BTCWare Ransomware
Posted: March 27, 2017
Threat Metric
The fields shown on the Threat Meter, and the values they carry, are explained below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal symbol, represents the recent movement of a particular threat. An up arrow represents an increase, a down arrow represents a decline and the equal symbol represents no change in the threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 102,315 |
| First Seen: | March 27, 2017 |
| Last Seen: | November 28, 2024 |
| OS(es) Affected: | Windows |
The BTCWare Ransomware is a Trojan that encrypts your files and then drops extortion notes demanding payment for their release. Because the extortionists are under no obligation to honor such a deal, victims should use other means of recovering their content whenever possible. Most anti-malware products can guard against the family's variants and remove the BTCWare Ransomware both before and after it begins locking local content.
The Many Names of a Program that Wants Your Bitcoins
Large families of file-encrypting Trojans are quickly becoming the norm rather than the exception as Ransomware-as-a-Service continues to take hold of the underground market for threatening software. One family with months of field experience, but relatively few variants in circulation, is the BTCWare Ransomware. Its name derives from its demands for payment in Bitcoin (BTC), a cryptocurrency that lets the con artists collect payments that dissatisfied victims cannot reverse or charge back.
Some variants of the BTCWare Ransomware are several months old, such as the Crptxxx Ransomware, while others, like the Master Ransomware, are relatively new. The main differences between them are the format of the extortion message and the contact information the Trojan appends to the names of the files it attacks. The attack itself is an encryption routine that locks you out of documents, spreadsheets, pictures and similar data.
Ransom notes that malware analysts can confirm within the BTCWare Ransomware family include HTM (Web page) and INF (text) documents. These messages serve little purpose beyond telling the victim to download TOR (the Tor Browser, a Web browser with additional anonymity features) and connect to the BTCWare Ransomware's Bitcoin ransom-collection site. Some variants, such as the Master Ransomware, instead direct you to an anonymous instant-messaging client for the same purpose.
A victim can, in principle, pay these cryptocurrency fees to receive the decryption key, although malware experts recommend using other recovery options (see below).
Stacking Your Files out of a Bitcoin Thief's Sights
The most efficient way of protecting your content from threats of the BTCWare Ransomware's scope is to keep spare backups that are not reachable from the infected machine, such as on a detachable USB device or a password-protected cloud service; a USB drive that stays plugged in or a permanently mapped network share can be encrypted along with everything else. When no backup is available, victims can try third-party decryption software, which various security organizations make available free of charge. The anti-malware sector recently released a decryptor specifically for the BTCWare Ransomware that, depending on the variant, may recover encrypted media without any data loss.
In the most recent attacks analyzed by malware experts, some BTCWare Ransomware infections also correlate with abuse of exposed Remote Desktop (RDP) services. That level of access lets a remote attacker install Trojans like the BTCWare Ransomware, disable important security features or collect your information with little effort. Removing the BTCWare Ransomware and any other known threats should take priority over data recovery, but you also should change passwords and review the network settings, such as RDP exposure, that could be responsible for the breach of your PC's security.
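The RDP abuse described above usually leaves a recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, then a successful RemoteInteractive logon (Event ID 4624, Logon Type 10) from that same address. The following Python is an added example, not code from the original page or from any vendor, that triages such events. It assumes the events have already been exported to a simple pipe-delimited form (timestamp, event ID, logon type, account, source IP); a real export from Get-WinEvent or wevtutil needs its own parser, but the correlation logic is the same. The sample events are constructed.

```python
"""Triage exported Windows Security events for RDP brute force that ended in success.

Added example (not from the original page). Input format is an assumption:
one event per line as  timestamp|EventID|LogonType|Account|SourceIP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures from 203.0.113.7, then a type-10 success;
# a local console logon and an unrelated clean RDP logon for contrast.
SAMPLE_EVENTS = """\
2017-03-27T02:14:01|4625|10|Administrator|203.0.113.7
2017-03-27T02:14:03|4625|10|admin|203.0.113.7
2017-03-27T02:14:05|4625|10|backup|203.0.113.7
2017-03-27T02:14:07|4625|10|Administrator|203.0.113.7
2017-03-27T02:14:09|4625|10|Administrator|203.0.113.7
2017-03-27T02:14:12|4624|10|Administrator|203.0.113.7
2017-03-27T08:30:00|4625|2|alice|127.0.0.1
2017-03-27T08:30:05|4624|2|alice|127.0.0.1
2017-03-27T09:00:00|4624|10|bob|10.0.0.25
"""

FAILURE_THRESHOLD = 5          # failures within WINDOW that count as a brute-force burst
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the assumed pipe-delimited export into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_rdp_bruteforce_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per source IP that had >= threshold failed type-10
    logons inside `window` immediately before a successful type-10 logon."""
    recent_failures = defaultdict(list)   # src -> timestamps of recent 4625s
    findings = []
    for e in events:
        if e["logon_type"] != 10:
            continue                      # only RemoteInteractive (RDP) logons matter here
        src = e["src"]
        if e["id"] == 4625:
            recent_failures[src].append(e["time"])
            # keep only failures still inside the sliding window
            recent_failures[src] = [t for t in recent_failures[src] if e["time"] - t <= window]
        elif e["id"] == 4624:
            fails = [t for t in recent_failures[src] if e["time"] - t <= window]
            if len(fails) >= threshold:
                findings.append({
                    "src": src,
                    "account": e["account"],
                    "failures_before_success": len(fails),
                    "success_time": e["time"].isoformat(),
                })
            recent_failures[src].clear()  # a success resets the burst for that source
    return findings


if __name__ == "__main__":
    for finding in find_rdp_bruteforce_success(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

A hit here is the cue to treat the host as attacker-controlled rather than merely infected: rotate the credentials for the account that succeeded, check whether RDP is reachable from the Internet at all, and look for what was installed after the success time before turning to file recovery.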
Detecting the BTCWare Ransomware by symptoms such as a new '.onyon' or '.master' extension on your files is simple, but by the time those appear the encryption has already run. Anyone who can't afford to lose their data should watch their network exposure and Web-browsing habits closely so they never see these symptoms and their attendant problems at all.
Technical Details
File System Modifications
The following files were created in the system:

file.exe
File name: file.exe
Size: 311.8 KB (311808 bytes)
MD5: 497c5a51d631d1cd79d5eae21eb2cb92
Detection count: 225
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020

%APPDATA%\111svhost.exe
File name: 111svhost.exe
Size: 192.51 KB (192512 bytes)
MD5: d0859aea3795ab294366ca5b5d3ef6cb
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: September 19, 2017

%ALLUSERSPROFILE%\!#_READ_ME_#!.hta
File name: !#_READ_ME_#!.hta
Size: 4.12 KB (4126 bytes)
MD5: 0a13b8f171275dc65e883fef727fbf77
Detection count: 35
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017
Registry Modifications
File name without path: #_HOW_TO_FIX_!.hta
Regexp file mask: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vaqet.exe (the per-user Startup folder, which runs the file at every logon)
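The symptoms named earlier (the appended '.onyon' or '.master' extension) and the artifacts listed under Technical Details can be turned into a single indicator sweep. The Python below is an added example, not code from the original page or from any vendor tool. It flags filenames that end in a bracketed contact address followed by a family extension, the two ransom-note names, executables dropped into the per-user Startup folder, and the three MD5s given above. The bracketed-contact layout is an assumption about how the appended contact information looks, and the sample listing is constructed with placeholder contents, so nothing here touches a real system.

```python
"""Sweep a file listing for the BTCWare indicators given on this page.

Added example, not from the original page. The encrypted-name layout
(<original name>.[<contact address>].<family extension>) is an assumption;
adjust ENCRYPTED_NAME if your samples differ.
"""
import hashlib
import re

FAMILY_EXTENSIONS = {"onyon", "master"}      # extensions named on this page
RANSOM_NOTE_NAMES = {"!#_READ_ME_#!.hta", "#_HOW_TO_FIX_!.hta"}
STARTUP_DIR = "/microsoft/windows/start menu/programs/startup/"
KNOWN_MD5S = {                               # from the Technical Details section
    "497c5a51d631d1cd79d5eae21eb2cb92": "file.exe",
    "d0859aea3795ab294366ca5b5d3ef6cb": "111svhost.exe",
    "0a13b8f171275dc65e883fef727fbf77": "!#_READ_ME_#!.hta",
}
# Assumed layout of an encrypted file's name (contact address in brackets).
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def classify_name(name):
    """Verdict from the bare filename, or None if nothing matched."""
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    m = ENCRYPTED_NAME.match(name)
    if m and m.group("ext").lower() in FAMILY_EXTENSIONS:
        return "encrypted_file"
    return None


def verdict_for(path, md5hex):
    """Combine hash, location and name checks for one file.
    A hash match outranks the others because it identifies the dropper itself."""
    norm = path.replace("\\", "/")
    name = norm.rsplit("/", 1)[-1]
    if md5hex.lower() in KNOWN_MD5S:
        return "known_hash:" + KNOWN_MD5S[md5hex.lower()]
    if STARTUP_DIR in norm.lower() and name.lower().endswith(".exe"):
        return "startup_executable"
    return classify_name(name)


def sweep(listing):
    """listing: iterable of (path, contents-as-bytes).
    Returns [(path, verdict)] for every entry that matched an indicator."""
    hits = []
    for path, data in listing:
        verdict = verdict_for(path, hashlib.md5(data).hexdigest())
        if verdict:
            hits.append((path, verdict))
    return hits


# Constructed sample listing; placeholder contents, so no hash will match here.
SAMPLE_LISTING = [
    (r"C:\Users\alice\Documents\budget.xlsx.[someone@example.com].onyon", b"\x00" * 16),
    (r"C:\Users\alice\Pictures\trip.jpg.[someone@example.com].master", b"\x01" * 16),
    (r"C:\ProgramData\!#_READ_ME_#!.hta", b"<html>note</html>"),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaqet.exe", b"MZ"),
    (r"C:\Users\alice\Documents\archive.[2016].zip", b"PK"),   # brackets but no family extension
    (r"C:\Users\alice\Documents\notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for path, verdict in sweep(SAMPLE_LISTING):
        print(f"{verdict:20s} {path}")
```

Name and extension matches confirm that encryption already happened; the hash and Startup-folder matches are the ones worth acting on first, since they point at the dropper and its persistence rather than at the damage. Note also that 111svhost.exe is named to resemble the legitimate svchost.exe, which is why matching on the hash rather than eyeballing the process list matters.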