BTC ransomware was distributed using traditional methods embedding the malicious file in the body of the email or sending them directly as an attachment.
It doesn’t use any well-known vulnerabilities to replicate as like we saw with WannaCry and EternalRocks.
This ransomware was distributed through well know file extensions like (.doc,.jpg,.jpeg,.mp4,.PSD,.pfx,.pdf) and so on. Once it infected it will rename the file in following format FileName.Extension.[Email].Ext2.
Once entered into the system it will generate a random password(unique per machine) and with the password, an encryption key will be generated.
It will then encrypted with a public key(hardcoded in the binary) and dispense a user ID in ransom files.
The encrypted symmetric key is kept as a base64-encoded string %USERPROFILE%\Desktop\key.dat.The ransomware uses MS CryptoAPI for encrypting files.Once the encryption process completed it will set a wallpaper on your desktop like this.
BTC Decryptor tool from Avast
Security Expert Ladislav Zezula from Avast comes up with the decryptor tool for BTC ransomware. Click here to Download BTC Decrypter.
You can use it to decrypt files from Local drives, Network drives, and Folders, we also need to upload original along with the decrypted file, both of them should match.
On could sixteenth, 2017, the master private key was revealed by BleepingComputer. But the master key was not used in the Decrypter tool.
Instead, they used brute force Methods to retrieve the passwords that used by ransomware to Encrypt the files.