A new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .[email]-id-[id].wyvern extension to encrypted files. The BTCWare family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop services. Once they are able to gain access to a computer, they will install the ransomware and encrypt the victim's files.

If you find that you are infected with this ransomware, do not shut down your computer, as there may be a way to decrypt it. Instead, contact Michael Gillespie for instructions.

What's New in the Wyvern Ransomware BTCWare Variant

For the most part, the Wyvern variant is almost identical to previous releases of BTCWare. The encryption methods remain the same and the ransom note is still named HELP.hta. The main difference is the contact email, which is now decryptorx@cock.li.

Wyvern Ransomware (BTCWare) Ransom Note

The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .[email]-id-[id].wyvern extension to the encrypted file's name. For example, the current version will encrypt a file called test.jpg and rename it to test.jpg.[decryptorx@cock.li]-id-89085061.wyvern.

You can see an example of an encrypted folder below.

Folder of Encrypted Wyvern Files
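
For responders scoping an infection, the naming pattern described above can be matched against a file listing collected from a suspect host to see which folders were hit and which contact email and ID were used. The Python below is an added example, not part of the original article; the function names, the sample paths and the assumption that the ID is alphanumeric are ours.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming scheme described in the article: <original>.[<email>]-id-<id>.wyvern
# Assumption: the id is alphanumeric (the article's only example is numeric).
WYVERN_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"-id-(?P<victim_id>[0-9A-Za-z]+)\.wyvern$",
    re.IGNORECASE,
)
RANSOM_NOTE = "help.hta"  # note name from the article, compared case-insensitively

def parse_wyvern_name(filename):
    """Split an encrypted file name into original name, contact email and id."""
    m = WYVERN_RE.match(filename)
    return m.groupdict() if m else None

def triage(listing):
    """Summarise a file listing (one Windows path per entry) from a suspect host."""
    report = {"encrypted": [], "notes": [], "emails": Counter(),
              "ids": Counter(), "dirs": Counter()}
    for raw in listing:
        path = PureWindowsPath(raw.strip())  # parses backslash paths on any OS
        if path.name.lower() == RANSOM_NOTE:
            report["notes"].append(str(path))
            continue
        hit = parse_wyvern_name(path.name)
        if hit:
            report["encrypted"].append((str(path), hit["original"]))
            report["emails"][hit["email"].lower()] += 1
            report["ids"][hit["victim_id"]] += 1
            report["dirs"][str(path.parent)] += 1
    return report

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Pictures\test.jpg.[decryptorx@cock.li]-id-89085061.wyvern",
    r"C:\Users\alice\Pictures\HELP.hta",
    r"C:\Users\alice\Documents\budget.xlsx.[decryptorx@cock.li]-id-89085061.wyvern",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\wyvern-article.pdf",
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{len(r['encrypted'])} encrypted file(s), {len(r['notes'])} ransom note(s)")
    for folder, count in r["dirs"].most_common():
        print(f"  {count:4d}  {folder}")
    print("contact emails:", dict(r["emails"]), "ids:", dict(r["ids"]))
```

HELP.hta is a generic file name shared with earlier BTCWare releases, so a note on its own is only corroborating evidence; the `.wyvern` suffix match is what ties a file to this variant.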

If any new information or methods to decrypt the files become available, we will be sure to update this article.



File Hashes:

SHA256: c3df259f21b7e204855f0d6cb9a193a5340c44183b1ee6dc9519a01efc9a2236

Filenames associated with the Wyvern Ransomware Variant:


Wyvern BTCWare Ransomware Ransom Note Text:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptorx@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
Also you can find other places to buy Bitcoins and beginners guide here: 
Do not rename encrypted files. 
Do not try to decrypt your data using third party software, it may cause permanent data loss. 
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 

Emails Associated with the Wyvern Ransomware:


Bundled Wyvern RSA Public Key:
