Edrick Smith, Posted January 30, 2018:
So a client machine has that pesky worm that encrypts all your data then demands a ransom. It says to email decrypt@btcbtcbtc.top. I'm running a Malwarebytes scan on it now to remove the ransomware, but how do you decrypt the files?
Circaflex, Posted January 30, 2018:
What are the file extensions of the encrypted files? There might be a tool, or, fingers crossed, shadow copies.
Edrick Smith (Author), Posted January 30, 2018:
.wallet, it seems.
Circaflex, Posted January 30, 2018 (edited):
Luckily, it seems the encryption keys have been found and there is a tool to decrypt .wallet files and retrieve your data. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/ That link will give you the fine details/instructions; here are mine in short form:
Download this tool: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe
Run it; this will take a while, and hopefully your files are back. There is one point when running the program where there are two check boxes; leave both checked when you run the scan.
Kaspersky also has a tool to decrypt wallet files: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip
I would probably give Kaspersky a shot first, as it is newer; however, both should do the job just fine.
Edrick Smith (Author), Posted January 30, 2018:
Quoting Circaflex (just now): "Luckily, it seems the encryption keys have been found and there is a tool to decrypt .wallet files and retrieve your data. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/ That link will give you the fine details/instructions; here are mine in short form: Download this tool: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe Run it; this will take a while, and hopefully your files are back. There is one point when running the program where there are two check boxes; leave both checked when you run the scan."
Is it recommended to wipe/reimage the system after, or do tools like Malwarebytes and the decryption software do a good enough job?
Circaflex, Posted January 30, 2018:
Quoting Edrick Smith (just now): "Is it recommended to wipe/reimage the system after, or do tools like Malwarebytes and the decryption software do a good enough job?"
If it were my machine, or a friend's, I would wipe and start over; however, if you like a good project and are tech savvy enough to replace system files, you can probably fix it enough with Malwarebytes and some manual repair. Totally up to you; everyone values their time differently.
Edrick Smith (Author), Posted January 30, 2018:
The Avast tool is coming back with "Invalid Password or decryption key." It says [decrypt@btcbtcbtc.top]-id-BAC_wallet.
Circaflex, Posted January 30, 2018 (edited):
Quoting Edrick Smith (3 minutes ago): "The Avast tool is coming back with "Invalid Password or decryption key." It says [decrypt@btcbtcbtc.top]-id-BAC_wallet."
Give the Kaspersky tool a try; I believe it was a little newer. http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip
Edrick Smith (Author), Posted January 30, 2018:
Quoting Circaflex (just now): "Give the Kaspersky tool a try; I believe it was a little newer. http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip"
Unfortunately, that one says it's an unsupported encryption type.
Jim K (Global Moderator), Posted January 30, 2018:
Have you tried this to identify what ransomware variety your client has been infected with ... to see if there is a decrypter for it? https://id-ransomware.malwarehunterteam.com/index.php?lang=en_US
Edrick Smith (Author), Posted January 30, 2018 (edited):
According to that link, via the email method (as I've stepped away from the computer right now), it says the following based on that email address. However, the extensions it lists for BTCWare don't match my .wallet.
"BTCWare PayDay. This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future. Identified by ransomnote_email: decrypt@btcbtcbtc.top. Click here for more information about BTCWare PayDay."
Jim K (Global Moderator), Posted January 30, 2018:
Quoting Edrick Smith (just now): "According to that link, via the email method (as I've stepped away from the computer right now), it says the following based on that email address: BTCWare PayDay. This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future. Identified by ransomnote_email: decrypt@btcbtcbtc.top. Click here for more information about BTCWare PayDay."
Did you upload a sample encrypted file?
Edrick Smith (Author), Posted January 30, 2018:
Quoting Jim K (1 minute ago): "Did you upload a sample encrypted file?"
Not yet. I'm not at the computer currently; that was just based on its return with the email address.
Jim K (Global Moderator), Posted January 30, 2018:
OK, you may have the same thing as this poor gent (new BTCWare variant with .wallet extension) ... https://www.bleepingcomputer.com/forums/t/668054/new-btcwware-variant-with-wallet-extension/
Which, if it is a newer variant ... according to Bleeping Computer: "Unfortunately, newer variants of BTCWare are AES-256 versions of the malware which uses a different RSA-1024 key and are not decryptable unless you pay the ransom and get the private AES key from the criminals. There is no way to bruteforce the key for any of these versions."
If the encrypted file sample comes back with the same ransomware variant ... yea ... you may want to take a look at Bleeping Computer. Obviously, don't pay the ransom, but you may have to blow up the hard drive.
Edit: I really wish Microsoft would release some sort of preventative measures for this crud. Not sure how they can ... but dang if this wouldn't tick me off to no end. Some are getting installed via brute force of RDP. /rant off
Edrick Smith (Author), Posted January 30, 2018:
I've uploaded a file and the .txt instruction file, and it confirmed it is as listed above, with no method of unlocking.
Warwagon (MVC), Posted January 30, 2018:
Quoting Jim K (3 hours ago): "I really wish Microsoft would release some sort of preventative measures for this crud. Not sure how they can ... but dang if this wouldn't tick me off to no end. Some are getting installed via brute force of RDP. /rant off"
Who puts RDP Internet-facing? VPN + RDP is the only way I roll.
Jim K (Global Moderator), Posted January 30, 2018:
Quoting Edrick Smith (50 minutes ago): "I've uploaded a file and the .txt instruction file, and it confirmed it is as listed above, with no method of unlocking."
I don't want to say you're SOL ... but I think you're kinda SOL. If there isn't a decrypter ... then the only thing you can do is hold out and hope one becomes available, or blast the drive (when in doubt ... C4 ... though it might be overkill). Someone might have a better opinion ... or you could pose the question at Bleeping and see what they say. But no decrypter = no files.
Edrick Smith (Author), Posted January 30, 2018:
Unfortunately, it looks like the drive is going to have to be nuked. But I think it'll have to go back to the vendor, as it's a Windows 7 Embedded platform. It also screwed the recovery partition.
goretsky (Supervisor), Posted January 31, 2018:
Hello,
Contact the anti-malware company whose software is on the client's box and explain the situation to them. They should tell you what artefacts (forensic info like logs, samples of encrypted files, a copy of the ransomware note, wallpaper, etc.) they need in order to tell you whether or not the system can currently be decrypted. Even if the answer is "no" right now, it may be possible that some event in the future allows for decryption.
I'd also suggest removing the drive and putting a new one in, as that leaves the old drive with its encrypted files intact if needed for insurance and legal purposes.
Regards,
Aryeh Goretsky
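The artefact list above (logs, encrypted samples, the ransom note) and the earlier "fingers crossed for shadow copies" remark both describe things to collect before the drive is wiped. The script below is an added example, not code from this thread or from any vendor: it gathers those items into one folder and hashes them. It assumes it is run as administrator on the affected machine before reimaging, that an external drive is attached for the evidence folder (the E:\ path is a placeholder), and that the encrypted-file suffix is the .wallet one reported in the thread.

```powershell
# Added example, not from the thread: gather the artefacts an anti-malware
# vendor usually asks for, without altering the encrypted files themselves.
# Assumptions: run elevated on the affected machine before it is wiped;
# $Evidence is on an external drive (placeholder path); the encrypted-file
# suffix is the '.wallet' reported in the thread.
param(
    [string]$Root        = 'C:\',
    [string]$Evidence    = 'E:\Evidence\CASE-PLACEHOLDER',  # placeholder
    [string]$Suffix      = '.wallet',
    [int]   $SampleCount = 5
)

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Inventory every encrypted file (names, sizes, timestamps only).
$encrypted = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Suffix" }
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $Evidence 'encrypted-files.csv') -NoTypeInformation

# 2. Copy a few of the smallest encrypted files as samples. Analysts get the
#    most out of a pair: an encrypted file plus a clean copy of the original
#    from a backup or e-mail attachment, if one exists.
$encrypted | Sort-Object Length | Select-Object -First $SampleCount |
    ForEach-Object { Copy-Item -LiteralPath $_.FullName -Destination $Evidence }

# 3. Ransom notes: the thread mentions a .txt instruction file. Collect any
#    text/HTML file that names the contact address or looks like a note.
Get-ChildItem -Path $Root -Recurse -File -Include *.txt, *.hta, *.html -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match 'decrypt|readme|how_to|info' -or
        (Select-String -LiteralPath $_.FullName -Pattern 'btcbtcbtc' -Quiet)
    } |
    ForEach-Object { Copy-Item -LiteralPath $_.FullName -Destination $Evidence -ErrorAction SilentlyContinue }

# 4. Shadow copies: the "fingers crossed" case from earlier in the thread.
#    Record whatever survived before anything else touches the volume.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName, DeviceObject |
    Export-Csv -Path (Join-Path $Evidence 'shadow-copies.csv') -NoTypeInformation

# 5. Hash the bundle so the vendor can confirm nothing changed in transit.
Get-ChildItem -Path $Evidence -File |
    Where-Object Name -ne 'manifest.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Evidence 'manifest.csv') -NoTypeInformation
```

Everything is read from the original volume and written only to the evidence folder; the encrypted files and notes are copied, never moved or renamed, so the original drive still matches what the vendor receives if it is later pulled and kept, as suggested above.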
Mando, Posted January 31, 2018:
Quoting warwagon (on 1/30/2018 at 4:36 AM): "Who puts RDP Internet-facing? VPN + RDP is the only way I roll."
Plenty of people, sadly.
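The exchange above is about RDP being reachable from the Internet and being brute-forced. As an added example, not from the thread, here is a check an administrator can run on a Windows host to see whether it is in that state, and whether failed RDP logons have been piling up. It assumes the default RDP listener on TCP 3389 and the built-in "Remote Desktop" firewall rule group (defaults, not facts from the thread), and it needs an elevated prompt to read the Security log.

```powershell
# Added example, not from the thread: audit RDP exposure on this host and
# count recent failed RDP logons. Assumes the default 3389 listener and the
# built-in 'Remote Desktop' firewall rule group. Run as administrator.

function Get-RdpExposure {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # Network Level Authentication: 1 = credentials are checked before a
    # session is created, which removes most of the pre-auth attack surface.
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

    # Firewall profiles and source scope for the RDP rules. A rule enabled on
    # the Public profile with remote address 'Any' is the exposed case.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    $profiles = ($rules | ForEach-Object { $_.Profile.ToString() } | Sort-Object -Unique) -join ','
    $scopes = @($rules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress } | Sort-Object -Unique)

    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nla
        Listening3389     = $listening
        FirewallProfiles  = $profiles
        AllowedSources    = ($scopes -join ',')
        UnrestrictedScope = ($scopes -contains 'Any')
    }
}

function Get-RdpFailedLogons {
    param([int]$Hours = 24)
    # Event 4625 with LogonType 10 (RemoteInteractive) is a failed RDP logon.
    # Many of them from a handful of source IPs is what password guessing
    # over RDP looks like in the log.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $type = ($data | Where-Object Name -eq 'LogonType').'#text'
            if ($type -eq '10') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                    Source = ($data | Where-Object Name -eq 'IpAddress').'#text'
                }
            }
        } |
        Group-Object Source |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'UsersTried'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-RdpExposure | Format-List
Get-RdpFailedLogons -Hours 24 | Format-Table -AutoSize
```

If the first function reports the listener enabled on the Public profile with an unrestricted scope, the fix the thread recommends is to take RDP off the edge and reach it over a VPN; restricting the rule's remote addresses to the VPN subnet and leaving NLA on are the minimum changes. A large count from a few source IPs in the second table is the brute-force pattern Jim K describes.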
Edrick Smith (Author), Posted February 1, 2018:
The data isn't per se worth the effort. It's a card access controller with under 100 users, so we'll just have to rebuild the card database.
Edrick Smith (Author), Posted February 9, 2018:
So I've found, on a protected area, the .vhd files that were created by the manufacturer of the unit that represent each partition. How can I go about restoring those?
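The thread does not answer how those vendor .vhd images are put back, and the restore step depends on the manufacturer's recovery procedure. What can be shown safely, as an added example that is not from the thread, is the first step a technician would take: attach each image read-only on a separate Windows 8 or later machine and list what it contains, so the recovery set is verified before anything is written to the controller. The folder path is a placeholder.

```powershell
# Added example, not from the thread: inspect vendor-supplied .vhd files
# read-only to confirm what each one holds before attempting any restore.
# Assumes a Windows 8+/10 technician machine with the Storage module; the
# folder below is a placeholder. The actual restore is vendor-specific and
# is not performed here.

$vhdFiles = Get-ChildItem -Path 'E:\vendor-recovery\' -Filter *.vhd   # placeholder path

foreach ($vhd in $vhdFiles) {
    # Read-only attach: nothing inside the image can be modified, so the
    # recovery set stays pristine if a first restore attempt goes wrong.
    Mount-DiskImage -ImagePath $vhd.FullName -Access ReadOnly | Out-Null
    $disk = Get-DiskImage -ImagePath $vhd.FullName | Get-Disk

    "== {0}: disk {1}, {2:N2} GB, partition style {3}" -f `
        $vhd.Name, $disk.Number, ($disk.Size / 1GB), $disk.PartitionStyle

    $disk | Get-Partition | ForEach-Object {
        $vol = $_ | Get-Volume -ErrorAction SilentlyContinue
        "  partition {0}: type={1} size={2:N2} GB fs={3} label='{4}' letter={5}" -f `
            $_.PartitionNumber, $_.Type, ($_.Size / 1GB),
            $vol.FileSystem, $vol.FileSystemLabel, $_.DriveLetter
    }

    # Detach before moving to the next image so drive letters are released.
    Dismount-DiskImage -ImagePath $vhd.FullName | Out-Null
}
```

The output tells you whether each image is a whole-disk image or a single partition, which filesystem and label it carries, and therefore which of the controller's partitions it corresponds to. With that confirmed, the restore itself should follow the manufacturer's documented procedure for the Windows 7 Embedded unit rather than an improvised one.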