
BTCWare-PayDay Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 10
First Seen: October 8, 2017
Last Seen: December 30, 2019
OS(es) Affected: Windows

The BTCWare-PayDay Ransomware is an encryption ransomware Trojan used to extort computer users. Like most encryption ransomware Trojans, the BTCWare-PayDay Ransomware makes the victim's files unreadable and then demands a ransom payment to release them. To take the files hostage, the BTCWare-PayDay Ransomware uses a strong encryption algorithm to make them inaccessible and then displays a ransom note demanding a large payment in Bitcoin in exchange for the decryption key needed to regain access to the affected files. PC security researchers have observed this tactic countless times before, and it remains a common device for pressuring computer users into making large ransom payments.

It can be a PayDay, but not for You

The BTCWare-PayDay Ransomware was first observed carrying out attacks on October 3, 2017. In the BTCWare-PayDay Ransomware attack, the encrypted files are marked with a new file extension: the BTCWare-PayDay Ransomware indicates that it has encrypted a file by appending the string '.[]-id-.payday' to the affected file's name. The BTCWare-PayDay Ransomware belongs to a family of ransomware derived from BTCWare, a ransomware Trojan that first appeared in April 2017. Several variants of BTCWare have been released since April, most of them built from very similar source code and carrying out attacks that are practically identical. Like other BTCWare variants, the BTCWare-PayDay Ransomware communicates with its Command and Control servers over TOR for anonymity and has few, if any, identifying features that would differentiate it from other commonly seen ransomware Trojans.

The Consequences of a BTCWare-PayDay Ransomware Attack

The BTCWare-PayDay Ransomware is nearly identical to the Blocking Ransomware and the Wyvern Ransomware, two other BTCWare variants uncovered in 2017. Like other encryption ransomware Trojans, the BTCWare-PayDay Ransomware targets user-generated files, typically images, text documents, presentations, audio and video. The BTCWare-PayDay Ransomware uses a strong encryption algorithm to make the victim's files inaccessible; once a file has been encrypted, its contents cannot be read and the victim can no longer open the file or view its contents. The bulk of the BTCWare-PayDay Ransomware attacks seem to target victims in Western Europe. However, this does not mean that the BTCWare-PayDay Ransomware is geographically limited, and there is nothing stopping BTCWare-PayDay Ransomware attacks from appearing in other parts of the world. New variants of the BTCWare-PayDay Ransomware are likely to appear, using different file extensions to mark encrypted files and different email accounts for victims to contact the attackers.

The BTCWare-PayDay Ransomware’s Ransom Demand

The BTCWare-PayDay Ransomware delivers a ransom note after encrypting the victim's files. This ransom note is named '!! RETURN FILES !!.txt' and is opened by the victim's default text editor. Below is the full text of the BTCWare-PayDay Ransomware ransom note:

'all your files have been encrypted
want return files?
write on email: keyforyou@tuta.io'

As part of its attack, the BTCWare-PayDay Ransomware also deletes the Shadow Volume Copies and disables other recovery methods that could help computer users restore their files. This is why it is paramount to take preventive measures so that the BTCWare-PayDay Ransomware cannot carry out its attack and files can be restored easily. Paying the BTCWare-PayDay Ransomware ransom is not a good option: most of these threats demand thousands of dollars, and the people behind the attacks seldom keep their word and help computer users restore their data once it has been compromised. The best protection against the BTCWare-PayDay Ransomware and similar threats is to keep file backups in the cloud or in another safe place. File backups give computer users the option of restoring their files quickly without resorting to paying the ransom.
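Because the destruction of Shadow Volume Copies happens before the ransom note is shown, it is one of the few moments where a defender can still act. The detector below is an added example written for this page, not code from the original article or from any vendor: it runs over constructed process-creation records (a simplified `key=value|key=value` layout, not a real Sysmon export) and flags the command lines ransomware families in general use to remove recovery data. The page only states that BTCWare-PayDay deletes Shadow Volume Copies; the specific `vssadmin`, `wmic`, `bcdedit` and `wbadmin` invocations matched here are the generic ransomware commands assumed for the example, not commands attributed to this family.

```python
import re
from dataclasses import dataclass

# Generic recovery-destruction command lines seen across ransomware families.
# Assumed for this example; the page does not list the exact commands
# BTCWare-PayDay runs, only that Shadow Volume Copies are deleted.
RECOVERY_TAMPERING = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Constructed sample telemetry: one process-creation record per line.
SAMPLE_EVENTS = [
    "UtcTime=2017-10-08 09:14:02|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Users\\victim\\AppData\\Roaming\\file.exe|CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet",
    "UtcTime=2017-10-08 09:14:03|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wmic shadowcopy delete",
    "UtcTime=2017-10-08 09:14:05|Image=C:\\Windows\\System32\\bcdedit.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=bcdedit /set {default} recoveryenabled No",
    "UtcTime=2017-10-08 09:20:11|Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=vssadmin list shadows",
    "UtcTime=2017-10-08 09:21:40|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe \"C:\\Users\\victim\\Desktop\\!! RETURN FILES !!.txt\"",
]


@dataclass
class Alert:
    timestamp: str
    parent_image: str
    command_line: str
    rule: str


def parse_event(line):
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_recovery_tampering(lines):
    """Return an Alert for every record whose command line matches a
    recovery-destruction pattern. Benign uses such as 'vssadmin list
    shadows' do not match because no rule requires only the tool name."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule_name, pattern in RECOVERY_TAMPERING:
            if pattern.search(cmd):
                alerts.append(Alert(event.get("UtcTime", ""),
                                    event.get("ParentImage", ""),
                                    cmd, rule_name))
                break  # one alert per record is enough for triage
    return alerts


def suspicious_parents(alerts):
    """Parent images that launched the tampering: in the constructed data the
    first alert's parent is an executable under the user's roaming profile,
    which is itself a strong indicator worth pivoting on."""
    return sorted({a.parent_image for a in alerts})


if __name__ == "__main__":
    for alert in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"{alert.timestamp}  {alert.rule:28s}  {alert.command_line}")
```

In production the same patterns belong in the EDR or SIEM as a process-creation rule; the point of the example is that the match is on the full command line (tool plus the destructive verb), so routine administrative listing of shadow copies does not fire.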


File System Details

BTCWare-PayDay Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe 1c872d5b70ba7a49d1e743336e6fa18b 0
2. file.exe b89668a8cee73f2d7083eb4c013e131c 0
3. file.exe 43e5e55daf3ec8e032a7386c9a1710a6 0
4. file.exe 1887910c63217bfb9b811a03875bd668 0
5. file.exe e56cb01535e95b0160ea3ce103616356 0

Registry Details

BTCWare-PayDay Ransomware may create the following registry entry or registry entries:
File name without path
!! RETURN FILES !!.txt
Regexp file mask
%APPDATA%\payday.hta
