
BTCamant Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 11
First Seen: January 4, 2017
Last Seen: August 27, 2020
OS(es) Affected: Windows

The BTCamant Ransomware is an encryption Trojan that was discovered in the first week of January 2017 (the scorecard above records a first sighting on January 4, 2017). An executable belonging to the BTCamant Ransomware was submitted to Google's VirusTotal platform, which allowed security researchers to look into its development. At the time of writing, the BTCamant Ransomware is still in development and offers only a rudimentary control interface that is reached from the Windows command line. The version submitted to VirusTotal runs as a batch file launched through CMD.exe. Some researchers suspect that the engine of the BTCamant Ransomware is written as a compact batch script and that the sample was submitted to VirusTotal so its author could check whether anti-virus software detects it; since an upload to VirusTotal is shared with the participating vendors, this kind of 'AV test' also hands defenders an early copy of the threat.

Released Versions of the BTCamant Ransomware

The initial release carries the icon of the Google Chrome browser, which suggests that the distribution campaign for the BTCamant Ransomware may involve fake updates for commonly used Internet clients such as Google Chrome, Mozilla Firefox, Opera and Internet Explorer. However, the BTCamant Ransomware can easily be repacked and arrive on systems as an archive file that carries a JavaScript dropper. The practice is not new, and we have seen ransomware such as Alcatraz and Hackerman masked as archives. The sample of the BTCamant Ransomware was submitted to the Korean version of VirusTotal, and researchers suspect that the Trojan may be tailored to systems in Korea and the wider East Asian region. Threats like the EnkripsiPC Ransomware, the Trochilus RAT, the Korean Ransomware and the Mahasaraswati Ransomware made headlines on local and global news outlets in 2016.

Is the BTCamant Ransomware a Credible Threat?

The BTCamant Ransomware is reported to use the AES-128 cipher and encrypts every file outside the Windows system folders. This means the BTCamant Ransomware can also be run on server machines and inflict severe damage on online shopping platforms, forums and other sites that receive heavy Internet traffic. Encrypted files carry the '.BTC' suffix appended after the original extension. For example, 'Limestone-Mediterranean_sea.db' is renamed to 'Limestone-Mediterranean_sea.db.BTC'. The '.BTC' suffix is likely a reference to the Bitcoin digital currency, which is favored among crypto-threat operators. The ransom note is dropped in two forms, 'BTC_DECRYPT_FILES.txt' and 'BTC_DECRYPT_FILES.html'. The 'support staff' behind the BTCamant Ransomware may offer a decryptor for a payment of 0.5 BTC to 2 BTC, depending on the volume of data that was encrypted. The message inside 'BTC_DECRYPT_FILES.txt' reads:

'Hello!
For getting back Your PC data You need to contact with us through email as soon as possible: sepas@protonmai1.com , sepast@protonmai1.com'

What the Managers of the BTCamant Ransomware are After

Cybersecurity consultants do not recommend paying the ransom, because the operators of campaigns based on encryption Trojans rarely bother to send a decryptor. The business model of ransomware operators is to release waves of spam emails loaded with threats like the BTCamant Ransomware, wait for users to become infected and then offer a 'solution' for a fee. A payment made in Bitcoin cannot be refunded, and the wallet address is not readily traced back to its owner. It is best to recover from a BTCamant Ransomware attack from backups and to use a trustworthy anti-malware tool to remove the BTCamant Ransomware Trojan. AV vendors are known to tag executables related to the BTCamant Ransomware as:

  • FileCryptor.NKU
  • Gen:Variant.Strictor.119198
  • Ransom.Cerber
  • Ransom:Win32/Genasom!rfn
  • Ransom_Genasom.R011C0DLN16
  • TR/Crypt.Xpack.hfvft
  • Trojan/Win32.Yakes


File System Details

BTCamant Ransomware may create the following file(s):

#   File Name                                  MD5                               Detections
1.  ASUSWebStorageSyncAgent2.3.0.595.exe.bin   7e6a7e83bf84d081f4fd8a2c0cb1e32f  3
2.  app.exe                                    d864d3bf4371dc43bdb5b8c7e24ebd4b  3
3.  Asus Webstorage Upate.exe                  03909af5cf762d31545f622f4f12dc5a  2
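The '.BTC' suffix, the two ransom-note names and the three MD5 hashes above are concrete indicators a responder can sweep a disk for. The following Python script is an added example written for this page, not code from the original write-up or from the malware author: it walks a directory tree, reports files ending in '.BTC', reports copies of 'BTC_DECRYPT_FILES.txt' and 'BTC_DECRYPT_FILES.html', and compares the MD5 of every executable or binary it finds against the three published hashes. The sample directory it builds is constructed for the demonstration and holds only placeholder bytes, no real malware; its file names (other than the indicators taken from this page) are assumptions.

```python
"""IOC sweep for BTCamant Ransomware artefacts (added example, not the page's own code).

Indicators taken from the write-up above:
  - encrypted files keep their name and gain a trailing '.BTC'
  - ransom notes named BTC_DECRYPT_FILES.txt / BTC_DECRYPT_FILES.html
  - three dropped executables with published MD5 hashes
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 hashes listed in the File System Details table above.
KNOWN_MD5 = {
    "7e6a7e83bf84d081f4fd8a2c0cb1e32f": "ASUSWebStorageSyncAgent2.3.0.595.exe.bin",
    "d864d3bf4371dc43bdb5b8c7e24ebd4b": "app.exe",
    "03909af5cf762d31545f622f4f12dc5a": "Asus Webstorage Upate.exe",
}
# Windows file systems are case-insensitive, so every comparison is done on lowercase names.
RANSOM_NOTES = {"btc_decrypt_files.txt", "btc_decrypt_files.html"}
ENCRYPTED_SUFFIX = ".btc"
HASHED_EXTENSIONS = (".exe", ".bin", ".bat", ".cmd")


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def original_name(encrypted_name):
    """Recover the pre-encryption name by stripping the trailing '.BTC' (case-insensitive)."""
    if encrypted_name.lower().endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return encrypted_name


def sweep(root):
    """Walk root and return matches keyed by indicator type.

    'encrypted'   -> paths ending in .BTC
    'ransom_note' -> paths whose name is one of the two ransom notes
    'known_hash'  -> (path, md5, published file name) for hash matches
    """
    hits = {"encrypted": [], "ransom_note": [], "known_hash": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append(str(path))
            if lower in RANSOM_NOTES:
                hits["ransom_note"].append(str(path))
            # Only hash executables/binaries; the extension filter keeps the sweep fast on big trees.
            if lower.endswith(HASHED_EXTENSIONS):
                digest = md5_of(path)
                if digest in KNOWN_MD5:
                    hits["known_hash"].append((str(path), digest, KNOWN_MD5[digest]))
    return hits


def build_sample_tree():
    """Constructed sample directory (no real malware) that mimics an infected user profile."""
    root = Path(tempfile.mkdtemp(prefix="btcamant_"))
    docs = root / "Documents"           # assumed folder name
    docs.mkdir()
    (docs / "Limestone-Mediterranean_sea.db.BTC").write_bytes(b"\x00" * 64)
    (docs / "report.docx.BTC").write_bytes(b"\x01" * 64)  # assumed victim file
    (docs / "BTC_DECRYPT_FILES.txt").write_text("Hello!\n")
    (docs / "BTC_DECRYPT_FILES.html").write_text("<html></html>")
    (docs / "untouched.txt").write_text("clean")
    # Placeholder binary: its MD5 will not match the published hashes,
    # which is the expected negative case on a machine without the dropper.
    (root / "app.exe").write_bytes(b"MZ placeholder")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, matches in sweep(sample).items():
        print(f"{kind}: {len(matches)}")
        for m in matches:
            print("   ", m)
    for m in sweep(sample)["encrypted"]:
        print("original name:", original_name(Path(m).name))
```

To use it on a real machine, point sweep() at the drive root instead of the constructed tree. A hit in known_hash is the strongest signal; '.BTC' files on their own should be confirmed against the presence of the ransom note, since a '.btc' extension can occur legitimately. The hash list is only as good as the three samples above, so a repacked build will pass the hash check and show up only through the file-name indicators.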
