
BTCWare-PayDay Ransomware

Posted: October 6, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 102,312
First Seen: March 27, 2017
Last Seen: March 1, 2022
OS(es) Affected: Windows

The BTCWare-PayDay Ransomware is a Trojan that locks your files by encrypting them without your consent so that they no longer open. Once encrypted, pictures, documents and similar media can be unlocked only with a decryptor that the BTCWare-PayDay Ransomware's threat actor sells for a currently unspecified ransom. PC users should try the free recovery options available for their data, where any apply, while also uninstalling the BTCWare-PayDay Ransomware with an appropriate anti-malware product.

The Old Trojan Family Coming Back for October

One of the year's most active families of file-locker Trojans is keeping up its pace with yet another variant in the opening week of October. The BTCWare-PayDay Ransomware, most likely built on the Ransomware-as-a-Service (RaaS) business model typical of this family, pairs its attacks with new ransom messages and a new file extension. The family's core model is unchanged: encrypt the victim's content and hold it hostage for payment.

The BTCWare family is known for spreading through spam e-mail, including messages with an empty subject or body, but malware analysts have yet to confirm how the BTCWare-PayDay Ransomware itself is being distributed. Running in a compatible Windows environment, it modifies the system's boot configuration to suppress startup error and recovery messages, which can also hide any glitches from its own installation. It then scans the PC's directories for Word documents, JPG pictures, Adobe PDF files and similar media and encrypts them with AES.

Most releases of the BTCWare Ransomware follow the encryption by appending a single extension (such as '.onyon') to the files' names and by dropping ransom notes as INF files or HTA Web pages. The BTCWare-PayDay Ransomware instead appends a string made up of a new e-mail address for negotiations, two ID fields and the '.payday' extension. It also drops ransom messages as plain text (Notepad) files, although the only instruction they give English readers is to contact that address (the samples listed under Technical Details below also drop an HTA note, '!#_READ_ME_#!.hta', in the profile folders). Until a working decryptor becomes available, the user's files may remain unusable indefinitely.

Keeping New Businessmen from Their Undeserved Paydays

The BTCWare Ransomware family on which the BTCWare-PayDay Ransomware is based has had keys released to the public that are relevant to third-party decryption efforts. Malware analysts have not yet confirmed whether the current free decryptors handle the BTCWare-PayDay Ransomware, but testing them is always preferable to paying a ransom to a con artist. Backing files up to other devices or servers is also strongly recommended for keeping digital content safe from any threat with an encryption attack like the BTCWare-PayDay Ransomware's.

Besides showing no clear symptoms until after it has damaged the files, the BTCWare-PayDay Ransomware disguises at least one of its components as part of Windows by borrowing the name of the often-imitated 'svchost.exe' (the sample listed under Technical Details below uses '111svhost.exe' in %APPDATA%; the genuine svchost.exe runs only from %SystemRoot%\System32, and SysWOW64 on 64-bit Windows, so any svchost-like executable in a profile folder is suspect). Users should identify and block this Trojan pre-emptively with automated anti-malware protection where possible. Most anti-malware programs can uninstall the BTCWare-PayDay Ransomware safely, although decrypting the files will inevitably require additional work on the user's part. For now, e-mail remains the most probable infection vector for the BTCWare-PayDay Ransomware's campaign.

The BTCWare-PayDay Ransomware differs little from past variants of its family, but its use of affiliate ID numbers suggests potentially broader distribution through multiple threat actors. Anyone with files of more than negligible value should back that content up and protect their PCs with anti-malware technology, the two readiest ways of cutting into the BTCWare-PayDay Ransomware's planned profits.

Technical Details

File System Modifications


The following files were created in the system. All are classed as malware files. Most entries are copies of the ransom note '!#_READ_ME_#!.hta' dropped in %ALLUSERSPROFILE%, %LOCALAPPDATA% or %APPDATA%; their sizes differ by a few bytes and their MD5s all differ because the note contents vary between samples, so hunt for the note by name and drop location and treat the hashes only as confirmation of a known sample.

Path | Size (bytes) | MD5 | Detection count | Last updated
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4128 | 2075a6619aae0bf45bb9515988faf049 | 1,115 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4126 | 209ed64326cef0d46b80e755af578827 | 126 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4150 | db5963ccd4c65e93e342781676c53bdb | 71 | August 23, 2017
file.exe (path not recorded) | 272896 | 2c1a9fff423a7afd1b25d1b4c7c5ae3c | 71 | not recorded
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4120 | eab4241cc0da39462dd90eb748062068 | 63 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4126 | e7d0a7d49a89452704def40486f32a32 | 56 | August 23, 2017
%LOCALAPPDATA%\!#_READ_ME_#!.hta | 4122 | acb7e62659588fdbaf9f8e272343ab74 | 52 | August 23, 2017
%SystemDrive%\Users\<username>\AppData\Roaming\!#_READ_ME_#!.hta | 4126 | 831b9e82c93ea2fe4f53a6272cf506a1 | 44 | August 23, 2017
%SystemDrive%\Users\<username>\AppData\Local\!#_READ_ME_#!.hta | 4122 | cab3262ed4e3649509aa5a6058200276 | 40 | August 23, 2017
%APPDATA%\111svhost.exe | 192512 | d0859aea3795ab294366ca5b5d3ef6cb | 40 | September 19, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4126 | 0a13b8f171275dc65e883fef727fbf77 | 35 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4126 | f3c7da1139678cad16b2cd8b24a0be2f | 26 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4150 | 059d4542b27a3f9b1d769a93c5b29127 | 19 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4150 | 136ea58e7cb4b33598f3038583bfeb8a | 19 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4126 | 10eb12c4749d83897bfcc2cb028fcc00 | 14 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4213 | b0d2c6949a5ccb089af6f18c4a3fb8f8 | 14 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4126 | 94ff7e538acb23d5ac598fbb2a39abf3 | 12 | August 23, 2017
%SystemDrive%\Users\<username>\AppData\Local\!#_READ_ME_#!.hta | 4126 | d8509e93dfa30c8d41f29c123b2e444a | 9 | August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta | 4122 | fa42610a9e8106df8b9467bf7195a112 | 7 | August 23, 2017
%SystemDrive%\Users\<username>\AppData\Roaming\!#_READ_ME_#!.hta | 4176 | a31ddee91c96512da46e2c2f39ebd7cc | 5 | August 23, 2017


Registry Modifications

The following entries are recorded under Registry Modifications; note that they are file indicators rather than Registry values. Anything placed in the per-user Startup folder runs at every logon, so an unrecognised executable there (here 'vaqet.exe') is a persistence mechanism that should be removed along with the main component.

File name without path: #_HOW_TO_FIX_!.hta
Regexp file mask: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vaqet.exe
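As an added example (not part of the original report and not any vendor's tool), the following Python script turns the indicators on this page into an offline host triage: it looks for the ransom note by name in the profile folders listed above, flags svchost look-alike executables found outside System32, lists executables in the per-user Startup folder, counts files carrying the '.payday' extension, and compares MD5s against the hashes listed above only as confirmation of a known sample. The directory layout, file contents and encrypted file names produced by build_fixture() are constructed for the demonstration; the exact layout of the e-mail and ID fields the Trojan inserts into file names is not documented on this page, so the names used are illustrative only.

```python
"""Offline host triage for the BTCWare-PayDay indicators on this page.

Editor-added example, not the report's or any vendor's tool. Paths, names
and hashes come from the page's file list; everything in build_fixture()
is constructed so the script can run without a real infection.
"""
import hashlib
import tempfile
from pathlib import Path

RANSOM_NOTE = "!#_READ_ME_#!.hta"
ENCRYPTED_EXT = ".payday"
STARTUP_SUBDIR = Path("Microsoft/Windows/Start Menu/Programs/Startup")

# MD5s copied from the page. Ransom-note hashes differ per sample because
# the note contents vary, so hashes only confirm a known sample; detection
# relies on the fixed file name and drop locations.
KNOWN_EXE_MD5 = {
    "2c1a9fff423a7afd1b25d1b4c7c5ae3c",  # file.exe
    "d0859aea3795ab294366ca5b5d3ef6cb",  # %APPDATA%\111svhost.exe
}
KNOWN_NOTE_MD5 = {
    "2075a6619aae0bf45bb9515988faf049",
    "209ed64326cef0d46b80e755af578827",
    "db5963ccd4c65e93e342781676c53bdb",
}


def md5_of(path: Path) -> str:
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_svchost(name: str) -> bool:
    """The genuine svchost.exe lives in %SystemRoot%\\System32 (and SysWOW64);
    a svchost/svhost-style executable in a profile folder is a disguise."""
    lower = name.lower()
    return lower.endswith(".exe") and ("svchost" in lower or "svhost" in lower)


def triage(profile_dirs: dict, data_roots: list) -> dict:
    """profile_dirs maps ALLUSERSPROFILE/LOCALAPPDATA/APPDATA to directories;
    data_roots are the folders in which encrypted files are counted."""
    found = {"ransom_notes": [], "known_samples": [], "svchost_lookalikes": [],
             "startup_executables": [], "payday_files": 0}
    for var, base in profile_dirs.items():
        base = Path(base)
        note = base / RANSOM_NOTE
        if note.is_file():
            found["ransom_notes"].append(f"%{var}%\\{RANSOM_NOTE}")
            if md5_of(note) in KNOWN_NOTE_MD5:
                found["known_samples"].append(str(note))
        for exe in base.rglob("*.exe"):
            if looks_like_svchost(exe.name):
                found["svchost_lookalikes"].append(str(exe))
            if md5_of(exe) in KNOWN_EXE_MD5:
                found["known_samples"].append(str(exe))
    if "APPDATA" in profile_dirs:
        startup = Path(profile_dirs["APPDATA"]) / STARTUP_SUBDIR
        if startup.is_dir():
            found["startup_executables"] = sorted(str(p) for p in startup.glob("*.exe"))
    for root in data_roots:
        found["payday_files"] += sum(1 for p in Path(root).rglob("*" + ENCRYPTED_EXT) if p.is_file())
    return found


def build_fixture(root: Path) -> dict:
    """Constructed stand-in for an infected profile; contains no real malware.
    The e-mail/ID portion of the encrypted names is illustrative only."""
    dirs = {"ALLUSERSPROFILE": root / "ProgramData",
            "LOCALAPPDATA": root / "Users/victim/AppData/Local",
            "APPDATA": root / "Users/victim/AppData/Roaming"}
    for d in dirs.values():
        d.mkdir(parents=True, exist_ok=True)
    (dirs["ALLUSERSPROFILE"] / RANSOM_NOTE).write_text("<html>contact the address</html>")
    (dirs["APPDATA"] / "111svhost.exe").write_bytes(b"MZ placeholder, not a binary")
    startup = dirs["APPDATA"] / STARTUP_SUBDIR
    startup.mkdir(parents=True)
    (startup / "vaqet.exe").write_bytes(b"MZ placeholder")
    docs = root / "Users/victim/Documents"
    docs.mkdir(parents=True)
    for name in ("report.docx", "photo.jpg"):
        (docs / f"{name}.[contact@example.invalid].[id1].[id2]{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("clean")
    return {k: str(v) for k, v in dirs.items()}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return triage(build_fixture(root), [root / "Users/victim/Documents"])


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed run the note, the svchost look-alike, the Startup executable and both '.payday' files are all reported while known_samples stays empty, which is the point: none of the constructed files share a hash with the listed samples, yet the name- and location-based checks still fire. On a real host, pass the values of the three environment variables and the user's document roots instead of the fixture, and run the check from an isolated or offline-booted machine, since a scan does nothing to stop encryption that is still in progress.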