BitCryptor Ransomware

Posted: May 14, 2015

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	19

First Seen:	May 14, 2015
Last Seen:	August 17, 2022
OS(es) Affected:	Windows

BitCryptor Ransomware, also referred to as Bit Cryptor, is an updated variant of CoinVault, a file encryption Trojan. Although the BitCryptor Ransomware takes care to avoid damaging OS files, the BitCryptor Ransomware will encrypt and render unusable most non-essential files of popular formats. Like other Trojans of its ilk, the BitCryptor Ransomware uses its attacks as an initial step in demanding a ransom fee via Bitcoin. For their part, malware experts recommend alternative solutions, such as blocking or removing the BitCryptor Ransomware with anti-malware tools, as cheaper and more reliable than submitting to its ransom attempt.

The Consequences of Your Files getting Bit by the BitCryptor Ransomware

2014 saw the introduction of numerous variants of file encryptors, which differed from each other minimally in terms of their practical effects. However, their ill-intended dev teams continue to race ahead with the production of new offshoots, such as the BitCryptor Ransomware, which bases itself on last year's CoinVault Trojan. For its third parties, the benefits of the BitCryptor Ransomware are self-evident, with previous decryption tools available to the public no longer effective at reversing its file encrypting attacks.

In what is rapidly becoming the new norm for ransomware, the BitCryptor Ransomware deletes the backup data stored in the Windows Shadow Copy, which prevents any victims from rolling back its attacks. After taking that step, the BitCryptor Ransomware modifies your wallpaper to display its ransom message and proceeds with encrypting your files. The BitCryptor Ransomware avoids targeting files that meet the following criteria:

The BitCryptor Ransomware targets files only of specific formats, including (but not limited to) DOC, ODT, MP3, TXT, GIF, JPEG, and C4D. File types not included in its list are not encrypted.
The BitCryptor Ransomware avoids files directly related to running most programs, such as those stored in Appdata, Program Files, Windows or Winnt.
The BitCryptor Ransomware also eschews temporary files from the Temp folder, user settings files in All Users, the contents of the Recycle Bin and downloaded files stored in Downloads.

However, any files that do meet its criteria for selection will be encrypted by the BitCryptor Ransomware, using an AES standard that is impractical to break via manual, brute-force techniques. Any victims are intended to pay the BitCryptor Ransomware's Bitcoin fee to restore their files to normal, although, as in most cases, malware researchers find zero guarantees of this solution working. The BitCryptor Ransomware does provide a 'sample' file restoration feature, which may be used to restore a single file at no charge.

Shrugging Off a File Encryptor's File Hostages

Despite its newness to the threat scene, the BitCryptor Ransomware already is being countered by new developments from the anti-malware industry, with appropriate tools able to block its attacks and remove this threat. However, even for PC users who store their files in safe locations, such as USB devices, malware researchers warn that the BitCryptor Ransomware could be a security hazard. The BitCryptor Ransomware does monitor the infected PC's memory while active, and may terminate traditional security tools automatically, including, most significantly, default Windows applications like the Registry Editor and Task Manager.

Due to the difficulty of reversing file encryption-based attacks, it is typically simpler to use file backup strategies to avoid them entirely. The BitCryptor Ransomware's appearance in the threat industry also shows the importance of updating your anti-malware products whenever possible, and outdated security programs may be facing additional difficulties in identifying or deleting the BitCryptor Ransomware accurately.

[template:additional

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%APPDATA%\Microsoft\Windows\bclock.exe

File name: bclock.exe
Size: 847.87 KB (847872 bytes)
MD5: 289b43d3c234585285a38b2a0f4db2e3
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%\Microsoft\Windows
Group: Malware file
Last Updated: August 17, 2022

%Temp%\BitCryptorFileList.txt

File name: %Temp%\BitCryptorFileList.txt
Mime Type: unknown/txt
Group: Malware file

%Temp%\wallpaper.jpg

File name: %Temp%\wallpaper.jpg
Mime Type: unknown/jpg
Group: Malware file

%UserProfile%\filelist.locklst

File name: %UserProfile%\filelist.locklst
Mime Type: unknown/locklst
Group: Malware file

%UserProfile%\sfile

File name: %UserProfile%\sfile
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BitC "%UserProfile%\bclock.exe"HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\RunOnce\*BitC "%UserProfile%\bclock.exe"HKEY_CURRENT_USER \Control Panel\Desktop\Wallpaper "%Temp%\wallpaper.jpg"