Remove Btcware Ransomware Virus

How to Remove Btcware Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

    If you want to restore files, use this instructions:
    1. Run website hxxps://dokg5gcojuswihof.onion.to
    2. In login panel enter your personal ID: –
    3. Follow next instruction on website

    Warning! Do not try to decrypt data using third party software, it may cause permanent data loss.


Btcware is the name of the newest member of the ransomware family. The program is an updated version of the CrptXXX threat, and it follows the standard ransomware playbook. The tool finds a way to sneak into your system undetected. Once in, it strikes. Btcware encrypts every single file you keep on your computer: pictures, music, documents, videos. Nothing escapes it. Btcware locks your data with an encryption algorithm whose key stays with the attackers. After it’s done, you find your files renamed and no longer accessible. The ransomware appends its own extension to the end of each file. For example, a photo called ‘mine.jpg’ becomes ‘mine.jpg.btcware’. You can try to change the name back or move the file; nothing works, because it is the contents, not the name, that are encrypted. Every one of your files is beyond your reach, and if you wish to regain control, you are told to pay for it. Btcware explains it all in the ransom note it leaves. You find an HTM file on your Desktop that contains the explanation and instructions. The “#_HOW_TO_FIX_!.hta.htm” file is pretty straightforward. In a nutshell: pay a ransom that leads to the release of your files, or don’t, and lose them. You’re supposed to visit a Tor website and pay 0.5 Bitcoin to the data kidnappers. At the time we wrote this article, 1 Bitcoin amounted to about $600. The program promises that after payment they send you a decryption key. Apply it, and your files are free. It seems a rather straightforward exchange. But here’s the bottom line: you have zero guarantees that’s how it goes down. Can you trust cyber criminals to keep their end of the bargain? These are not trustworthy individuals. The odds are stacked against you, and chances are you WILL get double-crossed. So even if the requested ransom were the size of a single dime, experts still advise against payment. Do NOT pay these people. It’s a tough decision to make, but be prepared to write off the data rather than pay the ransom. Before you do anything else, keep a copy of the ransom note and a few of the encrypted files somewhere safe: together they identify the exact variant, and they are what a decryption tool, if one is ever published for this family, will need.

How did I get infected?

Btcware doesn’t pop up out of thin air one day. Like most cyber threats, the tool has to be let in: somebody on the machine runs the file that carries it. You may not remember doing it, but you did, and it’s not surprising that you don’t. Ransomware tools are sneaky. They have to be. Think about it: if they announced themselves, you would refuse them, and they don’t take that chance. Instead they arrive in disguise, through the most covert methods of invasion there are: freeware bundles, spam email attachments, fake updates, corrupted links. Btcware has also been caught riding in on what looked like the Rogers Hi-Speed Internet application. Do you know how you can keep such a tool out of your PC, or at the very least improve your chances significantly? Caution. Infections prey on carelessness. They rely on it, and so does Btcware. It hopes you rush, get distracted, and skip your due diligence. Why would you humor a nasty cyber plague like Btcware? Don’t be careless; be extra thorough. Don’t open attachments you weren’t expecting, don’t run installers from anywhere but the vendor’s own site, and read every screen of a freeware setup before clicking Next. Vigilance keeps your PC infection-free. Carelessness goes the opposite direction.


Why is Btcware dangerous?

Btcware claims that if you follow its demands, all ends well: you get the key to decrypt your files and get your data back. It’s not as simple as the cyber extortionists make it seem. There are many ways the exchange can go wrong, and here is why compliance is the wrong choice. Say you transfer the requested sum. Then what? You wait for the promised decryption key. But what if you don’t get it? The people behind Btcware can simply choose not to send you one. Or they send you one, and when you apply it you find that it’s the wrong one. And even if they give you the one you need, what then? The key undoes the encryption, not the infection. Unless you remove it, the Btcware program remains on your PC, ready to put you through the same experience again, whether ten minutes after decryption, an hour later, or a week later. You are not safe. Not to mention that paying marks you as someone who pays: the transaction, and whatever details you hand over on the payment site, go to the criminals behind Btcware, to use as they see fit. Don’t let strangers with an agenda have access to your private details. It’s not an easy decision to make, but you have to make it. Choose your privacy over your data. Files are replaceable. Privacy is not.

Btcware Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Btcware Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing CTRL+SHIFT+ESC simultaneously.
  • Locate the process of the ransomware. Keep in mind that its name is usually randomly generated, and that the process may hide itself and be difficult to spot.
  • Before you kill the process, note its name and, via right-click and “Open File Location”, the directory it runs from, for later reference. A process running from a user profile folder such as %APPDATA% or %TEMP% under a random name is the one to suspect.
  • Copy the executable to a safe location (a removable drive is fine) before you delete anything: the sample identifies the exact variant and is needed if a decryption tool for this family is ever published.
  • Right-click the process and choose “End Process”.
  • Delete the directories containing the suspicious files.

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click the “Organize” button (on Windows 8 and 10, use the “View” tab of the ribbon and click “Options” instead)
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select the “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK”

STEP 3: Locate Btcware encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously, type regedit and press Enter.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] (64-bit Windows only)

  • and delete the value with the display name [RANDOM] whose data points at the executable you noted in STEP 1. Most legitimate autostart entries point into Program Files or Windows; an entry with a random name pointing into a user profile folder is the one you are after.

  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use msconfig to double-check the execution point of the virus. Keep in mind that the names on your machine will differ, because they are generated randomly; that is why you should also run a reputable scanner to identify malicious files.
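The three manual steps above gathered into one triage script. This is an added example, not part of the original guide and not a tool from its author. It assumes the ransomware runs from a user-writable directory such as %APPDATA%, %LOCALAPPDATA% or %TEMP% (what the guide describes) and that you run it from an elevated PowerShell prompt. It only reports; it deletes nothing, so you can review the output and copy the sample before removing anything.

```powershell
# Added example (not from the original guide). Reports, in order:
#   1. processes whose executable lives in a user-writable directory   (STEP 1)
#   2. hidden executables under those directories                      (STEP 2)
#   3. Run/RunOnce autostart entries that point into those directories (STEP 3)
# Assumption: the dropper sits in one of these directories, as the guide describes.
# Run as Administrator. Nothing is deleted.

$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:USERPROFILE\Downloads") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)   # handles %APPDATA%\x.exe
    foreach ($dir in $userWritable) {
        if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the image path out of a Run-key command such as
#   "C:\Users\bob\AppData\Roaming\xkzq.exe" -silent   or   C:\...\xkzq.exe /s
function Get-ImagePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')  { return $Matches[1] }
    return $Command.Trim()
}

Write-Host '== STEP 1: processes running from user-writable locations =='
Get-CimInstance Win32_Process |
    Where-Object { Test-UserWritablePath $_.ExecutablePath } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

Write-Host '== STEP 2: hidden executables in user-writable locations =='
$hidden = foreach ($dir in $userWritable) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in @('.exe', '.dll', '.scr')) -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        Select-Object FullName, Length, LastWriteTime
}
$hidden | Format-Table -AutoSize

Write-Host '== STEP 3: autostart entries (SUSPICIOUS = points into a user-writable directory) =='
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # exists on x64 only
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip the provider's own metadata
        $command = [string]$p.Value
        $flag = ''
        if (Test-UserWritablePath (Get-ImagePath $command)) { $flag = 'SUSPICIOUS' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $command; Flag = $flag }
    }
}
$autoruns | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Once you have confirmed an entry, the same session can finish the job: `Stop-Process -Id <ProcessId> -Force` for the process and `Remove-ItemProperty -LiteralPath <Key> -Name <Name>` for the Run value, after the executable has been copied off for identification and then deleted.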

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one. Do this only after completing STEPS 1 to 3; otherwise the restored files get encrypted again.
  • Method 2: File Recovery Software. Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this you may be able to use file recovery software to get some of your original files back. Stop writing to the affected disk as soon as you can; every write reduces the chance that the deleted originals are still intact.
  • Method 3: Shadow Volume Copies. As a last resort, you can try to restore your files from Shadow Volume Copies. Open Shadow Explorer (a free tool for browsing shadow copies), choose the drive you want to recover from, right-click any file you want to restore and click Export. If no snapshots are listed, the ransomware has probably deleted them; many families run vssadmin to do exactly that.
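Method 3 without the third-party viewer, as an added example that is not part of the original guide: the script lists the shadow copies of C:, mounts the newest one taken before the ransom note appeared, and copies back the pre-encryption version of every file that now carries the .btcware suffix described earlier. It assumes the encrypted files are on C:, that the ransom note is “#_HOW_TO_FIX_!.hta.htm” on the Desktop (as the guide states), that the mount point C:\shadow_ro is unused, and that STEPS 1 to 3 have already been completed. The folder names $SearchRoot and $Restore are placeholders to adjust. Run as Administrator.

```powershell
# Added example (not from the original guide): restore originals of *.btcware files
# from a Volume Shadow Copy. Assumptions: files on C:, ransom note on the Desktop,
# mount point C:\shadow_ro free, infection already removed. Run as Administrator.

$SearchRoot = "$env:USERPROFILE\Documents"   # where to look for *.btcware files (placeholder)
$Restore    = "$env:USERPROFILE\Recovered"   # originals are copied here, never over the encrypted file
$MountPoint = 'C:\shadow_ro'
$Suffix     = '.btcware'

# Shadow copies belong to a volume GUID, not a drive letter, so resolve C: first.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$shadows  = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning 'No shadow copies of C: exist. Ransomware commonly deletes them (vssadmin delete shadows); use Method 1 or 2.'
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Use the newest snapshot taken before the ransom note was written; a later one
# may already contain encrypted copies.
$note   = Get-Item -LiteralPath "$env:USERPROFILE\Desktop\#_HOW_TO_FIX_!.hta.htm" -ErrorAction SilentlyContinue
$cutoff = if ($note) { $note.CreationTime } else { Get-Date }
$shadow = $shadows | Where-Object { $_.InstallDate -lt $cutoff } | Select-Object -Last 1
if (-not $shadow) {
    Write-Warning "Every shadow copy postdates the ransom note ($cutoff); they probably hold encrypted files too."
    return
}
Write-Host "Using shadow copy $($shadow.ID) taken $($shadow.InstallDate)"

# Expose the snapshot as a folder. The trailing backslash on the device path is required.
cmd /c mklink /d $MountPoint "$($shadow.DeviceObject)\" | Out-Null
try {
    $restored = 0; $missing = 0
    Get-ChildItem -Path $SearchRoot -Recurse -File -Filter "*$Suffix" -ErrorAction SilentlyContinue | ForEach-Object {
        # mine.jpg.btcware -> mine.jpg, then the same relative path inside the snapshot
        $original = $_.FullName.Substring(0, $_.FullName.Length - $Suffix.Length)
        $relative = $original -replace '^[A-Za-z]:\\', ''
        $inShadow = Join-Path $MountPoint $relative
        if (Test-Path -LiteralPath $inShadow -PathType Leaf) {
            $dest = Join-Path $Restore $relative
            New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
            Copy-Item -LiteralPath $inShadow -Destination $dest -Force
            $restored++
        } else {
            $missing++   # created after the snapshot, or stored on another volume
        }
    }
    Write-Host "Restored $restored file(s) to $Restore; $missing had no copy in the snapshot."
} finally {
    cmd /c rmdir $MountPoint | Out-Null   # removes the link only, never the snapshot
}
```

The recovered files are written to a separate folder rather than over the encrypted ones, so a wrong snapshot costs nothing; check a few recovered files open correctly before deleting the .btcware copies. If the first block of the script reports no snapshots, the shadow-copy route is closed and the earlier methods are what remain.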
