Ransom BTCWare

Posted on July 25, 2017

Name on Threat: BTCWare

Threat Vector: Email

IOC Hash: Sha256: b6bf6c510c52124355e55d8799d02750d2405136b9cc6c42b5eb00dd0e66e965


BTCWare is a ransomware that first appeared around March 2017. We describe here the latest variant, called BTC.Aleta due to the extension used on the encrypted files.

As one gets infected with this ransomware, they get greeted by this ransom note:


Fig. 1. BTCWare ransom note


This ransomware first checks its presence on the system by querying the following mutex name:


It deletes volume shadows to prevent file recovery by running the following commands using ShellExecute API.


It drops the ransom note in the %APPDATA% folder as:

  • Info.hta

Then, it creates an autostart registry entry so that at each reboot, the ransom note will appear.

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun


Encryption Process

This ransomware is not a typical one that targets specific extension names. It encrypts all files including programs (.exe, .dll). To avoiding messing up the whole operating system, it does not encrypt folders that have the following substrings in their name:

  • $recycle.bin
  • msocache
  • program files
  • program files (x86)
  • ProgramData
  • programdata
  • programdata
  • windows
  • nvidia
  • intel
  • appdata
  • temp

It also encrypts files mounted from network shares. It uses WNetOpenEnumA and WNetEnumResourceA to enumerate network shares.

It uses AES and RSA 1024 encryption.

The way it encrypts the files is, it reads the content of the target file, encrypts it and writes the encrypted data into a different file using the following filename format:

  • {filename}.{ext}.[email address].aleta

Example: tool.exe.[decryptyourfileshereee1@cock.li].aleta

Afterwards, it deletes the original file.

Aleta is the latest variant we have seen as of this writing. Previous variants uses the following format:

  • .[< email address >].btcware
  • .[< email address >].cryptobyte
  • .[< email address >].cryptowin
  • .[< email address >].theva
  • .[< email address >].onyon
  • .[< email address >].master
  • .onyon
  • .xfile

Infection Method

The latest variants of BTCWare (.aleta) are being distributed via “Malspam” with a malicious javascript attachment (Nemucod). The javascript will download this ransomware from links that have “f=1.doc” as a parameter, such as:

  • http://whousexpress(dot)bid/admin.php?f=1.doc
  • http://thalassaworks(dot)bid/admin.php?f=1.doc
  • http://chalconcards(dot)win/admin.php?f=1.doc
  • http://loxoconcepts(dot)win/admin.php?f=1.doc
  • http://bocoolagodenz(dot)com/admin.php?f=1.doc
  • http://dolopolesasz(dot)com/support.php?f=1.doc
  • http://asopusforums(dot)date/support.php?f=1.doc

Anti-Sandbox Armoring

The samples we have analyzed are packed. The packer incorporates anti-sandbox by calling useless APIs in a loop to waste time and avoid giving away its true intent.

Other Info

The latest samples we have seen are also signed with this signer


The certificates are already revoked.