BTCWare Ransomware
Posted: March 27, 2017
Threat Metric
The following fields on the Threat Meter, each of which carries a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors, collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs identified in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. Threats with a high detection count could lie dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 102,312 |
| First Seen | March 27, 2017 |
| Last Seen | March 1, 2022 |
| OS(es) Affected | Windows |
The BTCWare Ransomware is a Trojan that locks your files with encryption, an attack that supplements the extortion notes it generates to solicit money. Since the extortionists don't necessarily abide by the terms of such agreements, victims should use other ways of retrieving their content whenever possible. Most anti-malware products can guard against the different variants of this threat by removing the BTCWare Ransomware both before and after it starts locking your local content.
The Many Names of a Program that Wants Your Bitcoins
Large families of file-encrypting Trojans are quickly becoming the expected standard rather than the exception, as Ransomware-as-a-Service continues to take hold of the underground marketplace for threatening software. One family with months of field experience, but with relatively few variants in distribution, is the BTCWare Ransomware. The Trojan's name derives from its demands, made under duress, for Bitcoins (BTC), a cryptocurrency that lets con artists take payments without risking refunds to their dissatisfied victims.
Some variants of the BTCWare Ransomware are several months old, such as the Crptxxx Ransomware, while others, like the Master Ransomware, are relatively new. In either case, the primary differences are the format the BTCWare Ransomware chooses for its extortion-themed messages and the type of contact information the Trojan appends to the filenames of any content it attacks. The attack, an encryption routine, also locks you out of opening data such as documents, spreadsheets or pictures.
Examples of ransom notes that malware analysts can confirm within the BTCWare Ransomware family include HTM (Web page) and INF (text) documents. These messages serve little purpose beyond giving the victim a way to download TOR (a Web-browsing application with additional anonymity features) and connect to the BTCWare Ransomware's Bitcoin ransom-collecting site. Some variants, such as the Master Ransomware, may instead redirect you to an anonymous instant messaging client for the same purpose.
Potentially, a victim can pay these cryptocurrency fees to receive the decryption key, although malware experts recommend using different recovery options (see below).
Stacking Your Files out of a Bitcoin Thief's Sights
The most efficient way of protecting your content from threats of the BTCWare Ransomware's scope is to keep spare backups that are not saved on a locally accessible drive, such as on a detachable USB device or a password-protected cloud server. When such recovery choices are unavailable, victims can also try third-party decryption software, which various security organizations make available for free. The anti-malware sector recently developed a specialized decryptor application for the BTCWare Ransomware that may help you recover any encrypted media without data loss.
As of the latest attacks under analysis by malware experts, some BTCWare Ransomware infections also correlate with network issues such as Remote Desktop (RDP) exploits. This level of access lets a remote attacker install Trojans like the BTCWare Ransomware, disable important security features or collect your information easily. Removing the BTCWare Ransomware and other known threats should take priority over data recovery, but you also should change passwords and reset any network settings that could be responsible for the breach of your PC's security.
Detecting the BTCWare Ransomware by symptoms like a new '.onyon' or '.master' extension on your files is simple but risky. For anyone who can't afford to lose what they save, keeping a close eye on their networks and Web-browsing habits can prevent them from ever seeing these symptoms and their attendant problems.
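As an added example that is not part of the original write-up, and not code from the vendor or product described here, the following Python script implements the symptom-based detection this section describes from the defender's side: it walks a directory tree read-only and flags files carrying the '.onyon' or '.master' extension, ransom notes with the names listed under Technical Details, the dropped executable names from that section, and files whose MD5 matches one of the hashes listed on this page. The sample directory it scans is constructed in a temporary folder so the script runs offline; the indicator values come from this page, while the function names, labels and sample files are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from this page's text and file list.
RANSOM_EXTENSIONS = {".onyon", ".master"}
RANSOM_NOTE_NAMES = {"!#_READ_ME_#!.hta", "#_HOW_TO_FIX_!.hta"}
DROPPED_EXE_NAMES = {"111svhost.exe", "vaqet.exe"}
KNOWN_MD5 = {  # three of the page's hashes; extend from the full table
    "2075a6619aae0bf45bb9515988faf049",  # !#_READ_ME_#!.hta, 4128 bytes
    "2c1a9fff423a7afd1b25d1b4c7c5ae3c",  # file.exe
    "d0859aea3795ab294366ca5b5d3ef6cb",  # 111svhost.exe
}


def md5_of(path: Path, chunk: int = 1 << 16) -> str:
    """Hash in chunks so a large encrypted file never has to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path: Path) -> list[str]:
    """Return every indicator label that applies to one file (empty if none)."""
    hits: list[str] = []
    # BTCWare appends its extension after the original one ("budget.xlsx.onyon"),
    # so only the final suffix matters; a file *named* master.plan is not a hit.
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        hits.append("encrypted-extension")
    if path.name in RANSOM_NOTE_NAMES:
        hits.append("ransom-note-name")
    if path.name.lower() in DROPPED_EXE_NAMES:
        hits.append("known-dropped-name")
    try:
        if md5_of(path) in KNOWN_MD5:
            hits.append("known-md5")
    except OSError:
        pass  # unreadable or vanished file: skip it rather than abort the sweep
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root (without following symlinks) and map each flagged file to its labels."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            labels = classify(p)
            if labels:
                findings[p.relative_to(root).as_posix()] = labels
    return findings


def summarize(findings: dict[str, list[str]]) -> dict[str, int]:
    """Count flagged files per indicator label, for a one-line triage verdict."""
    counts: dict[str, int] = {}
    for labels in findings.values():
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two renamed files, one note, one dropped name, two clean files."""
    (root / "docs").mkdir()
    (root / "Startup").mkdir()
    (root / "docs" / "budget.xlsx.onyon").write_bytes(b"\x00" * 64)
    (root / "docs" / "photo.jpg.master").write_bytes(b"\xff" * 64)
    (root / "docs" / "!#_READ_ME_#!.hta").write_text("<html>constructed note</html>")
    (root / "Startup" / "vaqet.exe").write_bytes(b"constructed placeholder, not a real binary")
    (root / "docs" / "notes.txt").write_text("plain text, untouched")
    (root / "master.plan").write_text("clean: the stem is 'master', the suffix is not")


def run_demo() -> dict[str, list[str]]:
    """Scan a throwaway directory built from the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    found = run_demo()
    for rel, labels in sorted(found.items()):
        print(f"{rel}: {', '.join(labels)}")
    print("summary:", summarize(found))
```

Point `scan_tree` at a user profile or a file share to triage a suspected host; the extension check catches the renamed documents even when the note and dropper have already been cleaned up, while the hash check only confirms the specific samples listed here, so a miss on MD5 alone says nothing about newer variants.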
Technical Details
File System Modifications
The following files were created in the system (every entry is classified as Group: Malware file):

| Path | File name | Size | MD5 | Detection count | Type / MIME | Last updated |
|---|---|---|---|---|---|---|
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4128 bytes) | 2075a6619aae0bf45bb9515988faf049 | 1,115 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | 209ed64326cef0d46b80e755af578827 | 126 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.15 KB (4150 bytes) | db5963ccd4c65e93e342781676c53bdb | 71 | unknown/hta | August 23, 2017 |
| n/a | file.exe | 272.89 KB (272896 bytes) | 2c1a9fff423a7afd1b25d1b4c7c5ae3c | 71 | Executable File (unknown/exe) | n/a |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4120 bytes) | eab4241cc0da39462dd90eb748062068 | 63 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | e7d0a7d49a89452704def40486f32a32 | 56 | unknown/hta | August 23, 2017 |
| %LOCALAPPDATA% | !#_READ_ME_#!.hta | 4.12 KB (4122 bytes) | acb7e62659588fdbaf9f8e272343ab74 | 52 | unknown/hta | August 23, 2017 |
| %SystemDrive%\Users\<username>\AppData\Roaming | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | 831b9e82c93ea2fe4f53a6272cf506a1 | 44 | unknown/hta | August 23, 2017 |
| %SystemDrive%\Users\<username>\AppData\Local | !#_READ_ME_#!.hta | 4.12 KB (4122 bytes) | cab3262ed4e3649509aa5a6058200276 | 40 | unknown/hta | August 23, 2017 |
| %APPDATA% | 111svhost.exe | 192.51 KB (192512 bytes) | d0859aea3795ab294366ca5b5d3ef6cb | 40 | Executable File (unknown/exe) | September 19, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | 0a13b8f171275dc65e883fef727fbf77 | 35 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | f3c7da1139678cad16b2cd8b24a0be2f | 26 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.15 KB (4150 bytes) | 059d4542b27a3f9b1d769a93c5b29127 | 19 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.15 KB (4150 bytes) | 136ea58e7cb4b33598f3038583bfeb8a | 19 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | 10eb12c4749d83897bfcc2cb028fcc00 | 14 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.21 KB (4213 bytes) | b0d2c6949a5ccb089af6f18c4a3fb8f8 | 14 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | 94ff7e538acb23d5ac598fbb2a39abf3 | 12 | unknown/hta | August 23, 2017 |
| %SystemDrive%\Users\<username>\AppData\Local | !#_READ_ME_#!.hta | 4.12 KB (4126 bytes) | d8509e93dfa30c8d41f29c123b2e444a | 9 | unknown/hta | August 23, 2017 |
| %ALLUSERSPROFILE% | !#_READ_ME_#!.hta | 4.12 KB (4122 bytes) | fa42610a9e8106df8b9467bf7195a112 | 7 | unknown/hta | August 23, 2017 |
| %SystemDrive%\Users\<username>\AppData\Roaming | !#_READ_ME_#!.hta | 4.17 KB (4176 bytes) | a31ddee91c96512da46e2c2f39ebd7cc | 5 | unknown/hta | August 23, 2017 |
Registry Modifications
File name without path: #_HOW_TO_FIX_!.hta
Regexp file mask: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vaqet.exe