test against.

 

*Please see this post for more information about decrypting the .onyon variant: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4244649

 

The credit for actually cracking this ransomware goes to mauronz, I just helped put it into a prettier package. :)


Edited by Demonslay335, 21 May 2017 - 10:59 PM.



#13 diireno

diireno

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 03 May 2017 - 04:56 PM

There is a flaw in the decrypter. It isn't searching out the encrypted files if the top directory is empty. It's not browsing folders.



#14 diireno

diireno

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 03 May 2017 - 05:06 PM

There are directories like Program Files that it will only scan the files in the top directory and not scan any of the inside folders. I am having to go through each folder one at a time to decrypt everything. I don't mind doing it, but it would be helpful if that was fixed.


Edited by diireno, 03 May 2017 - 05:35 PM.


#15 checker123

checker123

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:38 PM

Posted 03 May 2017 - 05:56 PM

[Screenshot omitted]

Stop bruteforce

RSA private key:

Decrypt your ID with this private key.
Format of the decrypted ID:
MEDIA-AESPASSWORD-DATE




