
Good afternoon. We are located in Aktobe, Kazakhstan. In our organization, files were encrypted on 06/06/2017. This computer had RDP access, and the encryption was carried out through this protocol. The files have an extension of the form [[email protected]].blocking. I attach the extortionists' demands and several files. If necessary, I can provide any files and reports. The ransomware is BTCWare. If payment is required, write how much. Thank you in advance.

These two decrypters do not fit; wrong type of encrypted file:

https://decrypter.emsisoft.com/amnesia2
https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip

Attached avacrypt.rar (password Qwer123$): the ransomware's exe file

!#_RESTORE_FILES_#!.inf: the extortionists' demands

"Files" folder: original and encrypted files

Password for all archives: Qwer123$

https://sabercathost.com/4V5o/ransomware.rar

ransomware.rar


The .blocking variant of BTCWare is not decryptable. I'm afraid they moved on to a fully secure key generator with this version, and it can no longer be broken. You can only restore from backups or pay the ransom. Secure your RDP: use strong passwords, block it from the WAN, and use a VPN.

 

BTW, Amnesia has nothing to do with BTCWare. Two completely separate ransomware families.

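The advice above (RDP reachable only from the LAN or a VPN) is also the first thing to check after an incident like this one: which RDP sessions actually came in from outside? The following is an added example, not code from the thread or from any of the tools linked in it. It assumes the Windows Security log was exported as comma-separated lines in the field order shown in SAMPLE_EVENTS; that layout, the sample events, and the INTERNAL_NETS list are constructed for illustration.

```python
"""Triage RDP logons in an exported Windows Security log.

Added example, not from the original thread. It assumes the Security log was
exported as comma-separated lines with the fields
TimeCreated,EventID,LogonType,TargetUserName,IpAddress; that layout, the
sample lines, and INTERNAL_NETS are constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample export. The documentation address 203.0.113.10 plays the
# attacker and 10.0.1.x the office LAN. "-" is what Windows records when the
# logon has no network source, e.g. a console logon (LogonType 2).
SAMPLE_EVENTS = """\
2017-06-05T22:41:07,4625,10,administrator,203.0.113.10
2017-06-05T22:41:09,4625,10,admin,203.0.113.10
2017-06-05T22:41:12,4625,10,Administrator,203.0.113.10
2017-06-05T22:43:55,4624,10,Administrator,203.0.113.10
2017-06-06T08:02:14,4624,10,ivanov,10.0.1.25
2017-06-06T08:15:30,4624,2,ivanov,-
2017-06-06T09:10:01,4624,3,svc_backup,10.0.1.40
"""

# Assumed: the ranges RDP should be reachable from (LAN plus VPN pool).
# Anything else is "WAN" and should have been blocked at the firewall.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive, i.e. RDP
LOGON_OK, LOGON_FAIL = "4624", "4625"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the export into dicts; malformed lines are skipped, not fatal."""
    fields = ("time", "event_id", "logon_type", "user", "ip")
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == len(fields):
            events.append(dict(zip(fields, parts)))
    return events


def source_is_wan(ip_text: str) -> bool:
    """True when the source parses as an address outside INTERNAL_NETS.

    "-" and other non-addresses are not remote sources and are not flagged;
    loopback is treated as local as well.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def rdp_logons_from_wan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful RDP logons (4624, type 10) from outside the internal ranges:
    every one of these is a session the firewall or VPN should have prevented."""
    return [e for e in events
            if e["event_id"] == LOGON_OK
            and e["logon_type"] == RDP_LOGON_TYPE
            and source_is_wan(e["ip"])]


def failed_rdp_by_source(events: List[Dict[str, str]]) -> Counter:
    """Failed RDP attempts (4625, type 10) per source address; a burst of these
    followed by a 4624 from the same address is the usual password-guessing
    pattern against an exposed RDP service."""
    return Counter(e["ip"] for e in events
                   if e["event_id"] == LOGON_FAIL
                   and e["logon_type"] == RDP_LOGON_TYPE)


def triage(text: str = SAMPLE_EVENTS) -> dict:
    """Return the two findings an analyst wants first: external RDP sessions
    and the failure count per source."""
    events = parse_events(text)
    return {
        "wan_rdp_logons": [(e["time"], e["user"], e["ip"])
                           for e in rdp_logons_from_wan(events)],
        "failed_rdp_by_source": dict(failed_rdp_by_source(events)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run against a real export, the `wan_rdp_logons` list should be empty once RDP is restricted to the VPN; any entry in it is either a firewall gap or a compromised VPN account. Replace INTERNAL_NETS with the organization's actual LAN and VPN ranges rather than all of RFC 1918, otherwise an attacker who has already pivoted to an internal host is indistinguishable from a legitimate user.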

Thank you for what you are doing. We sent the files to the Dr.Web lab, but they are also powerless at the moment. The problem is also being looked at on virusinfo.info. If there is any news, I will definitely write in the topic I created in the thread about BTCware, although the chance is very small. Thank you.


The only chance of free decryption will be if they release the private RSA-1024 key to decrypt your AES key. The attacks we used to bruteforce the key or derive a keystream are no longer applicable, since they changed the keygen to be secure and switched back to using AES (the plaintext attack no longer works).

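The post above names the two attacks that worked against earlier variants: deriving the keystream from an original/encrypted file pair, and brute-forcing a weak key generator. The following is an added example that is not part of the thread and is not BTCWare's actual code: a toy stream cipher (SHA-256 in counter mode) stands in for a cipher that XORs every file with the same keystream, and a key fully determined by a 16-bit seed stands in for the brute-forceable keygen. Both are assumptions made to show why the attacks work, what their limits are, and why a secure key generator (`os.urandom`) ends the brute-force route.

```python
"""Why a known-plaintext attack recovers files from a weak stream-cipher
ransomware, and why a secure key generator defeats it.

Added example, not from the original thread and not BTCWare's real algorithm.
The cipher, the weak key generator and the sample file contents are
constructed stand-ins for illustration.
"""
import hashlib
import os
from typing import Optional, Tuple


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: concatenated SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, keystream(key, len(data)))


def weak_keygen(seed: int) -> bytes:
    """Assumed weak keygen: the 256-bit key is a function of a 16-bit seed,
    so there are only 65536 possible keys."""
    return hashlib.sha256(b"victim-key" + seed.to_bytes(2, "big")).digest()


def secure_keygen() -> bytes:
    """What a 'fully secure key generator' looks like: 256 bits from the OS
    CSPRNG, which brute force cannot enumerate."""
    return os.urandom(32)


# --- Attack 1: derive the keystream from one original/encrypted pair --------

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """P XOR C = keystream, but only for the bytes covered by the known pair."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted file must be the same length")
    return xor_bytes(original, encrypted)


def decrypt_with_keystream(ks: bytes, encrypted: bytes) -> Tuple[bytes, int]:
    """Decrypt another file with the recovered keystream.

    Returns (recovered_prefix, bytes_not_recoverable): a file longer than the
    known pair can only be decrypted up to the length of the recovered stream,
    which is why victims were asked for the largest original/encrypted pair
    they could find.
    """
    usable = min(len(ks), len(encrypted))
    return xor_bytes(encrypted[:usable], ks[:usable]), len(encrypted) - usable


# --- Attack 2: brute-force the weak keygen with a known-plaintext check -----

def brute_force_seed(known_plain: bytes, known_cipher: bytes,
                     seed_bits: int = 16) -> Optional[int]:
    """Try every seed; 32 bytes of a known pair are enough to identify the key.
    Recovering the key itself lifts the length limit of attack 1."""
    probe_p, probe_c = known_plain[:32], known_cipher[:32]
    for seed in range(1 << seed_bits):
        if stream_encrypt(weak_keygen(seed), probe_p) == probe_c:
            return seed
    return None


def demo() -> dict:
    """Run both attacks against the weak scheme and report what they recover."""
    key = weak_keygen(0xBEEF)                                  # unknown to us
    small_original = b"%PDF-1.4 constructed sample document " * 2   # 74 bytes
    big_original = b"constructed spreadsheet contents; " * 8      # 272 bytes
    small_enc = stream_encrypt(key, small_original)
    big_enc = stream_encrypt(key, big_original)

    ks = recover_keystream(small_original, small_enc)
    prefix, missing = decrypt_with_keystream(ks, big_enc)

    seed = brute_force_seed(small_original, small_enc)
    full = stream_encrypt(weak_keygen(seed), big_enc) if seed is not None else None

    return {
        "keystream_prefix_ok": big_original.startswith(prefix),
        "bytes_missing_from_keystream_attack": missing,
        "recovered_seed": seed,
        "brute_force_recovers_full_file": full == big_original,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both attacks depend on properties the post says the .blocking variant no longer has. The keystream attack only works when every file is XORed with the same keystream; a per-file key, or a block cipher used in a non-stream mode, makes P XOR C from one pair useless for any other file. The brute-force attack only works when the key space is small enough to enumerate; with a key drawn from a CSPRNG and wrapped with the attacker's RSA-1024 public key, the only remaining path is the private key, as the post says.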
