
BtcKing Ransomware

By GoldSparrow in Ransomware

Malware analysts first observed the BtcKing Ransomware, an encryption ransomware Trojan, on June 19, 2018. Like most encryption ransomware Trojans in circulation today, the BtcKing Ransomware appears to reach its victims through spam email attachments. These attachments typically take the form of DOCX or PDF files carrying embedded macro scripts that download and install the BtcKing Ransomware on the victim's computer. Malware researchers advise computer users to handle unsolicited email messages with care, for example by disabling macros, so that threats like the BtcKing Ransomware cannot be used to attack their data.

The BtcKing Ransomware is the New King on the Block

The BtcKing Ransomware uses AES encryption to make the victim's files inaccessible. Victims of the BtcKing Ransomware attack are told to contact the criminals over BitMessage to receive the decryption key, which is presented as the only way to restore the files affected by the attack. Infected computer users can identify the enciphered files because the BtcKing Ransomware appends the file extension '.BtcKING' to their names. The enciphered files are no longer readable and are shown with blank icons in Windows Explorer. The BtcKing Ransomware targets user-generated files in its attack, which may include a large variety of media files, document types, configuration files, databases and many others. The file types that threats like the BtcKing Ransomware target in their attacks include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

Some variants of the BtcKing Ransomware will add an email address as the file extension to the compromised files, which is the string '.jungle@anonymousspechcom.'

The BtcKing Ransomware's Ransom Demands

The BtcKing Ransomware delivers a ransom note in the form of a text file named 'How To Decode Files.txt' to its victims. The following is the text of the BtcKing Ransomware's ransom note:

'ALL DATA ON THIS PC HAS BEEN ENCRYPTED.

To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file to BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage[.]ch.
In the letter include your personal ID (look at the beginning of this document).
Attach the file with the location c:\Windows\YOUR KEY.KEY

We will give you the decrypted file and say price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Attention!

Only BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage[.]ch can decrypt your files
Do not trust anyone BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage[.]ch
Do not attempt to remove the program or run the anti-virus tools. You can loss your data
Attempts to self-decrypting files will result in the loss of your data
Decoders for other IDs are not compatible with your ID data, because each user's unique encryption key

Your ID [random characters]'

The BtcKing Ransomware also stores an encrypted copy of the decryption key in a file named 'YOUR KEY.KEY' in the C:\Windows\ directory. Computer users should not follow the instructions in the BtcKing Ransomware ransom note. Instead, the encrypted files and the other content associated with the BtcKing Ransomware should be removed, and the affected files restored from file backups.
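As an added triage example (not code from the page or from the malware), the script below walks an offline-mounted volume and collects the three artefacts this article names: files ending in '.BtcKING' (or the email-address variant), the 'How To Decode Files.txt' note, and the 'YOUR KEY.KEY' file under Windows\. The sample volume it builds in a temporary directory, and all file contents in it, are constructed for the demonstration.

```python
# Added triage example (not the malware's code); sample paths and contents are constructed.
from dataclasses import dataclass, field
from pathlib import Path
import tempfile

RANSOM_NOTE_NAME = "How To Decode Files.txt"
KEY_FILE_RELATIVE = Path("Windows") / "YOUR KEY.KEY"   # i.e. C:\Windows\YOUR KEY.KEY
ENCRYPTED_SUFFIXES = (".btcking", ".jungle@anonymousspechcom")  # page-reported; 2nd = email variant

@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    key_file_present: bool = False

def original_name(name: str) -> str:
    """Strip the appended suffix to recover the pre-encryption file name."""
    for suffix in ENCRYPTED_SUFFIXES:
        if name.lower().endswith(suffix):
            return name[:-len(suffix)]
    return name

def triage(root: Path) -> TriageReport:
    report = TriageReport()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE_NAME:
            report.ransom_notes.append(path)
        elif path.name.lower().endswith(ENCRYPTED_SUFFIXES):  # NTFS names are case-insensitive
            report.encrypted_files.append(path)
    report.key_file_present = (root / KEY_FILE_RELATIVE).is_file()
    return report

def build_sample_volume(root: Path) -> None:
    """Constructed sample volume carrying each artefact plus one untouched file."""
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (root / "Windows").mkdir()
    (root / KEY_FILE_RELATIVE).write_bytes(b"\x00" * 16)  # placeholder blob, not a real key
    (docs / "report.docx.BtcKING").write_bytes(b"\xff" * 32)
    (docs / "budget.xlsx.jungle@anonymousspechcom").write_bytes(b"\xff" * 32)
    (docs / "notes.txt").write_text("still readable")
    (docs / RANSOM_NOTE_NAME).write_text("ALL DATA ON THIS PC HAS BEEN ENCRYPTED.")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(Path(tmp))
        rep = triage(Path(tmp))
        print(rep.key_file_present, [original_name(p.name) for p in rep.encrypted_files])
```

Run it against a mounted image of the affected volume rather than the live system, and preserve 'YOUR KEY.KEY' and the ransom note as evidence before any cleanup.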
