.Nuclear BTCW

[elhajoco]

I am assisting a customer that was infected with the .nuclear ransomware.  The files were appended with .[[email protected]]-id-DC145418.nuclear. They submitted a file that was decrypted.  They paid the ransom and were provided a decrypter named btcw.exe. They file ran, however, the decrypter just renamed the files and did not decrypt them.  When the file runs at the beginning it actually says "Your decrypt key is: ..." and lists the decrypt key.  The hackers are still communicating to an extent regarding the issue. However, my question is, can the decrypt key listed in the decrypter program be used in an form or fashion to manually decrypt the files?

[GT500]

It may be BTCWare. I recommend checking with ID Ransomware to be certain:
https://id-ransomware.malwarehunterteam.com/

You can copy and paste the address of the results into a post for me to review as well.

[elhajoco]

It may not be as bad as I thought. Here is the result: https://id-ransomware.malwarehunterteam.com/identify.php?case=8f70302a061f5daf258b38ac6387bd057c7a1060

[mgiammarco]

A customer of mine got the same [email protected] nuclear variant.

I have the server on. What can I do? Can you help me? Btwcware bruteforce failed.

[Fagent]

We have been hit by the same ransomware which has appended [[email protected]]-id-9E099745.nuclear to all of our files and no ransom note was left. I have visited the above link and this was the result

https://id-ransomware.malwarehunterteam.com/identify.php?case=1a9b74e7a11b4e4a8590170e1d865be118526f2d

Is there a way we could decrypt our files?

[GT500]

Note that there's no publicly available decryption tool for this variant of BTCWare. If anyone needs more information, then please send me a private message.