Ransomware developers are very busy these days, as the number of new malware strains continues to increase exponentially. As one would expect, however, not all types of ransomware are new projects. BTCWare, a rather expensive crypto-ransomware variant, shares a lot of similarities with CrptXXX. That does not make this malware any less dangerous, though.
BTCWare Is The New Kid on the Block
It is becoming more common for cybercriminals to take other ransomware developers’ source code and make slight modifications. This trend will only become more popular as more ransomware-as-a-service offers find their way to darknet marketplaces. BTCWare seems to be largely based on CrptXXX, a type of malware that made quite an impact.
Very little is known about BTCWare so far, as security researchers have yet to finish analyzing the malware sample. However, preliminary research shows this is another CrptXXX variant, with a few more twists and updates under the hood. As one would expect, the encrypted files are renamed to the “.btcware” extension. Restoring file access will require a decryption key, which is unique to every infected computer.
Instructions for BTCWare are very straightforward, which is rather unusual. There is no lengthy text about how the computer got infected or how users should avoid trying to restore files from a backup. In fact, victims are presented with a page explaining them how to pay for the decryption keys and which exchanges to use. Localbitcoins, Paxful, and Coinmama are the three recommended platforms to do so, according to a screenshot provided by MalwareHunterTeam.
There's another ransomware: BTCWare.
Looks like someone already paid…@BleepinComputer @demonslay335 pic.twitter.com/XEMUTdzxLH
— MalwareHunterTeam (@malwrhunterteam) March 24, 2017
Speaking of the ransom, BTCWare victims are expected to pay a 0.5 BTC fee for having their files decrypted. That is quite a steep price, despite bitcoin’s recent value decline. At the current rate, users would pay close to US$490 to restore computer access. Since very little is known about BTCWare, it is unclear whether or not restoring files from a backup is a viable alternative. In most cases, recent ransomware families delete shadow volume copies, making data recovery from a backup impossible.
Moreover, security researchers still have to figure out what type of encryption is used by this malware. Until those details can be revealed, victims should not hope for a free decryption tool either. Then again, paying the 0.5 bitcoin ransom may not result in having files restored either. Criminals have no reason to uphold their end of the bargain once a payment is made. It would not be the first time someone pays the bitcoin ransom and not receive their decryption key in the end. Unfortunately, it appears paying the bitcoin ransom is the only course of action right now.
Rest assured BTCWare is not the last type of ransomware to take a page out of CrptXXX’s book. Several similar types of malware exist already, including AngleWare and Zorro. However, BTCWare is one of the few types of ransomware demanding a high fee to be paid. It is believed spam campaigns and malicious downloads over peer-to-peer networks are the most common distribution channels for BTCWare right now. Rogers Hi-Speed Internet is one of the fake software downloads designed to distribute BTCWare to unsuspecting victims as of right now.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.