Users that have had their files encrypted via older versions of the BTCWare ransomware can recover their files for free after security researchers created a decrypter for this ransomware family. Work on this decrypter started at the end of April.

Following the release of an initial version of th BTCWare Decrypter at the start of the month, a user released the master decryption key for the BTCWare ransomware on the BleepingComputer forums. While we don't know if this user — calling himself checker123 — is the author of the BTCWare ransomware or a member of a competing ransomware squad sabotaging their competition, we're happy either way. We suspect that checker123 is the ransomware's author, even if he never responded to our request for comment.

BTCWare is a very active ransomware strain

The BTCWare ransomware made its presence felt on the malware scene at the start of March when security researchers MalwareHunter and Karsten Hahn stumbled upon its first version, known initially as CrptXXX.

CrptXXX ransom note
CrptXXX ransom note

A new version — which we later start calling BTCWare or CryptoByte — appeared a week later, and a new variant after that.

BTCWare ransom note
BTCWare ransom note

While not as prevalent as Cerber or Spora, BTCWare was more successful than most people thought. Based on this infection graphic provided by the ID-Ransomware service, the ransomware averaged around ten infections per day, which would have put it on par with some of its more famous brethren, such as Sage and Locky.

BTCWare infections statistics
BTCWare infections statistics
Ransomware infection stats at the start of April 2017
Ransomware infection stats at the start of April 2017

Since its appearance, we've seen three major BTCWare version, recognizable via the file extension they added at the end of the files they encrypted.

.[< email address >].btcware
.[< email address >].cryptobyte
.[< email address >].cryptowin
.[< email address >].theva

For two of these, security researcher Francesco Muroni had already created a script that could brute-force the encryption and obtain a decryption key. The two variants were .btcware and .crptobyte. Since the script was hard to use by regular users via the command line, security researcher Michael Gillespie created a nice GUI.

BTCWare Decrypter

After checker123 released the BTCWare master key — a universal decryption key for all victims — Gillespie tested its validity and discovered it worked on .btcware and .cryptowin variants.

This means there's now a way to decrypt the first three major BTCWare versions, either by using the master decryption key or by using the previous method of brute-forcing the encryption scheme.

Over the past two weeks, Gillespie has worked to update the previous BTCWare Decrypter to include the master key released today by checker123, altought by the time the researcher finished optimizing the decrypter, he discovered a way to brute-force the third version as well.

Currently, the BTCWare Decrypter uses the brute-forcing method by default, as it is more reliable. Users affected by BTCWare can use this decrypter to recover their files.Users can download the decrypter by clicking here. Below are Michael's instructions:

In order to derive your key, you will need an encrypted file and it's original. Go to Settings -> Find Key to load the files, and start the bruteforce. Once it finds a key, close the dialog and the key will be loaded, and ready for decrypting a selected directory.

Decrypter will be updated with support for Onyonware

This article was initially written on May 4 but was not published as Gillespie worked to optimize the decrypter. Further, as time went by, it became apparent why the BTCWare master key leaked on our forum.

The BTCWare author(s) updated their ransomware with a new version just days later, on May 9, a version that appends the ".[< email >].theva" file extension at the end of encrypted files. Furthermore, yesterday, on May 15, he/they also created and launched a new ransomware named Onyonware.

In hindsight, releasing the master key for the older BTCWare versions was not that damaging to their operation. Ransomware authors sometimes release master decryption keys when they're done with one ransomware variant. This is mostly because of good will and because by that point, they moved on to a new ransomware version, and victims who intended to pay the ransom for an older version, had already paid up.

Today, on Twitter, Gillespie confirmed the BTCWare Decrypter can be adapted to support Onyonware. The researcher is still investigating if he can adapt it to work with the fourt BTCWare version, the .theva version.

Forum post by cipher123

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCcLarR70p/JVvcJLtMAux3+xw7pftUqJE/mQGgz8FZTf5svodM
KZBVo6T9gcE9cFR9DsrIWhQ4PmbYbkxqL1f4Kdi/SXSZplZ+ZJ0JzRAW/0PPe+i+
obKQjPr25iTqQDfP73aXpg2N8N9uiw5oh/nCgjnP4zinN17U4Sdmal2eywIDAQAB
AoGAUI/GA9DZrsiIoABalRUVAbcIk0RFZyAk/JdinZ9Nb1GqIlIN3J28FFD7tMEP
+y9Mhc3xkHPW5kRaLN6IkGWnjE9B6mGyjFzT6qHo1TpIVvslo6gEcqlPrPZMzrxh
S1OrIsM7jRmtO9rKwHZnGmABilb6Fktg+jS+1PuGA/SdZIECQQDMnu9KMUUrk6LD
ZYVmhBun380QuEfWdJqRoyJx2qxu+1pFFQrmhNYy7fjqwDqj9l6qJkhzjhuGE39m
viOLltSrAkEAw2TXxQHjD8IHblz6V9/U2JcK9pXXVN1BpcoT52DixaGkR6G3uJhS
JcJdCWbIzY2xmIYMN/PObLGQ+ysfzeEeYQJANZvGMXfrGVmaoPquEoe1/ythPGor
WAJApLtKwO17k7ACnGrA6lgPDlTOjCJEusRHVOimvq+SgnQFQtO52E5x9QJAVPrL
2PPsJBNYFgi8HHHN6XEvpHUg1Njxz0AnDe+WUSvu/fR4qgEdYSy6N/eLB9NDVTmf
oMoZki5cBtEHoQvyoQJAaPblJj1ltbmKrKzIihD0gP2Kv0FY++EfhUcw089K5t5C
5U4Gk3cHq1qvflDWYw2Y4cZblC/mCConK5mEHEFjAg==
-----END RSA PRIVATE KEY-----