BTCWare-PayDay Ransomware
Posted: October 6, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 102,312 |
| First Seen: | March 27, 2017 |
|---|---|
| Last Seen: | March 1, 2022 |
| OS(es) Affected: | Windows |
The BTCWare-PayDay Ransomware is a Trojan that locks your files by using non-consensual encryption to keep them from opening. Once encoded, any pictures, documents, and similar media may be unlocked only with a specialized decryptor that the BTCWare-PayDay Ransomware's threat actor sells for a currently unspecified ransom. PC users should use free recovery options on their data, if possible, while also uninstalling the BTCWare-PayDay Ransomware with an appropriate anti-malware product.
The Old Trojan Family Coming Back for October
One of the most active families of file-locker Trojans of the year is maintaining its record with yet another variant for October's opening week. The BTCWare-PayDay Ransomware, most likely built off of the traditional 'Black Hat' business model of Ransomware-as-a-Service (RaaS), is delivering attacks that it pairs with new ransom messages and extension changes. However, the BTCWare-PayDay Ransomware's family's core model of encoding the victim's content and holding it in a hostage situation for pay is unchanged.
While the BTCWare-PayDay Ransomware's family is notable for using spam emails, including messages with omitted subject or body information to compromise new victims, malware analysts have yet to confirm the BTCWare-PayDay Ransomware's distribution exploits. When it's running in a compatible Windows environment, the BTCWare-PayDay Ransomware modifies the system's boot settings for suppressing error messages, which may hide any installation glitches. It then proceeds with scanning the PC's directories for Word documents, JPG pictures, Adobe PDF files, and similar media to encipher using an AES algorithm.
Most releases of the BTCWare Ransomware follow these data-blocking attacks by inserting a single extension (such as '.onyon') onto the files' names, as well as by creating INF or Web page-based ransom notes. The BTCWare-PayDay Ransomware, instead, adds a string consisting of a new email address for negotiations, two ID fields, and the '.payday' extension. It also creates ransom messages in Notepad's text format, although the only information the instructions give to English readers is to contact the address. Until then, the user's files may be unusable indefinitely.
Keeping New Businessmen from Their Undeserved Paydays
The BTCWare Ransomware group of Trojans that the BTCWare-PayDay Ransomware uses for a basis has had releases of keys to the public that are pertinent to third-party decryption efforts. Malware analysts have been unable to corroborate any compatibility between the BTCWare-PayDay Ransomware and the latest decryption freeware programs directly, but testing them for compatibility is always preferable to paying a ransom to a con artist. Backing up files to other devices or servers is also a highly-recommended procedure for keeping all digital content safe from harm by any threat that shows features similar to the BTCWare-PayDay Ransomware's enciphering attack.
Besides keeping its attacks from showing any clear signals or symptoms until after it inflicts its file damage, the BTCWare-PayDay Ransomware also disguises at least one of its components as being part of Windows: the often-imitated 'svchost.exe.' Users should identify and block this Trojan with automated anti-malware protection preemptively, if possible. Most anti-malware programs can uninstall the BTCWare-PayDay Ransomware safely, although decryption will, inevitably, require additional work on the part of the PC's user. For now, email exposure remains the most probable infection vector for the BTCWare-PayDay Ransomware's campaign.
The BTCWare-PayDay Ransomware has few changes from past variants of its Trojan family, but its use of affiliate ID numbers implies a potential for broader than usual distribution, with the help of multiple threat actors. Anyone with files they consider of more than negligible value also should be taking care to back that content up and protect their PCs with anti-malware technology, which are the two readiest ways of cutting down on the BTCWare-PayDay Ransomware's upcoming plans for profit.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4128 bytes)
MD5: 2075a6619aae0bf45bb9515988faf049
Detection count: 1,115
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: 209ed64326cef0d46b80e755af578827
Detection count: 126
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.15 KB (4150 bytes)
MD5: db5963ccd4c65e93e342781676c53bdb
Detection count: 71
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
file.exe
File name: file.exeSize: 272.89 KB (272896 bytes)
MD5: 2c1a9fff423a7afd1b25d1b4c7c5ae3c
Detection count: 71
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4120 bytes)
MD5: eab4241cc0da39462dd90eb748062068
Detection count: 63
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: e7d0a7d49a89452704def40486f32a32
Detection count: 56
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%LOCALAPPDATA%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4122 bytes)
MD5: acb7e62659588fdbaf9f8e272343ab74
Detection count: 52
Mime Type: unknown/hta
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: August 23, 2017
%SystemDrive%\Users\<username>\AppData\Roaming\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: 831b9e82c93ea2fe4f53a6272cf506a1
Detection count: 44
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: August 23, 2017
%SystemDrive%\Users\<username>\AppData\Local\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4122 bytes)
MD5: cab3262ed4e3649509aa5a6058200276
Detection count: 40
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Local
Group: Malware file
Last Updated: August 23, 2017
%APPDATA%\111svhost.exe
File name: 111svhost.exeSize: 192.51 KB (192512 bytes)
MD5: d0859aea3795ab294366ca5b5d3ef6cb
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: September 19, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: 0a13b8f171275dc65e883fef727fbf77
Detection count: 35
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: f3c7da1139678cad16b2cd8b24a0be2f
Detection count: 26
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.15 KB (4150 bytes)
MD5: 059d4542b27a3f9b1d769a93c5b29127
Detection count: 19
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.15 KB (4150 bytes)
MD5: 136ea58e7cb4b33598f3038583bfeb8a
Detection count: 19
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: 10eb12c4749d83897bfcc2cb028fcc00
Detection count: 14
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.21 KB (4213 bytes)
MD5: b0d2c6949a5ccb089af6f18c4a3fb8f8
Detection count: 14
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: 94ff7e538acb23d5ac598fbb2a39abf3
Detection count: 12
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%SystemDrive%\Users\<username>\AppData\Local\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4126 bytes)
MD5: d8509e93dfa30c8d41f29c123b2e444a
Detection count: 9
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Local
Group: Malware file
Last Updated: August 23, 2017
%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.12 KB (4122 bytes)
MD5: fa42610a9e8106df8b9467bf7195a112
Detection count: 7
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
%SystemDrive%\Users\<username>\AppData\Roaming\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.htaSize: 4.17 KB (4176 bytes)
MD5: a31ddee91c96512da46e2c2f39ebd7cc
Detection count: 5
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: August 23, 2017
More files
Registry Modifications
File name without path#_HOW_TO_FIX_!.htaRegexp file mask%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vaqet.exe
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.