A new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .[email]-id-[id].wyvern extension to encrypted files. The BTCWare family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop services. Once they are able to gain access to a computer, they will install the ransomware and encrypt the victim's files.
If you find that are infected with this ransomware, do not shutdown your computer as there may be a way to decrypt it. Instead contact Michael Gillespie for instructions.
What's New in the Wyvern Ransomware BTCWare Variant
For the most part, this the Wyvern variant is almost identical to previous releases of BTCWare. The encryption methods remain the same and the ransom note is still named HELP.hta. The main difference is the contact email, which is now decryptorx@cock.li.
The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .[email]-id-id.wyvern extension to encrypted file's name. For example, the current version will encrypt a file called test.jpg and rename it to test.jpg.[decryptorx@cock.li]-id-89085061.wyvern.
You can see an example of an encrypted folder below.
If any new information or methods to decrypt the files becomes available, we will be sure to update this article.
IOCs
File Hashes:
SHA256: c3df259f21b7e204855f0d6cb9a193a5340c44183b1ee6dc9519a01efc9a2236
Filenames associated with the Wyvern Ransomware Variant:
Help.hta
Wyvern BTCWare Ransomware Ransom Note Text:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptorx@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails Associated with the Wyvern Ransomware:
decryptorx@cock.li
Bundled Wyvern RSA Public Key:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCitOoG+zT+UHs8xu7rCRSzj1XFlhatpoG4/dqLm45JWUMo1Usokd2KAOvZQQWIi6AtAqe2XwG3zsu3Mt97LzU/9t5lf30RuNP3y422gX6XvBATeDSyZObsjcx0TeV+r4WR563EsQp19YMAbr9hOfjwJwfzhZJ4ODbRcHBQyWab+wIDAQAB
-----END PUBLIC KEY-----
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now