
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the ransomware's author leaked the private key for his latest version.
The BTCWare author announced this leak on the Bleeping Computer forum thread that offers support for victims of BTCWare infections. BTCWare is one of the most active ransomware families today, which you can easily tell by the size of the support forum thread, which has now reached 20 pages, compared to other ransomware support threads that are only 1-2 pages long.
The crook made his announcement on June 30, saying he plans to officially release the private decryption key in five days, but agreed to provide Gillespie with a copy of the private decryption key in advance after the researcher reached out to verify his identity.

For the past few days, Gillespie has worked to update his previous BTCWareDecrypter to support the new private key.
Gillespie says the private key he received from the BTCWare author allows the recovery of data from four versions of BTCWare ransomware.
BTCWare versions are tracked based on the file extension they add at the end of encrypted files. Below is a list of all the BTCWare file extensions Gillespie's decrypter can handle.
.[< email address >].btcware
.[< email address >].cryptobyte
.[< email address >].cryptowin
.[< email address >].theva
.[< email address >].onyon
.[< email address >].master
.onyon
.xfile
The last four extensions are the ones for which Gillespie added support, while the first four are from a previous version of the decrypter, released in mid-May when the BTCWare author also leaked another private key.
The BTCWare author has made a habit of releasing decryption keys whenever he moves to a new version of his ransomware and abandons old campaigns.
The author's mode of operation was confirmed once more when, on July 2, Gillespie spotted a new BTCWare ransomware version that uses a new extension (.[< email >].aleta) and tries to call itself Aleta Ransomware.
BTCWare ransomware has a bug
Gillespie also warns users that the BTCWare ransomware has a bug that affects how his decrypter works.
"There's a bug with the malware," Gillespie told Bleeping Computer yesterday in a private conversation. "If a file is less than 10MB and is encrypted, [the BTCWare ransomware] uses padding wrong. So when it's decrypted, there's up to 16B of garbage added at the end of small files that I can't do anything about. Files over 10MB are completely fine.
"My decrypter will warn if it detects this to be the case," Gillespie added.
Users who want to recover files locked by one of the above-mentioned BTCWare versions can download the BTCWareDecrypter app from here. The latest version is v1.1.0.1.
Users who don't know what type of ransomware has locked their data can use the ID-Ransomware service to identify the ransomware.
How to Decrypt Files Encrypted with the Master Extension
Victims of the Master BTCWare Ransomware variant can be identified by their files being encrypted and renamed to the format [filename].[email_address].master. For example, a file named test.jpg would be renamed by the Master variant to test.jpg.[xwa@protonmail.ch].master after encryption.
You can see an example of a folder of encrypted files below:

I have also included a full list of known email addresses, thanks to Michael Gillespie of ID-Ransomware, at the end of this article.
To decrypt files encrypted by the Master ransomware, you need to first download Michael's BTCWare Decrypter from https://www.bleepingcomputer.com/download/btcwaredecrypter/ and save it to your desktop.
Once downloaded, extract the zip file and double-click on the BTCWareDecrypter.exe icon on your desktop. The program will load and you will be presented with the main screen shown below.

Before starting, you need to make sure that you are using version 1.1.0.1, which supports the keys recently released for the Master variant. To check the version of the decryption tool, you can look at the bottom right of the decryptor window as shown in the image above.
When you are ready to decrypt your files, you first need to select a ransom note. Click on the Settings menu and then select Decrypt Key File or Note. This will bring up an Open dialog box. In the bottom right of the dialog box is a drop-down menu, which you should change to Ransom Note as shown in the image below.

You will now be shown the ransom notes in the selected folder. Select a ransom note, which in my test was called !#_RESTORE_FILES_#!.inf, and then click on the Open button.
You will now be back at the main BTCWareDecrypter screen, but the private key for your encrypted files will now be loaded and ready to be used to decrypt your files.

You should now click on the Select Directory button and select the drive you wish to decrypt.

Once a drive is selected, click on the OK button. Once again, you will be back at the main decrypter screen, but this time the Decrypt button will be available.

To begin decrypting your files, click on the Decrypt button. The decrypter will now begin to decrypt your files as shown below. This process can take quite a while, so please be patient while it decrypts the drive.

When finished, the decrypter will display a count of the files that were decrypted and a warning about the bug in the ransomware described above.

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted Master files into one folder so you can delete or archive them.
You can now close the decryptor and use your computer as normal. If you need help using this decrypter, please ask in our BTCWare Help & Support Topic.
Known Master Email Addresses:
Comments
DeltaDon - 7 years ago
Still unable to decrypt master files from black block at qq email address.
khk10 - 7 years ago
"Still unable to decrypt master files from black block at qq email address. "
Any updates?
Demonslay335 - 7 years ago
It ended up where something happened with his AV that wiped out the ransom note, leaving 0 bytes - so it was impossible to recover the key because it was left nowhere on the system. Have to have the encrypted key (Victim ID) in order to decrypt for this variant.
BonoV - 7 years ago
BTCWare Decryptor Version 1.1.0.13. Have the file FILES ENCRYPTED.txt on the desktop with the following text "To decrypt files, write to my email black.block@qq.com ore black.block@qq.com".
Decryptor says: "Unable to decrypt AES key, encrypted by another RSA key".
The files are decrypted like this: windows-version.txt.id-F88A798D.[black.block@qq.com].arena
Some chance to decrypt files?
Thanks.
Demonslay335 - 7 years ago
Your files were not encrypted by BTCWare, they were encrypted by CrySiS. If you uploaded an encrypted file to ID Ransomware, it will identify that for you. CrySiS is not decryptable, and you shouldn't have your RDP exposed to the world.
feralswain - 7 years ago
This successfully rescued my files that were encrypted with this extension:
.[stopstorage@qq.com].master
Perhaps stopstorage@qq.com should be added to the Known Master Email Addresses list.
Big thanks to Michael Gillespie and everyone.
domban - 7 years ago
Hi, it doesn't work for me when I do it by "find a key": [crypthelp@qq.com].master
But I think it is because I deleted !#_RESTORE_FILES_#!.inf a few days ago.
For someone for whom it has successfully worked, is it possible to send me !#_RESTORE_FILES_#!.inf?
Thank you
Demonslay335 - 7 years ago
The AES key is different per user. It is impossible to decrypt if you deleted all of your ransom notes. If it was the same for everyone, I would have just included the AES key...
domban - 7 years ago
Hi I find my ransom key deleted and your decrypter works very good !!!
Thanks again, you're a great man ;-)
Demonslay335 - 7 years ago
Great, glad to hear you were able to recover your files. Be sure to fix your backup scheme, and put RDP behind a VPN.
willhug - 7 years ago
I'm using the method above, downloaded the version of BTCWD 1.1.0.1, checked on id-ransomware.malwarehunterteam that my malware variant is decryptable, but receiving "Unable to decrypt AES key, encrypted by another RSA key" for files encrypted & renamed to *.[help@onyon.info].master
Demonslay335 - 7 years ago
Can you share your full Victim ID from the ransom note?
willhug - 7 years ago
BbY4mYQevscp1Br3GMhWcqH7+DIC82sfDcpKO4swHj+/o0REYaDVKzshM3ZZsbjBsu98Pvc+eWIoENLROZ5hVm/R9qliWpL8nw2klCwGTnrr/nQBXf4YVg3YaqrQYV7LvFfOMk6pe7qAFmwYj5c7BM5SR+Oh7x1z6+Uyi9oFdxM=
Demonslay335 - 7 years ago
I'm afraid the decrypter is correct. I tracked down a sample of the malware with that email address, and they used the same key as .aleta, so I'm afraid there is no way to decrypt your files at this time.
exekutive - 7 years ago
My computer was infected with ransomware on June 24. Encrypted files end with ".[help@cryptmaster.info].master". I tried this tool (1.1.0.1) to decrypt the key from ransom note, but it says "Unable to decrypt AES key, encrypted by another RSA key". I tried the "find key" function with an encrypted file, and an original backup I had, but it just says "No key found: unsupported version". I also got a positive result from the id-ransomware website.
aelbanna - 7 years ago
my server was hit with the Aleta Ransomware [black.mirror@qq.com].aleta, Is there a decryption key for this yet?
campuscodi - 7 years ago
Not yet. Not for this one. The author usually releases decryption keys every few months.
Make a copy/clone of the hard drive and hang tight
skyrex - 7 years ago
Also got hit by the [black.mirror@qq.com].ALETA.
I actually caught it in action. So I've got encrypted & un-encrypted samples, as well as the executable used to encrypt, and a copy of the encryption key to give them in return for the decryption key...
Is this information worth anything to anyone for the greater-good?
Lectrik - 7 years ago
Yep just hang tight!
I got hit with the BTCWare Master variant with every file being "<filename>.[newnintendoss@qq.com].master" on July 3rd because my dumbass left my software firewall (Tinywall) off and my RDP port open on default 3389 so some friends could play on a server I was hosting. I was fortunate enough to sit down at my computer while it was literally in the process of encrypting my files and was able to stop it by rebooting and closing the RDP for safety as soon as I noticed it. It still got pretty far. I have 12Tb of internal storage and 2 external 2Tb drives but gladly the external drives were turned off. The kicker was that one of my internal drives was my backup image drive so it was able to encrypt my Macrium backup images! Doh!
Shortly thereafter the key was released. And this 1.1.0.1 version does work (I tried practically every decrypter out there before this, including using an original and encrypted file to do brute force but without any success).
The bad thing about this particular variant is there is a padding bug with it, so many files end up with up to 16 bytes of garbage at the end. Some do, some don't. In a lot of cases it has no effect, e.g. with pictures, etc. There were a few files on one of my drives I didn't have a backup of, and although they were less important they did seem to all work just fine even with the padding error, except that anything that was a text file had some garbage at the end that I had to manually delete (or just ignore). Hopefully you don't have this issue.
Fortunately, once I had the key I was able to decrypt my backup files and the important stuff I was able to simply restore by restoring a drive directly or mounting my image and copying and pasting folders after deleting the encrypted folder (like My Documents for instance).
So lesson learned. This is the first time I have ever been hacked in any way successfully, I'm pretty anal about security most of the time. A word of warning, AVG did NOTHING to stop it. It was completely disabled and inert by the virus. I have now purchased Malwarebytes Pro which I've always used the free version in the past to remove viruses from other people's machines (and in this case from mine in safe mode).
I know this is long winded but my point is BACKUP OFTEN and externally or off-site! I love Macrium Reflect, it's my go to now and the image mounting feature is a Godsend. When you image your drives image to an external drive and then UNPLUG IT! I prefer to use an external dock with standard SATA desktop drives. Internal drives have really come down in price and I now have several of them in a fireproof case for backups and only have to have one dock which I can either remove the drive or simply turn off the switch.
Trust me, there's few things worse than seeing that not just your files but your backups have been encrypted right after thinking "Good thing I JUST made a backup!"
Demonslay335 - 7 years ago
Glad to hear you got your files back, but do not let an anti-malware lead you into a false sense of stopping someone who got in via RDP. If someone is in the system and has control of it, nothing on the planet will stop them from disabling whatever defenses you have in order to manually run their malware (except, you know, you pulling the plug). Do NOT have RDP exposed to the internet. Use a more secure remote solution if your buddies need to connect to play a game, such as TeamViewer. RDP should only be accessible on a LAN or via VPN.
kishorekumar690 - 7 years ago
Hello all,
I got hit by this .master ransomware and tried decryption but nothing positive. It seems my version of ransomware is a bit different from what I could see in the screenshots shared by you. I am also sharing my screenshots to make it easier to understand the type of ransomware.
https://drive.google.com/open?id=0B7E9rnf_vX_pcU1wZC1VZWdOUWM
I would be glad if somebody could just help in decrypting the files.
Thanks in advance.
Kishore Kumar
Demonslay335 - 7 years ago
Your files were encrypted multiples times over, possibly with different keys. Please zip up everything in that directory and share them with me via PM. The decrypter would be able to decrypt multiple layers if they were all the same key, but there may be a second key in the encrypted ransom note.
litesec - 7 years ago
also using look1213@cock.li
MtlSoft - 7 years ago
My customer was struck with .Aleta files.
We could recover most of it, but we don't have a key in the .inf file, so can't use the decrypter.
However, the hacker directly accessed the computer to start the infection, and left his Google account opened.
GFFYFORD@GMAIL.COM
Luc Gagnon 2:38 PM (18 hours ago)
Hi there. I see you illegally accessed our customer's server, and a ransomwar...
Geoffrey Radford 2:56 PM (17 hours ago)
Please don't am afrrraid!!! LMAO
Demonslay335 - 7 years ago
They stopped leaving the victim ID in the ransom note needlessly and drop it in key.aleta now. Still no way to decrypt it without their private RSA key, but they just made it harder for victims to give them what is needed to get the AES key...
alexrjcs - 7 years ago
I'm having the same problem, the description does not work for me, all my files were encrypted yesterday at 7:00 PM Brazil
Demonslay335 - 7 years ago
If you were encrypted recently, it is not the .master variant. They stopped using that extension about a week or two before the key was given to me from what I can tell. The .aleta variant cannot be decrypted without their new private RSA key.
alexrjcs - 7 years ago
I have the key generator that the criminal himself sent me so he can decrypt my files. Can that help?
https://www.sendspace.com/file/2v4tgz
I also have the encrypted file in another decryptofado
Demonslay335 - 7 years ago
That's just a scanner they give victims to find the ID, which is what's in your ransom note. Some variants store it in a file such as "aleta.key". It's still your key encrypted by their RSA public key; you have to give it to them in order for them to decrypt it with their private RSA-1024 key. It's of no real use.
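As an added illustration of the key-wrapping model Demonslay335 describes above (example code written for this page, not the decrypter's or the malware's code): each victim gets its own AES key, the criminal's RSA-1024 public key wraps it, and the base64 wrapped key is the "Victim ID" in the ransom note. OAEP padding and a 32-byte AES key are assumptions; the page does not state either. The Victim ID posted by willhug earlier in the thread is used only to show that it is exactly 128 bytes, the size of an RSA-1024 ciphertext.

```python
"""Per-victim AES key wrapped under an RSA-1024 public key; the base64
wrapped key is the "Victim ID" in the ransom note.  Assumed here (the page
does not say): OAEP padding and a 32-byte AES key.  Constructed example."""
from __future__ import annotations

import base64
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

RSA_BITS = 1024  # modulus size named in the thread
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

# Victim ID exactly as posted in the thread above (willhug's comment).
POSTED_VICTIM_ID = "BbY4mYQevscp1Br3GMhWcqH7+DIC82sfDcpKO4swHj+/o0REYaDVKzshM3ZZsbjBsu98Pvc+eWIoENLROZ5hVm/R9qliWpL8nw2klCwGTnrr/nQBXf4YVg3YaqrQYV7LvFfOMk6pe7qAFmwYj5c7BM5SR+Oh7x1z6+Uyi9oFdxM="


def make_keypair():
    """An RSA pair only its owner holds (until it is leaked, as happened
    with the .master key the decrypter now bundles)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=RSA_BITS)
    return priv, priv.public_key()


def make_victim_id(pub):
    """Fresh per-victim AES key, returned with its wrapped form (the note ID).
    The note is the only place the wrapped key lives: delete it and nothing
    remains to decrypt, even with the private key."""
    aes_key = os.urandom(32)
    return aes_key, base64.b64encode(pub.encrypt(aes_key, OAEP)).decode()


def unwrap_victim_id(victim_id: str, priv) -> bytes | None:
    """What a decrypter does with a leaked private key: recover the AES key,
    or None when the ID was wrapped under another RSA key or is garbled
    (the "Unable to decrypt AES key, encrypted by another RSA key" case)."""
    try:
        return priv.decrypt(base64.b64decode(victim_id, validate=True), OAEP)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_rsa1024_id(victim_id: str) -> bool:
    """Sanity check on a pasted ID: an RSA-1024 ciphertext is exactly 128 bytes."""
    try:
        return len(base64.b64decode(victim_id, validate=True)) == RSA_BITS // 8
    except ValueError:
        return False


def demo() -> dict:
    leaked_priv, pub = make_keypair()   # campaign whose key was leaked
    other_priv, _ = make_keypair()      # a later campaign with a new key pair
    aes_key, victim_id = make_victim_id(pub)
    return {
        "right_key_recovers": unwrap_victim_id(victim_id, leaked_priv) == aes_key,
        "other_key_fails": unwrap_victim_id(victim_id, other_priv) is None,
        "note_id_is_128_bytes": looks_like_rsa1024_id(victim_id),
        "posted_id_is_128_bytes": looks_like_rsa1024_id(POSTED_VICTIM_ID),
    }


if __name__ == "__main__":
    print(demo())
```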
geosedra - 7 years ago
I've BTCWare Master Identified by :
- ransomnote_filename: !#_RESTORE_FILES_#!.inf
- ransomnote_email: help@cryptmaster.info
- sample_extension: .[<email>].master
- victim id : oVUlZBji9W5sI9vhsAyHcgMPVJXAvUhwwLAXkikT8ZqIpkySqiy8TeYdKsP+3TFymJJNZmouBXFmBv3Ls9pEZLdyaYooHk2GzZYIynVnSj/Yn5TLfzCualKH1kAz8oEEGZRDMIGjBDLc+psRkUAM210d1v0Oaqe2NUEHDYoy0Uc=
encrypted file example : https://www.sendspace.com/file/l2n4k7
and BTCWareDecrypter 1.1.0.1 is not able to decrypt my files.
Demonslay335 - 7 years ago
I'm afraid that variant used the new RSA key (same as .aleta). There's no way to decrypt your AES key at this time.
alecardoso - 7 years ago
Any news regarding the ransomware with the .ALETA extension?
Demonslay335 - 7 years ago
No, .aleta is not decryptable. It can only be decrypted by the criminal's new RSA private key.
geosedra - 7 years ago
I found tracks for the criminal
he sent a post to
http://www.helpcommunity.com/ehelpapi.asp?cmd=WebSave
with data=2A0C02140000004D696E696D756D20726571756972656D656E74730D02140000004D696E696D756D20726571756972656D656E747311021500000054726F75626C6573686F6F74696E672053746570731202140000004D696E696D756D20726571756972656D656E747313020A00000045415F48656C705F554B15020E00000045415F48656C705F554B2E68746D1703740100003C3F786D6C2076657273696F6E3D22312E30223F3E0D0A3C21444F43545950452053595354454D20226568656C706F70742E647464223E0D0A3C46494C452D4F5054494F4E532046494C452D56455253494F4E3D2232222046494C452D4B45593D2232353233636539385F633137355F343462615F626336645F363635626663643937623063223E0D0A3C2F46494C452D4F5054494F4E533E0D0A3C4548454C502D4F5054494F4E5320464F524D41542D56455253494F4E3D22312E30223E0D0A203C4F5054494F4E5320454E41424C45443D225945532220454D4245444445443D2259455322204D41494E2D57494E444F572D4F4E4C593D224E4F2220434F4D4D554E4954592D4E4F544946593D224E4F222046495253542D504147453D224E4F542D534554223E0D0A203C2F4F5054494F4E533E0D0A203C425554544F4E2D4C4142454C3E5765625365617263680D0A203C2F425554544F4E2D4C4142454C3E0D0A3C2F4548454C502D4F5054494F4E533E18010400000002000000702A
Philip_G - 7 years ago
Hello,
I am unable to install this software on Windows Server 2008. is this compatible?
Demonslay335 - 7 years ago
.NET Framework 4.5.2+ is the only requirement for any of my decrypters. Sometimes you may have to run as administrator.
domban - 7 years ago
Yes, it works on Windows Server; you don't need to install it, just use it.
mzeeshan82 - 7 years ago
Dear All,
Please help me, .aleta virus infect our entire network and all network shares file infected this virus, we lost our all data, they left the note i apply btcware solution and all step in internet but we still no success, please please please if someone have key or any workable procedure please inform me earlier, thanks in advance our ransomware note and id mention below
[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: payfordecrypt@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
https://localbitcoins.com/buy_bitcoins
[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files
Your ID:
IQsww8mIPraUCI9CrOMFIIziuO3PqYO0xeRsZQ8JVGaygsPMoBm1agJV0kpr/CR2ZTkix3bfvKPupBek5kHoDpK8CSbItNrSkd0lVAsTKuOcd9ykxucPuBNlyBJBZZq9xdljvoyfyycYVv0gq1FfEHJ+BlJ5ESHOLGMjCF6lEEY=
tigro11 - 6 years ago
I met the following cryptolocker, I'm desperate, tell me there is a solution
this is the name of the infected file WRar550it.exe.id-78680E26.[stopstorage@qq.com].java
the computer has left the executable file that encrypts the data. I can keep it if it can help
Demonslay335 - 6 years ago
Currently distributed versions of CrySiS/Dharma are not decryptable. Do not leave RDP exposed to the world.
ade4ola77 - 3 years ago
I have kept a copy of my encrypted files since July 2017 hoping that the decryptor will be available one day. My files are encrypted with the [black.mirror@qq.com].aleta ransomware. I have downloaded Michael's decryptor version 1.1.0.17 which has the .aleta as one of the variants it can decrypt but for some reason, when I click on the Decrypt Key or Note to load the ransomware note, I get the error Unable to decrypt AES key, encrypted by another RSA Key.
Any help will be highly appreciated.
Demonslay335 - 3 years ago
Can you send me an encrypted file and your ransom note?
ade4ola77 - 3 years ago
"Can you send me an encrypted file and your ransom note?"
Here is the link to both the ransom note and the encrypted file.
https://drive.google.com/drive/folders/1vhC1r-Nycr2hyt_ocYNGGY5LOnqoyu44?usp=sharing