BTCWareDecrypter

Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version.

The BTCWare author announced this leak on the Bleeping Computer forum thread that offers support for victims of BTCWare infections. BTCWare is one of the most active ransomware families today, which you can easily tell by the size of the support forum threat that has now reached 20 pages, compared to other ransomware support threads that are only 1-2 pages long.

The crook made his announcement on June 30, saying he plans to officially release the private decryption key in five days, but agreed to provide Gillespie with a copy of the private decryption key in advance after the researcher reached out to verify his identity.

Forum posts from BTCWare author

For the past few days, Gillespie has worked to update his previous BTCWareDecrypter to support the new private key.

Gillespie says the private key he received from the BTCWare author allows the recovery of data from four versions of BTCWare ransomware.

BTCWare versions are tracked based on the file extension they add at the end of encrypted files. Below is a list of all the BTCWare file extensions Gillespie's decrypter can handle.

.[< email address >].btcware
.[< email address >].cryptobyte
.[< email address >].cryptowin
.[< email address >].theva
.[< email address >].onyon
.[< email address >].master
.onyon
.xfile

The last four extensions are the ones for which Gillespie added support, while the first four are from a previous version of the decrypter, released in mid-May when the BTCWare author also leaked another private key.

The BTCWare author has made a habit of releasing decryption keys whenever he moves to a new version of his ransomware and abandons old campaigns.

The author's mode of operation was confirmed once more when on July 2 Gillespie spotted a new BTCWare ransomware version that uses a new extension ( .[< email >].aleta ) and tries to call itself Aleta Ransomware.

BTCWare ransomware has a bug

Gillespie also warns users that the BTCWare ransomware also has a bug that affects how his decrypter works.

"There's a bug with the malware," Gillespie told Bleeping Computer yesterday in a private conversation. "If a file is less than 10MB and is encrypted, [the BTCWare ransomware] uses padding wrong. So when it's decrypted, there's up to 16B of garbage added at the end of small files that I can't do anything about. Files over 10MB are completely fine.

"My decrypter will warn if it detects this to be the case," Gillespie added.

Users who want to recover files locked by one of the above-mentioned BTCWare versions can download the BTCWareDecrypter app from here. The latest version is v1.1.0.1.

Users who don't know what type of ransomware has locked their data can use the ID-Ransomware service to identify the ransomware.

How to Decrypt Files Encrypted with the Master Extension

Victims of the Master BTCWare Ransomware variant can be identified by their files being encrypted and renamed to the format of [filename].[email_address].master. For example, a file named test.jpg renamed and encrypted by the Master variant as test.jpg.[xwa@protonmail.ch].master.

You can see an example of a folder of encrypted files below:

Master Encrypted Files
Master Encrypted Files

I have also included a full list of email address thanks to Michael Gillespie of ID-Ransomware at the end of this article.

To decrypt files encrypted by the Master ransomware, you need to first download Michael's BTCWare Decrypter from https://www.bleepingcomputer.com/download/btcwaredecrypter/ and save it to your desktop.

Once downloaded, extract the zip file and double-click on the BTCWareDecrypter.exe icon on your desktop. The program will load and you will be presented with the main screen shown below.

BTCWare Decrypter
BTCWare Decrypter

Before starting, you need to make sure that you are using version 1.1.0.1, which supports the keys recently released for the Master variant. To check the version of the decryption tool, you can look at the bottom right of the decryptor window as shown in the image above.

When you are ready to decrypt your files, we first need to select a ransom note. Click on the Settings menu and then select Decrypt Key File or Note. This will bring up a Open dialog box.  In the bottom right of the dialog box is a drop down menu, which you should change to Ransom Note as shown in the image below.

Select Ransom Note
Select Ransom Note

You will now be shown the ransom notes in the selected folder. Select a ransom note, which in my test was called !#_RESTORE_FILES_#!.inf, and then click on the Open button.

You will now be back at the main BTCWareDecrypter screen, but the private key for your encrypted files will now be loaded and ready to be used to decrypt your files.

Key Loaded
Key Loaded

You should now click on the Select Directory button and select the drive you wish to decrypt.

Select Drive
Select Drive

Once a drive is selected, click on the OK button. Once again, you will be back at the main decrypter screen, but this time the Decrypt button will be available.

Decrypt Available
Decrypt Available to Use

To begin decrypting your files, click on the Decrypt button. The decrypter will now begin to decrypt your files as shown below. This process can take quite a while, so please be patient while it decrypts the drive.

Decrypting Files
Decrypting Files

When finished the decryptor will display a count of the files that were decrypted and a warning about a bug in the ransomware that was described above.

Decryption Complete
Decryption Complete

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted Master files into one folder so you can delete or archive them.

You can now close the decryptor and use your computer as normal. If you need help using this decrypter, please ask in our BTCWare Help & Support Topic.

 

Known Master Email Addresses:

bahebah@protonmail.com
black.block@qq.com
corposcop@airmail.cc
cry-24hours@bigmir.net
crypthelp@qq.com
cryptoservice99@torbox.danwin1210.me
darkwaiderr@cock.li
decrsupports@cock.li
dudaryda@protonmail.ch
help@onyon.info
info45@get-flash-microsoft-player.com
info@zayka.pro
kraken@terrov.eu
kry.right@india.com
look1213@protonmail.com
newnintendoss@qq.com
niga@westcost.xyz
nkr.siger@india.com
onyon@protonmail.ch
pardon1@bigmir.net
predatorthre@bigmir.net
prt.nyke@protonmail.ch
smartstop@qq.com
teroda@bigmir.net
unlocking.guarantee@aol.com
vargbtc@protonmail.ch
walmanager@qq.com
westnigger@india.com
xwa@protonmail.ch