Test subject – BTCWare ransomware, “shadow” extension
The BTCWare family is a very active player in the ransomware world. Almost every month new variants are discovered, and although older versions are now possible to decrypt, the newly released variants use strong encryption algorithms to corrupt files and are impossible to recover. This particular variant is being spread by hacking into systems with Remote Desktop Services enabled, poorly protected by low complexity passwords and security policies. Older versions used this technique as well, so be sure to secure your internet-facing services, especially RDP. Once executed, the ransomware appends the .[email]-id-[id].shadow extension to encrypted file’s name. It compromises the shadow copies as well, so the information cannot be retrieved by running disk level file recovery tools. Currently, there are no decryption tools available for this variant.
BTCWare ransomware test facts
Once executed, the ransomware immediately attacks local files as well as accessible mapped and unmapped network drives. In our test, the malware managed to encrypt several tens of files within seconds.
BTCWare ransomware test results
TEMASOFT Ranstop detects this BTCWare variant soon after it starts encrypting files. Upon detection, alerts are fired off, actions are executed as configured (i.e. isolate machine) and, at the same time, the malicious process is stopped and quarantined. All the encrypted files are automatically recovered to their original state, including the file name. Such an attack causes zero downtime to machines protected by TEMASOFT Ranstop.
Click here to watch TEMASOFT Ranstop in action (video)!
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.