BTCWare-PayDay Ransomware
Posted: October 6, 2017
Threat Metric
The fields shown on the Threat Meter are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 102,315 |
| First Seen: | March 27, 2017 |
| Last Seen: | November 28, 2024 |
| OS(es) Affected: | Windows |
The BTCWare-PayDay Ransomware is a Trojan that locks your files by using non-consensual encryption to keep them from opening. Once encoded, any pictures, documents, and similar media may be unlocked only with a specialized decryptor that the BTCWare-PayDay Ransomware's threat actor sells for a currently unspecified ransom. PC users should use free recovery options on their data, if possible, while also uninstalling the BTCWare-PayDay Ransomware with an appropriate anti-malware product.
The Old Trojan Family Coming Back for October
One of the most active families of file-locker Trojans of the year is maintaining its record with yet another variant for October's opening week. The BTCWare-PayDay Ransomware, most likely built on the traditional 'Black Hat' business model of Ransomware-as-a-Service (RaaS), is delivering attacks that it pairs with new ransom messages and extension changes. However, the BTCWare-PayDay Ransomware family's core model of encoding the victim's content and holding it hostage for payment is unchanged.
While the BTCWare-PayDay Ransomware's family is notable for using spam emails, including messages with omitted subject or body information, to compromise new victims, malware analysts have yet to confirm the BTCWare-PayDay Ransomware's distribution exploits. When it's running in a compatible Windows environment, the BTCWare-PayDay Ransomware modifies the system's boot settings to suppress error messages, which may hide any installation glitches. It then proceeds with scanning the PC's directories for Word documents, JPG pictures, Adobe PDF files, and similar media to encipher using an AES algorithm.
Most releases of the BTCWare Ransomware follow these data-blocking attacks by inserting a single extension (such as '.onyon') onto the files' names, as well as by creating INF or Web page-based ransom notes. The BTCWare-PayDay Ransomware, instead, adds a string consisting of a new email address for negotiations, two ID fields, and the '.payday' extension. It also creates ransom messages in Notepad's text format, although the only information the instructions give to English readers is to contact the address. Until then, the user's files may be unusable indefinitely.
Keeping New Businessmen from Their Undeserved Paydays
The BTCWare Ransomware group of Trojans that the BTCWare-PayDay Ransomware uses as its basis has had keys released publicly that are relevant to third-party decryption efforts. Malware analysts have been unable to corroborate any compatibility between the BTCWare-PayDay Ransomware and the latest decryption freeware programs directly, but testing them for compatibility is always preferable to paying a ransom to a con artist. Backing up files to other devices or servers is also a highly-recommended procedure for keeping all digital content safe from harm by any threat that shows features similar to the BTCWare-PayDay Ransomware's enciphering attack.
Besides keeping its attacks from showing any clear signals or symptoms until after it inflicts its file damage, the BTCWare-PayDay Ransomware also disguises at least one of its components as being part of Windows: the often-imitated 'svchost.exe.' Users should identify and block this Trojan with automated anti-malware protection preemptively, if possible. Most anti-malware programs can uninstall the BTCWare-PayDay Ransomware safely, although decryption will, inevitably, require additional work on the part of the PC's user. For now, email exposure remains the most probable infection vector for the BTCWare-PayDay Ransomware's campaign.
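The two host-side signals the article describes, renamed files carrying a negotiation email, two ID fields and the '.payday' extension, and an executable imitating 'svchost.exe' outside the Windows system directories, can be turned into a small triage script. The following is an added example written for this page, not code from the article or from any vendor tool. It assumes a filename layout of original name, then email, then two IDs, each optionally wrapped in square brackets, before '.payday' (the article does not give the exact layout); the file paths and hash values in the sample records are constructed, except for the three MD5 hashes, which come from the file listing further down this page.

```python
import ntpath
import re

# MD5 hashes listed on this page for BTCWare-PayDay components
KNOWN_MD5 = {
    "497c5a51d631d1cd79d5eae21eb2cb92": "file.exe",
    "d0859aea3795ab294366ca5b5d3ef6cb": "111svhost.exe",
    "0a13b8f171275dc65e883fef727fbf77": "!#_READ_ME_#!.hta",
}

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
# Assumed layout (not confirmed by the article):
#   <original name>.<email>.<id1>.<id2>.payday, fields optionally in [] and
#   separated by '.', '_' or '-'.
PAYDAY_RE = re.compile(
    r"\.\[?(?P<email>" + EMAIL + r")\]?"     # negotiation address
    r"[._-]\[?(?P<id1>[A-Za-z0-9]+)\]?"       # first ID field
    r"[._-]\[?(?P<id2>[A-Za-z0-9]+)\]?"       # second ID field
    r"\.payday$",
    re.IGNORECASE,
)

# The only directories where a genuine svchost.exe should live
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_payday_name(filename):
    """Return the fields appended by the ransomware, or None if the name
    does not follow the assumed '.payday' layout."""
    m = PAYDAY_RE.search(filename)
    if not m:
        return None
    return {
        "original": filename[: m.start()],
        "email": m.group("email"),
        "id1": m.group("id1"),
        "id2": m.group("id2"),
    }


def is_svchost_masquerade(path):
    """True when a file is named like svchost.exe (digits stripped, so
    '111svhost.exe' also counts) but sits outside the system directories."""
    directory, name = ntpath.split(path)
    base = re.sub(r"\d", "", name.lower())
    if base not in ("svchost.exe", "svhost.exe"):
        return False
    return directory.lower().rstrip("\\") not in LEGIT_SVCHOST_DIRS


def classify(path, md5=None):
    """Collect every indicator that applies to one file record."""
    findings = []
    name = ntpath.basename(path)
    if md5 and md5.lower() in KNOWN_MD5:
        findings.append("known-hash:" + KNOWN_MD5[md5.lower()])
    if parse_payday_name(name):
        findings.append("payday-extension")
    if is_svchost_masquerade(path):
        findings.append("svchost-masquerade")
    return findings


def triage(records):
    """Map each flagged path to its list of findings; clean files are omitted."""
    hits = {}
    for path, md5 in records:
        findings = classify(path, md5)
        if findings:
            hits[path] = findings
    return hits


# Constructed sample inventory: (path, md5 or None)
SAMPLE_RECORDS = [
    (r"C:\Users\alice\Documents\report.docx.[pay@example.test].[ABCD1234].[AFF01].payday", None),
    (r"C:\Users\alice\Pictures\holiday.jpg", None),
    (r"C:\Users\alice\AppData\Roaming\111svhost.exe", "d0859aea3795ab294366ca5b5d3ef6cb"),
    (r"C:\Windows\System32\svchost.exe", None),
    (r"C:\ProgramData\!#_READ_ME_#!.hta", "0a13b8f171275dc65e883fef727fbf77"),
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(findings))
```

The hash check is the narrowest signal and will miss any rebuild of the Trojan, so the name-based checks are what catch a fresh variant; the second ID field is worth recording because the article attributes the family's wider distribution to affiliate IDs, and grouping incidents by that value helps separate one affiliate's campaign from another.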
The BTCWare-PayDay Ransomware has few changes from past variants of its Trojan family, but its use of affiliate ID numbers implies a potential for broader than usual distribution, with the help of multiple threat actors. Anyone with files they consider of more than negligible value also should be taking care to back that content up and protect their PCs with anti-malware technology, which are the two readiest ways of cutting down on the BTCWare-PayDay Ransomware's upcoming plans for profit.
Technical Details
File System Modifications
The following files were created in the system:

file.exe
File name: file.exe
Size: 311.8 KB (311808 bytes)
MD5: 497c5a51d631d1cd79d5eae21eb2cb92
Detection count: 225
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020
%APPDATA%\111svhost.exe
File name: 111svhost.exe
Size: 192.51 KB (192512 bytes)
MD5: d0859aea3795ab294366ca5b5d3ef6cb
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: September 19, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.hta
Size: 4.12 KB (4126 bytes)
MD5: 0a13b8f171275dc65e883fef727fbf77
Detection count: 35
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
Registry Modifications
File name without path: #_HOW_TO_FIX_!.hta
Regexp file mask: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vaqet.exe