Ransom BTCWare
Posted on July 25, 2017
Name on Threat: BTCWare
Threat Vector: Email
IOC Hash: SHA-256: b6bf6c510c52124355e55d8799d02750d2405136b9cc6c42b5eb00dd0e66e965
Description
BTCWare is a ransomware that first appeared around March 2017. We describe here the latest variant, called BTC.Aleta due to the extension used on the encrypted files.
Once a machine is infected, the victim is greeted with the following ransom note:
Installation
This ransomware first checks its presence on the system by querying the following mutex name:
- MASTERLOCK
It deletes volume shadow copies to prevent file recovery, running the following commands through the ShellExecute API:
It drops the ransom note in the %APPDATA% folder as:
- Info.hta
Then it creates an autostart registry entry so that the ransom note reappears at every reboot:
- Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Value name: DECRYPT INFO
Encryption Process
This ransomware does not target a fixed list of file extensions, as most ransomware does. It encrypts all files, including executables (.exe, .dll). To avoid rendering the operating system unusable, it skips folders whose path contains any of the following substrings:
- $recycle.bin
- msocache
- program files
- program files (x86)
- ProgramData
- programdata
- windows
- nvidia
- intel
- appdata
- temp
It also encrypts files on network shares, which it enumerates with the WNetOpenEnumA and WNetEnumResourceA APIs.
It uses AES and RSA-1024 encryption.
To encrypt a file, it reads the content of the target file, encrypts it, and writes the encrypted data to a new file named according to the following format:
- {original filename}.{ext}.[email address].aleta
Example: tool.exe.[decryptyourfileshereee1@cock.li].aleta
Afterwards, it deletes the original file.
Aleta is the latest variant we have seen as of this writing. Previous variants used the following formats:
- .[< email address >].btcware
- .[< email address >].cryptobyte
- .[< email address >].cryptowin
- .[< email address >].theva
- .[< email address >].onyon
- .[< email address >].master
- .onyon
- .xfile
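The naming schemes listed above are the most reliable on-disk artefact for telling which BTCWare variant hit a machine. The following script is an added example (not code from the original write-up) that parses a filename against every scheme above, recovers the original name and the attacker e-mail address where one is embedded, and tallies variants across a directory listing. The e-mail address in the first sample name is the one quoted in the write-up; the other sample names, the `example.invalid` address, and the `BTCWareMatch` and `summarize_variants` names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions appended by the BTCWare family, as listed in the write-up.
# Schemes that embed an attacker e-mail address in square brackets:
EMAIL_VARIANTS = ("aleta", "btcware", "cryptobyte", "cryptowin", "theva", "onyon", "master")
# Schemes that append a bare extension with no e-mail marker:
BARE_VARIANTS = ("onyon", "xfile")

# <stem>.[<email>].<variant>  -- the stem keeps the original extension (tool.exe)
_EMAIL_PATTERN = re.compile(
    r"^(?P<stem>.+?)\.\[(?P<email>[^\]]+)\]\.(?P<variant>" + "|".join(EMAIL_VARIANTS) + r")$",
    re.IGNORECASE,
)
# <stem>.<variant>
_BARE_PATTERN = re.compile(
    r"^(?P<stem>.+?)\.(?P<variant>" + "|".join(BARE_VARIANTS) + r")$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class BTCWareMatch:
    original_name: str      # filename as it was before encryption
    variant: str            # lower-cased extension family, e.g. "aleta"
    email: Optional[str]    # attacker contact address, if the scheme carries one


def parse_encrypted_name(filename: str) -> Optional[BTCWareMatch]:
    """Return match details if filename follows a BTCWare naming scheme, else None."""
    m = _EMAIL_PATTERN.match(filename)
    if m:
        return BTCWareMatch(m["stem"], m["variant"].lower(), m["email"])
    m = _BARE_PATTERN.match(filename)
    if m:
        return BTCWareMatch(m["stem"], m["variant"].lower(), None)
    return None


def summarize_variants(filenames: List[str]) -> Dict[str, int]:
    """Count encrypted files per variant; unaffected files are ignored."""
    counts: Dict[str, int] = {}
    for name in filenames:
        hit = parse_encrypted_name(name)
        if hit is not None:
            counts[hit.variant] = counts.get(hit.variant, 0) + 1
    return counts


# Constructed directory listing: one name from the write-up, the rest made up.
SAMPLE_NAMES = [
    "tool.exe.[decryptyourfileshereee1@cock.li].aleta",
    "invoice.pdf.[restore@example.invalid].btcware",
    "photo.JPG.onyon",
    "notes.txt",
    "backup.zip.xfile",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:55} -> {parse_encrypted_name(name)}")
    print(summarize_variants(SAMPLE_NAMES))
```

Matching anchors on the end of the name, so a legitimate file that merely contains one of these words (for example `master.cfg`) is not flagged; only a trailing `.master` preceded by a bracketed address is. Run it over `os.listdir()` output or a recursive walk of a suspect share to get a per-variant count before deciding which decryptor, if any, applies.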
Infection Method
The latest variants of BTCWare (.aleta) are being distributed via malspam carrying a malicious JavaScript attachment (Nemucod). The JavaScript downloads the ransomware from links that carry "f=1.doc" as a query parameter, such as:
- http://whousexpress(dot)bid/admin.php?f=1.doc
- http://thalassaworks(dot)bid/admin.php?f=1.doc
- http://chalconcards(dot)win/admin.php?f=1.doc
- http://loxoconcepts(dot)win/admin.php?f=1.doc
- http://bocoolagodenz(dot)com/admin.php?f=1.doc
- http://dolopolesasz(dot)com/support.php?f=1.doc
- http://asopusforums(dot)date/support.php?f=1.doc
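A web-proxy log is the natural place to look for the downloader stage described above. The script below is an added example (not code from the original write-up) that scans proxy log lines for two indicators drawn from the list above: a request whose query string carries `f=1.doc`, and a request to one of the listed hosts. It parses the URL rather than substring-searching, so a percent-encoded `f=1%2Edoc` is still caught. The log line layout (`timestamp client method url status`), the `example.invalid` and `intranet.invalid` hostnames and the client addresses are constructed for illustration; the seven defanged hosts are the ones listed in the write-up.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators from the write-up: the payload was fetched from URLs whose query
# string contains f=1.doc, from the hosts listed below (defanged as published).
PAYLOAD_PARAM = ("f", "1.doc")
DEFANGED_HOSTS = (
    "whousexpress(dot)bid", "thalassaworks(dot)bid", "chalconcards(dot)win",
    "loxoconcepts(dot)win", "bocoolagodenz(dot)com", "dolopolesasz(dot)com",
    "asopusforums(dot)date",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as host(dot)bid back into a usable hostname."""
    return indicator.replace("(dot)", ".").replace("hxxp", "http").lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


def matches_payload_parameter(url: str) -> bool:
    """True if the URL's query string carries f=1.doc (percent-encoding decoded)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return PAYLOAD_PARAM[1] in params.get(PAYLOAD_PARAM[0], [])


def matches_known_host(url: str) -> bool:
    """True if the URL's hostname is one of the published download hosts."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in KNOWN_HOSTS


# Constructed log layout: ISO timestamp, client IP, method, URL, HTTP status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reasons) for every line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        url = m["url"]
        reasons = []
        if matches_known_host(url):
            reasons.append("known-host")
        if matches_payload_parameter(url):
            reasons.append("payload-parameter")
        if reasons:
            hits.append((m["client"], url, ",".join(reasons)))
    return hits


# Constructed sample log: the first line uses a host from the write-up.
SAMPLE_LOG = [
    "2017-07-25T10:01:02Z 10.0.0.12 GET http://whousexpress.bid/admin.php?f=1.doc 200",
    "2017-07-25T10:03:17Z 10.0.0.34 GET http://example.invalid/support.php?f=1%2Edoc 200",
    "2017-07-25T10:04:40Z 10.0.0.56 GET http://example.invalid/admin.php?f=2.doc 404",
    "2017-07-25T10:05:09Z 10.0.0.78 GET http://intranet.invalid/report?f=1.doc 200",
    "this line is not a proxy record",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:12} {reasons:30} {url}")
```

The two indicators age differently: the host list goes stale as soon as the campaign rotates domains, while the `f=1.doc` parameter pattern survived across the hosts in the list, so a hit on the parameter alone (as on the `intranet.invalid` line) is still worth a look even when the host is unknown.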
Anti-Sandbox Armoring
The samples we have analyzed are packed. The packer includes an anti-sandbox measure: it calls useless APIs in a loop to burn time and delay revealing its true intent.
Other Info
The latest samples we have seen are also signed by the following signer:
- DEMUS, OOO
The certificate has already been revoked.