BTCWare Ransomware (.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz@bitmessage.ch]-id-<Random>.wallet) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Unknown

MD5 : 08e0582bb2c17a3d6108eb90ccb0026c

Major Detection Name : a variant of Win32/Kryptik.GATK (ESET), Trojan-Ransom.Win32.Bitcovar.hm (Kaspersky)

Encrypted File Pattern : .[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz@bitmessage.ch]-id-<Random>.wallet

Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\Temp\<Random>.tmp.exe
- C:\Users\%UserName%\AppData\Roaming\payday.hta

Payment Instruction File : ! FILES ENCRYPTED.txt / payday.hta

Major Characteristics :
- Offline Encryption
- Aleta / Crptxxx / Gryphon / Master Ransomware series
- Disable system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures)