Barkly vs Malware
The Barkly Team
Oct 2017

Barkly vs. New BTCWare Variants

Ransom screen for Wyvern variant of BTCWare ransomware. Source: Bleeping Computer

New Gryphon, Wyvern variants of BTCWare are taking flight and encrypting victim files — the good news is Barkly blocks them.

We’ve been seeing multiple new strains of BTCWare including Wyvern, Nuclear and Gryphon. The BTCWare family of ransomware first inflicted damage back in March when it was going by the name CrptXXX. Whatever the name, this family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop Protocol (RDP). Once they gain access to a computer, cyber criminals install the ransomware and encrypt the victim’s files.

Credited with around 10 infections per day, BTCWare boasts similar stats as Locky. These latest variants leverage the same tried and true encryption method as previous BTCWare variants, but unfortunately for victims, at this time there is no way to decrypt files for free. Fortunately, Barkly is able to block BTCWare automatically, before it can do any damage (see it in action vs. BTCWare in the video below, and learn how Barkly's protection works here).

BTCWare overview

  • First appeared in March 2017 under the name CrptXXX.
  • Credited with around 10 infections per day, making it similarly successful as Locky
  • A master decryption key for the BTCWare ransomware was released in May 2017. However, this does not work on the newest variants.
  • The Nuclear variant was released with a big flaw — developers of this variant made a major mistake on the encryption of files greater than 10MB and will not be able to decrypt them.
  • We have seen a resurgence with three new variants being created since August — Wyvern, Nuclear and Gryphon.

How BTCWare is being delivered

Attackers are distributing these new BTCWare variants by brute forcing Remote Desktop (RDP) connections to servers and computers with weak or default passwords.

RDP is a protocol developed by Microsoft as a remote management tool. It is commonly exposed in internal networks for use in administration and support, but when it's exposed to the wider Internet it can be a beacon for attackers. Port scanning tools like Nmap make it incredibly easy for attackers to hone in on devices with vulnerable RDP connections, and launching attacks this way also allows them to bypass a variety of security solutions.

For those reasons, over the past year we've seen RDP brute force attacks become one of the leading infection vectors for ransomware.

What a BTCWare infection looks like

When the Gryphon variant was first spotted in August its new ransom note had a filename of HELP.txt and specific instruction to contact either or for payment information. This variant also uses a different public RSA encryption key that encrypts the victim's AES encryption key and has a unique file extension for encrypted files (.[].crypton).

Gryphon ransom-note.jpg

Ransom screen for Gryphon variant of BTCWare ransomware. / Bleeping Computer

Later in the month Nuclear was released with one big flaw. According to Michael Gillespie, the developers of this variant made a major mistake on the encryption of files greater than 10MB in files size and will not be able to decrypt them. In addition to the flaw, Nuclear hit the ransomware scene with a new ransom note with the filename HELP.hta. This time the instructions were to contact for payment information. Just as with Gryphon, the criminals once again changed the the public RSA encryption key and created a unique file extension for the encrypted files (.[affiliate_email].nuclear).

Nuclear encrypted-folder.png

Encrypted files from Nuclear variant of BTCWare ransomware. / Bleeping Computer

When Wyvern made its debut in late September it was deja vu from Nuclear -- same encryption technique and same ransom note (HELP.hta). This time the hackers only changed the contact email ( and the file extension (.[email]-id-id.wyvern).

Wyvern encrypted-files.png

Encrypted files from Wyvern variant of BTCWare ransomware. / Bleeping Computer

Barkly vs. BTCWare

While the majority of security solutions will react to new BTCWare variants by scrambling to update their protection as they're being discovered (and only after the initial wave of infections are successful), Barkly will block them automatically, without any updates necessary.

That's because Barkly blocks malware based on behavior analysis as well as attribute analysis. So even though new variants like Gryphon, Nuclear, and Wyvern may look different from previous BTCWare variants, because they attempt to perform the same malicious actions our protection still picks them up and shuts them down. Learn more about how Barkly can protect your company from BTCWare and other ransomware families here.

The Barkly Team

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.


The Ransomware Survival Handbook

Learn how to recover quickly and effectively (and not get hit again)

Get my handbook


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.