A new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .[email]-id-[id].wyvern extension to encrypted files. The BTCWare family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop services. Once they are able to gain access to a computer, they will install the ransomware and encrypt the victim's files.
If you find that are infected with this ransomware, do not shutdown your computer as there may be a way to decrypt it. Instead contact Michael Gillespie for instructions.
For the most part, this the Wyvern variant is almost identical to previous releases of BTCWare. The encryption methods remain the same and the ransom note is still named HELP.hta. The main difference is the contact email, which is now firstname.lastname@example.org.
The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .[email]-id-id.wyvern extension to encrypted file's name. For example, the current version will encrypt a file called test.jpg and rename it to test.jpg.[email@example.com]-id-89085061.wyvern.
You can see an example of an encrypted folder below.
If any new information or methods to decrypt the files becomes available, we will be sure to update this article.
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail firstname.lastname@example.org You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCitOoG+zT+UHs8xu7rCRSzj1XFlhatpoG4/dqLm45JWUMo1Usokd2KAOvZQQWIi6AtAqe2XwG3zsu3Mt97LzU/9t5lf30RuNP3y422gX6XvBATeDSyZObsjcx0TeV+r4WR563EsQp19YMAbr9hOfjwJwfzhZJ4ODbRcHBQyWab+wIDAQAB -----END PUBLIC KEY-----