BitCrypt is a new malicious program that encrypts files and demands bitcoin payments from victims. It is being spread by a computer Trojan after that Trojan tries to steal from victims' bitcoin wallets.
Ransomware is part of an expanding category of malicious programs. BitCrypt falls into this category because it locks victims' files, or even the whole computer, in an attempt to extort money from them.
One of the first versions of BitCrypt showed up in February, and its development was possibly inspired by the success of a similar program called Cryptolocker, which infected more than 250,000 computers in the last three months of 2013 alone.
Like Cryptolocker, once installed on a system, BitCrypt encrypts a wide range of files, from pictures and documents to applications, archives and database files. Victims who do not have external backups might lose access not just to personal files but also to work projects.
Whilst the initial variant of BitCrypt claimed to be using reasonably strong RSA-1024 encryption, security researchers from Airbus Defence and Space found deficiencies in the implementation that allowed them to create a program to decrypt affected files.
Even so, according to security researchers from antivirus vendor Trend Micro, an upgraded version of the malware emerged this month and is possibly designed for wide distribution. The new version adds a .bitcrypt2 extension to encrypted files and can display its ransom note in 10 different languages: German, Spanish, French, Russian, English, Arabic, Japanese, Italian, Chinese and Portuguese.
When a computer is infected by this variant, it replaces the desktop wallpaper with a picture that carries the note “BitCrypt v2.0 has infected your device” and directs the victim to read a file named Bitcrypt.txt for further details.
This text file contains instructions for reaching a particular website hidden on the Tor anonymity network in order to acquire a special decryption program that is specific to each infection. The website asks victims for their unique infection ID and a payment of 0.4 bitcoins (around US$230 at present exchange rates) in exchange for the decryption app.
The researchers from Trend Micro also discovered that the new BitCrypt version is being distributed by FAREIT, a Trojan program that steals bitcoins, amongst other data.
FAREIT finds and tries to obtain information from wallet.dat (Bitcoin), .wallet (MultiBit) and electrum.dat (Electrum) files. Different Bitcoin client applications create and use these files.
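The file names above are enough for a first-pass triage of a disk image or file share. The following is an added example, not code from the researchers or vendors mentioned in this article: it walks a directory tree, counts files carrying the .bitcrypt2 extension, looks for the Bitcrypt.txt note, and lists wallet files whose keys should be treated as exposed. It assumes the extension is appended to the original file name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENC_EXT = ".bitcrypt2"                         # extension named in the article
NOTE_NAME = "bitcrypt.txt"                     # ransom note named in the article
WALLET_NAMES = {"wallet.dat", "electrum.dat"}  # Bitcoin, Electrum
WALLET_EXT = ".wallet"                         # MultiBit

def is_wallet(name):
    return name in WALLET_NAMES or name.endswith(WALLET_EXT)

def triage(root):
    """Walk root and sort files by the indicators the article lists."""
    rep = {"encrypted": [], "notes": [], "wallets": [], "per_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            if low.endswith(ENC_EXT):
                rep["encrypted"].append(path)
                rep["per_dir"][dirpath] += 1
                low = low[: -len(ENC_EXT)]     # assumed original name (extension appended)
            elif low == NOTE_NAME:
                rep["notes"].append(path)
            if is_wallet(low):                 # wallet file, encrypted or not
                rep["wallets"].append(path)
    return rep

def verdict(rep):
    """Both indicators together are a stronger signal than either alone."""
    if rep["encrypted"] and rep["notes"]:
        return "bitcrypt2-likely"
    if rep["encrypted"] or rep["notes"]:
        return "needs-review"
    return "no-indicators"

def build_sample_tree(root):
    """Constructed sample data: empty files, only the names matter."""
    names = ["docs/report.doc.bitcrypt2", "docs/photo.jpg.bitcrypt2",
             "docs/Bitcrypt.txt", "btc/wallet.dat",
             "btc/savings.wallet.bitcrypt2", "notes/todo.txt"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rep = triage(tmp)
        print(verdict(rep), len(rep["encrypted"]), "encrypted,", len(rep["wallets"]), "wallet files")
```

The per-directory counts in `per_dir` show where encryption was concentrated, which helps decide which backups to restore first.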
To avoid becoming a ransomware victim and being forced to pay to regain access to important files, it is highly recommended to back up your most valuable data regularly. Do not keep the backups on the same computer or on a shared network drive, as the malware could affect those backups too.