
06/19/17: Malware - BTCWare Ransomware | Security Bulletin


Threat Summary

Overview

BTCWare is a conventional ransomware family. It encrypts data on the victim machine and demands payment in exchange for a decryption key that restores access to the encrypted files.

Exploitation

Stages

  1. The victim, or an attacker already on the host, downloads the ransomware from an attacker-controlled web server.
  2. The payload is delivered to the compromised host.
  3. The ransomware is executed manually on the compromised host.

Prerequisites

No prior authentication is required for the attack to succeed.

Vulnerability Description

BTCWare is ransomware that is used to take a victim’s files hostage and then demand payment in exchange for a code that returns access to the seized files. The BTCWare Ransomware is just one of many ransomware families currently being used to extort money from victims.


Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures for detecting it, depending on the security service in place.

Detection of this threat is provided via the Alert Logic ActiveWatch™ for Log Manager™ service. The infected host produces log messages when ransomware of this type runs. An incident will be generated in the Alert Logic console if these log messages are observed.


Recommendations for Mitigation

To confirm a BTCWare infection, a user may observe multiple files with the extension “.onyon”, “.btcware”, “.blocking”, “.xfile”, “.master”, “.theva”, “.cryptobyte”, or “.cryptowin” on the file system. The extension depends on the version of the ransomware. BTCWare also creates a ransom note (“#_HOW_TO_FIX_!.hta.htm”, “!#_RESTORE_FILES_#!.inf” or “!#_DECRYPT_#!”) and places it on the desktop. The note name also depends on the variant that performed the infection.
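The indicators above (variant extensions and ransom-note names) can be swept for directly on a host or on a mounted disk image, and the same classification can be applied to file-creation log events to raise an incident, as the log-based detection section describes. The following is an added example written for this bulletin; it is not Alert Logic’s signature content or BTCWare’s own code. The log line format, the “event=FileCreate” field names, the burst threshold (5 encrypted-extension creates within 60 seconds) and all sample paths and log lines are constructed assumptions for the demonstration. Since the bulletin lists “!#_DECRYPT_#!” without an extension, it is matched as a file-name prefix.

```python
"""IOC sweep for BTCWare indicators from the bulletin: variant extensions and
ransom-note names, applied to a directory tree and to file-creation log lines.
Added example; log format, threshold and sample data are assumptions."""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta

# Extensions appended by known BTCWare variants (as listed in the bulletin).
BTCWARE_EXTENSIONS = {".onyon", ".btcware", ".blocking", ".xfile",
                      ".master", ".theva", ".cryptobyte", ".cryptowin"}
# Ransom-note file names dropped on the desktop (as listed in the bulletin).
RANSOM_NOTE_NAMES = {"#_how_to_fix_!.hta.htm", "!#_restore_files_#!.inf"}
# "!#_DECRYPT_#!" is listed without an extension, so match it as a prefix.
RANSOM_NOTE_PREFIXES = ("!#_decrypt_#!",)


def classify_path(path):
    """Return 'encrypted', 'ransom_note' or None for one file path.

    Accepts Windows or POSIX separators so it works on exported logs too."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    if name in RANSOM_NOTE_NAMES or name.startswith(RANSOM_NOTE_PREFIXES):
        return "ransom_note"
    if os.path.splitext(name)[1] in BTCWARE_EXTENSIONS:
        return "encrypted"
    return None


def scan_directory(root):
    """Walk a tree; return (Counter of indicator kinds, list of (kind, path))."""
    counts, hits = Counter(), []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            kind = classify_path(full)
            if kind:
                counts[kind] += 1
                hits.append((kind, full))
    return counts, hits


# Assumed log format (constructed): "<ISO ts>Z host=<name> event=FileCreate path=<path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=FileCreate path=(?P<path>.+)$")


def scan_log_lines(lines, burst=5, window=timedelta(seconds=60)):
    """Per host, alert on a ransom-note drop or on >= `burst` creates of
    encrypted-extension files inside a sliding `window`. A single file with a
    listed extension (e.g. a legitimate ASP.NET .master page) does not alert
    on its own. Returns {host: sorted list of reasons}."""
    recent, alerts = {}, {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a file-creation event in the assumed format
        kind = classify_path(m.group("path"))
        if kind is None:
            continue
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        reasons = alerts.setdefault(host, set())
        if kind == "ransom_note":
            reasons.add("ransom_note")
            continue
        # keep only encrypted-file events inside the window ending at ts
        times = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = times
        if len(times) >= burst:
            reasons.add("encryption_burst")
    return {h: sorted(r) for h, r in alerts.items() if r}


# Constructed sample log: WS01 shows a burst plus a note, WS02 a lone .master
# file (ASP.NET master page), WS03 two encrypted files 10 minutes apart.
SAMPLE_LOG = r"""
2017-06-19T10:00:01Z host=WS01 event=FileCreate path=C:\Users\bob\Documents\q2.xlsx.onyon
2017-06-19T10:00:02Z host=WS01 event=FileCreate path=C:\Users\bob\Documents\plan.docx.onyon
2017-06-19T10:00:03Z host=WS01 event=FileCreate path=C:\Users\bob\Documents\notes.txt.onyon
2017-06-19T10:00:04Z host=WS01 event=FileCreate path=C:\Users\bob\Pictures\cat.jpg.onyon
2017-06-19T10:00:05Z host=WS01 event=FileCreate path=C:\Users\bob\Pictures\dog.jpg.onyon
2017-06-19T10:00:20Z host=WS01 event=FileCreate path=C:\Users\bob\Desktop\#_HOW_TO_FIX_!.hta.htm
2017-06-19T10:05:00Z host=WS02 event=FileCreate path=C:\inetpub\wwwroot\Site.master
2017-06-19T10:10:00Z host=WS03 event=FileCreate path=C:\Users\amy\a.pdf.btcware
2017-06-19T10:20:00Z host=WS03 event=FileCreate path=C:\Users\amy\b.pdf.btcware
""".strip().splitlines()


def demo_scan():
    """Build a throwaway tree of constructed sample files and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.pdf.btcware", "budget.xlsx.cryptobyte", "notes.txt"):
            open(os.path.join(docs, name), "w").close()
        open(os.path.join(root, "!#_DECRYPT_#!.txt"), "w").close()
        counts, _ = scan_directory(root)
    return dict(counts)


if __name__ == "__main__":
    print("filesystem sweep:", demo_scan())
    print("log alerts:", scan_log_lines(SAMPLE_LOG))
```

The burst threshold matters because at least one listed extension, “.master”, is also used by legitimate files (ASP.NET master pages), so a single match is weak evidence on its own; a ransom-note drop or a rapid run of renamed files is the stronger signal. On a live host, run the sweep from a read-only perspective (or against a mounted image) rather than writing to the disk you intend to preserve for forensics.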

Paying the ransom only encourages more of this type of activity. The best method to remediate this issue is to reformat and reinstall the host and restore data from the last known-good backup. In addition, a tool is available that may decrypt files affected by one or more of the BTCWare variants. Before running any third-party decryptor, keep a copy of the encrypted files and the ransom note, since a decryptor built for a different variant can leave the files unrecoverable. This tool is located here: http://malwarewarrior.com/remove-btc-ransomware-decrypt-btc-files/#decrypt

