New Gryphon, Wyvern variants of BTCWare are taking flight and encrypting victim files — the good news is Barkly blocks them.
We’ve been seeing multiple new strains of BTCWare, including Wyvern, Nuclear and Gryphon. The BTCWare family of ransomware first inflicted damage back in March, when it was going by the name CrptXXX. Whatever the name, this family of ransomware is distributed by hand: the attackers log in to remote computers over Remote Desktop Protocol (RDP) using weak or guessed passwords. Once they have a session on a computer, they install the ransomware and encrypt the victim’s files.
At roughly 10 reported infections per day, BTCWare's infection rate is comparable to Locky's. These latest variants use the same tried and true encryption method as previous BTCWare variants, but unfortunately for victims, at this time there is no way to decrypt files for free. Fortunately, Barkly is able to block BTCWare automatically, before it can do any damage (see it in action vs. BTCWare in the video below, and learn how Barkly's protection works here).
First appeared in March 2017 under the name CrptXXX.
A master decryption key for the BTCWare ransomware was released in May 2017. However, this does not work on the newest variants.
The Nuclear variant was released with a big flaw: its developers made a major mistake when encrypting files larger than 10 MB, so those files cannot be recovered even by the attackers after payment.
We have seen a resurgence with three new variants being created since August — Wyvern, Nuclear and Gryphon.
How BTCWare is being delivered
Attackers are distributing these new BTCWare variants by brute-forcing Remote Desktop (RDP) connections to servers and computers with weak or default passwords.
RDP is Microsoft's protocol for remote desktop sessions, used for administration and support. It is commonly exposed on internal networks for those purposes, but when it's exposed to the wider Internet it becomes a beacon for attackers. Port scanning tools like Nmap make it incredibly easy for attackers to home in on Internet-facing RDP services (TCP 3389 by default), and because the attacker then logs in with valid, if guessed, credentials and installs the ransomware by hand, no malicious email or exploit ever crosses the perimeter, so mail filtering and many other security solutions never see a payload to block.
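The RDP brute-force pattern described above is visible in the Windows Security log before any file is encrypted: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (Event ID 4624) from the same address. The following detection logic is an added example written for this article, not Barkly's code or any vendor's rule; the log lines are constructed to mimic the fields an analyst would export from those events, and the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not a real capture). Each line mimics the fields pulled
# from Windows Security events 4625 (failed logon) and 4624 (successful logon):
# timestamp|EventID|LogonType|TargetUserName|IpAddress
# LogonType 10 is RemoteInteractive, which is how an RDP session logs on.
SAMPLE_LOG = """\
2017-09-20T02:14:01|4625|10|administrator|203.0.113.7
2017-09-20T02:14:03|4625|10|admin|203.0.113.7
2017-09-20T02:14:05|4625|10|backup|203.0.113.7
2017-09-20T02:14:07|4625|10|administrator|203.0.113.7
2017-09-20T02:14:09|4625|10|administrator|203.0.113.7
2017-09-20T02:14:11|4625|10|administrator|203.0.113.7
2017-09-20T02:14:20|4624|10|administrator|203.0.113.7
2017-09-20T03:00:00|4625|3|svc_backup|10.0.0.9
2017-09-20T09:05:11|4625|10|jsmith|192.0.2.55
2017-09-20T09:07:42|4624|10|jsmith|192.0.2.55
"""

RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, ip) from the pipe-separated log."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        yield datetime.fromisoformat(ts), event_id, logon_type, user, ip


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP once it has `threshold` failed RDP logons inside `window`
    (assumed values; tune per environment), and escalate to high severity when a
    successful RDP logon from that IP follows, which is the moment a BTCWare
    operator would start installing the ransomware."""
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    users_tried = defaultdict(set)  # ip -> usernames attempted from that ip
    flagged = set()                 # ips already reported as brute forcing
    findings = []
    for ts, event_id, logon_type, user, ip in parse_events(text):
        if logon_type != RDP_LOGON_TYPE:
            continue  # network/service logons are out of scope for an RDP attack
        if event_id == "4625":
            recent = failures[ip]
            recent.append(ts)
            users_tried[ip].add(user)
            while recent and ts - recent[0] > window:
                recent.popleft()  # drop failures older than the sliding window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"ip": ip, "severity": "medium", "type": "rdp_bruteforce",
                                 "failures": len(recent), "users": sorted(users_tried[ip])})
        elif event_id == "4624" and ip in flagged:
            findings.append({"ip": ip, "severity": "high", "type": "rdp_bruteforce_success",
                             "user": user, "at": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_LOG):
        print(finding)
```

Only 203.0.113.7 is reported: it trips the threshold on its fifth failure and is escalated when the administrator logon from the same address succeeds. The single failure from 192.0.2.55 (a user mistyping a password) stays below the threshold, and the failure from 10.0.0.9 is ignored because LogonType 3 is a network logon, not an RDP session. In production the same logic would read from the event log directly rather than a text export, and the high-severity finding is the one to act on immediately.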
When the Gryphon variant was first spotted in August, its new ransom note had the filename HELP.txt and specific instructions to contact either email@example.com or firstname.lastname@example.org for payment information. This variant also uses a different public RSA key to encrypt the victim's AES file-encryption key, and it marks encrypted files with a unique extension (.[email@example.com].crypton).
Later in the month, Nuclear was released with one big flaw. According to Michael Gillespie, the developers of this variant made a major mistake in the encryption of files greater than 10 MB in size, and those files cannot be decrypted, even by the attackers. In addition to the flaw, Nuclear hit the ransomware scene with a new ransom note with the filename HELP.hta. This time the instructions were to contact firstname.lastname@example.org for payment information. Just as with Gryphon, the criminals once again changed the public RSA encryption key and created a unique file extension for the encrypted files (.[affiliate_email].nuclear).
When Wyvern made its debut in late September it was deja vu from Nuclear: same encryption technique and same ransom note (HELP.hta). This time the hackers only changed the contact email (email@example.com) and the file extension (.[email]-id-id.wyvern).
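Because the three variants differ mainly in ransom note name, contact email and file extension, a responder can tell them apart from a file listing alone. The triage helper below is an added example written for this article, not code from the BTCWare authors or from Barkly. It assumes the extension shapes exactly as described above, .[email].crypton, .[email].nuclear and .[email]-id-id.wyvern, and treats the trailing "id" in the Wyvern extension as a per-victim identifier; the file paths are constructed, and the email addresses are the placeholder addresses quoted in this post.

```python
import re

# Assumed extension shapes, taken from the descriptions in this post:
#   Gryphon: <name>.[<contact email>].crypton
#   Nuclear: <name>.[<contact email>].nuclear
#   Wyvern:  <name>.[<contact email>]-id-<victim id>.wyvern
# The "-id-<victim id>" segment is assumed to be a per-victim identifier.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.\[(?P<email>[^\]]+)\]"
    r"(?:-id-(?P<victim_id>[^.]+))?\.(?P<ext>crypton|nuclear|wyvern)$",
    re.IGNORECASE,
)
VARIANT_BY_EXT = {"crypton": "Gryphon", "nuclear": "Nuclear", "wyvern": "Wyvern"}
# HELP.hta is shared by Nuclear and Wyvern, so the note alone is ambiguous there.
RANSOM_NOTES = {"HELP.txt": "Gryphon", "HELP.hta": "Nuclear or Wyvern"}

# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.[email@example.com].crypton",
    r"C:\Users\alice\Documents\HELP.txt",
    r"C:\Shares\finance\q3.docx.[firstname.lastname@example.org].nuclear",
    r"C:\Shares\finance\HELP.hta",
    r"C:\Shares\hr\photo.jpg.[email@example.com]-id-A1B2C3.wyvern",
    r"C:\Shares\hr\photo.jpg",  # untouched file, should not match
]


def classify(path):
    """Return what a single path tells us: a ransom note, an encrypted file, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name in RANSOM_NOTES:
        return {"path": path, "kind": "ransom_note", "variant": RANSOM_NOTES[name]}
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return {
        "path": path,
        "kind": "encrypted_file",
        "variant": VARIANT_BY_EXT[m["ext"].lower()],
        "original_name": m["original"],   # what to rename back to after recovery
        "contact_email": m["email"],      # the attacker's contact, an indicator to hunt on
        "victim_id": m["victim_id"],      # only present for Wyvern
    }


def triage(paths):
    """Summarise variants, attacker contacts and counts across a whole listing."""
    summary = {"variants": set(), "contact_emails": set(),
               "encrypted_files": 0, "ransom_notes": 0}
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        if hit["kind"] == "encrypted_file":
            summary["encrypted_files"] += 1
            summary["variants"].add(hit["variant"])
            summary["contact_emails"].add(hit["contact_email"])
        else:
            summary["ransom_notes"] += 1
    return summary


if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        print(classify(path))
    print(triage(SAMPLE_LISTING))
```

The extension, not the ransom note, is the reliable discriminator: HELP.hta appears with both Nuclear and Wyvern, so the note only narrows the field, while the extension identifies the variant and yields the contact email and original filename. The contact email is worth searching for across the estate, since the same affiliate address will appear on every machine that operator reached over RDP.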
While the majority of security solutions will react to new BTCWare variants by scrambling to update their protection as the variants are discovered (and only after the initial wave of infections is successful), Barkly will block them automatically, without any updates necessary.