The Merkle

Bitcoin Ransomware Education: Nuclear BTCWare

It was only a matter of time until we would see a new clone of the BTCWare malware family. As the name suggests, BTCWare is one of the more popular and profound Bitcoin malware types in existence. The latest family member of this strain is called Nuclear and is apparently distributed through Remote Desktop services. Anyone relying on such a tool to connect to computers remotely may want to take this opportunity to update their login credentials. Right now, any weak password is prone to this attack vector, which means a lot of ransomware infection reports are on the horizon.

Nuclear BTCWare is an Annoying Malware

Few things are almost a guaranteed certainty in life. Death, taxes, and Bitcoin-related ransomware make up the top three right now. Especially now, the latter category can be quite problematic for people worldwide. With so many different types of Bitcoin malware to contend with, computer users must do everything they can to keep their digital information safe from harm. Unfortunately, that is often much easier said than done, and common mistakes need to be avoided at all costs.

One of those mistakes is using weak and easy-to-guess passwords for particular services. Beyond just email accounts or social media platforms, it turns out Remote Desktop application credentials are also subject to this issue. Criminals are always looking for ways to exploit these weaknesses and cause a lot of harm in the long run. In this particular case, they exploit Remote Desktop connections set up with weak login credentials.

This method allows cybercriminals to distribute the Nuclear BTCware variant, a new type of ransomware that can be very difficult to get deleted. The payload itself is distributed and installed through the Remote Desktop protocol, which is problematic. Making matters worse is the fact that there is no decryption method for Nuclear BTCWare right now that does not involve paying a Bitcoin fee. While security researchers are looking for ways to resolve this matter, it may take a lot of time until we see a free decryption solution for Nuclear.

Under the hood, Nuclear offers a few small differences from its brethren. The encryption method is the same as with any BTCWare malware type, but the ransom note itself is slightly different. Payment information can be obtained by emailing the criminals using the included email address, but there is no standard Bitcoin fee to pay right now. Given the vast amounts of money ransomware developers can charge for the decryption key, it is unclear how much people will need to cough up to get their files back.  The average price across all ransomware types seems to be around US$500.

Ransomware will remain a very big threat for the foreseeable future. BTCWare is one of the top ransomware families in circulation, and a new variant is discovered virtually every week. This does not bode well for the future victims of malware. It is not the first time criminals have leveraged lackluster security precautions associated with Remote Desktop connections to distribute malicious payloads. User error often allows criminals to take advantage of such tools.

With no free decryption method available and a seemingly unblockable way of distributing Nuclear BTCWare, we may see an increasing amount of ransomware reports in the near future. Servers used by corporations, institutions, and even universities are particularly vulnerable. Strong passwords should always be enforced by default, rather than allowing users to create their own. Remote desktop connectivity is an emerging trend, but rest assured criminals will attempt to leverage any weakness they can find.