Demonslay335 has released a decrypter for this ransomware; it can be found here:
If the bruteforcer is unable to find a key with the files you have provided, it will ask if you'd like to decrypt files up to the filesize of the files you provided it. For example, if you provided an encrypted file and its original that were 20MB each, then the decrypter will be able to decrypt files 20MB and smaller. It will skip any files larger than the files you give it.
In the example below, I gave it a file pair where each file was 1,270,896 bytes.
Simply press Yes, then close the dialog, and select a directory to decrypt. The larger the file pair you provide, the larger the files it will be able to decrypt; don't worry about the bruteforcer taking longer to try, it only grabs 16B from each file when trying to get a key.
If you already know the bruteforcer wasn't able to get a key before, you may go straight to this option by starting the bruteforcer and then pressing "Cancel". This option will only be available for versions of the malware that this trick will work on (currently .[<email>].btcware, .[<email>].cryptobyte, and .onyon).
We're hoping to get a sample of the malware so we can support recovering the actual key but hope this helps people at least decrypt some of their more important files.
I'm getting overwhelmed with requests asking the same questions. Please read my posts; I won't be able to respond to each individual for a while here.
If the decrypter tells you it could not derive a key or keystream, then it is the AES version of the malware, and I cannot decrypt your files*.
*The exception is if you did not reboot the server since infection and have the .master variant. I have a slim chance of acquiring a key by extracting some information from your server. I am still experimenting with this method, and have not had a successful case yet, so I would not bank on it. Only PM me if this is your case, and you have not rebooted. I will then respond with instructions when I am able to; do not reboot until you have followed my instructions. If you have rebooted, then there is nothing I can do to decrypt your files.
.blocking is different, and is completely secure; there is no way to decrypt it at all. The only chance is if the RSA private keys are leaked for each variant (there are about 4 or 5 of them total that I'm aware of so far).
As for "...an inexplicable reason my PC was encrypted by BTC Ransomeware..."... they hack RDP. Simple as that. Use stronger passwords for every account that has RDP privileges, put it completely behind a firewall, and use VPN only. And have better backups while you're at it.
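To illustrate the fallback described in the instructions above (no key found, but files up to the size of the supplied pair can still be decrypted), here is an added example that is not part of the decrypter or of any post in this thread. It models the one property those instructions imply: a keystream that is the same for every file, so that XORing a known original with its encrypted copy yields as many keystream bytes as that pair is long, which is enough to decrypt any other file of that size or smaller and nothing larger. The cipher, keystream, file names and contents are all constructed for the demo; the real BTCWare routine and the 16-byte key brute force the post mentions are not reproduced here.

```python
import os
import tempfile
from typing import Optional, List, Tuple

# Constructed toy model (NOT the real BTCWare cipher): every file is XORed
# with the same keystream, which is exactly the situation in which a
# known plaintext/ciphertext pair recovers the keystream up to its length.


def toy_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Encrypt under the toy model: XOR with the shared keystream."""
    if len(plaintext) > len(keystream):
        raise ValueError("toy model: keystream shorter than file")
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext recovery: keystream byte i = original[i] XOR encrypted[i].
    Only len(pair) bytes of keystream can be learned, hence the size limit."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copy must be the same size")
    return bytes(o ^ c for o, c in zip(original, encrypted))


def decrypt_with_keystream(encrypted: bytes, keystream: bytes) -> Optional[bytes]:
    """Decrypt if the recovered keystream covers the whole file; otherwise
    return None, mirroring the decrypter skipping files larger than the pair."""
    if len(encrypted) > len(keystream):
        return None
    return bytes(c ^ k for c, k in zip(encrypted, keystream))


def decrypt_directory(dir_path: str, keystream: bytes,
                      ext: str = ".btcware") -> Tuple[List[str], List[str]]:
    """Decrypt every *ext file under dir_path that fits the keystream.
    Returns (written output paths, skipped input paths). Originals are kept."""
    done, skipped = [], []
    for root, _dirs, files in os.walk(dir_path):
        for name in files:
            if not name.endswith(ext):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            plain = decrypt_with_keystream(data, keystream)
            if plain is None:
                skipped.append(path)
                continue
            out_path = path[:-len(ext)]  # strip the appended extension
            with open(out_path, "wb") as fh:
                fh.write(plain)
            done.append(out_path)
    return done, skipped


def demo() -> Tuple[int, int]:
    """End-to-end run on constructed files in a temp directory.
    Returns (number decrypted, number skipped)."""
    keystream = bytes((i * 37 + 11) & 0xFF for i in range(64))  # constructed
    pair_plain = b"Known original file content, 32B"  # 32 bytes, the supplied pair
    assert len(pair_plain) == 32
    pair_enc = toy_encrypt(pair_plain, keystream)
    recovered = recover_keystream(pair_plain, pair_enc)  # 32 keystream bytes

    with tempfile.TemporaryDirectory() as tmp:
        small = b"fits in 32 bytes"                 # 16 bytes: decryptable
        large = b"L" * 48                           # 48 bytes: skipped
        for name, content in (("notes.txt", small), ("photo.jpg", large)):
            with open(os.path.join(tmp, name + ".[mail].btcware"), "wb") as fh:
                fh.write(toy_encrypt(content, keystream))
        done, skipped = decrypt_directory(tmp, recovered)
        with open(done[0], "rb") as fh:
            assert fh.read() == small
        return len(done), len(skipped)


if __name__ == "__main__":
    print("decrypted, skipped:", demo())
```

The lesson is the same one the post states: supply the largest original/encrypted pair you have, because the recovered keystream, and so the set of files you can get back, is never longer than that pair.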
Well, I guess someone opened the wrong email, but not sure what happened.
Every file has been encrypted with extension .btcware. So far I've done this:
1. Uploaded a sample to https://id-ransomware.malwarehunterteam.com. Results here:
2. Above result led me to this topic:
3. At first (about a week ago), every file on the desktop was encrypted. Currently, I've noticed that files are not being encrypted anymore (I put a .txt file on the desktop and it is still there after some restarts).
4. I tried to find a topic here with no luck, so I'm starting this one. Any help is appreciated.
I have samples of encrypted files and the note.
Edited by quietman7, 08 June 2017 - 01:19 PM.