New release from BTCWare developers: Shadow ransomware virus

BTCWare ransomware was updated

The well-known ransomware family that has been actively threatening computer users since April 2017 has been updated again. The developers of BTCWare[1] have presented a new version of the malware: Shadow ransomware virus.

Security researcher Michael Gillespie[2] spotted the virus spreading via remote desktop services (RDS).[3] When the criminals find poorly protected RDS, they install the ransomware manually. As soon as the malware executable is launched on the system, the data encryption procedure begins.

Currently, the virus is not decryptable. Therefore, it’s better to take precautions and back up your data to avoid the loss of important information and personal files.

Shadow BTCWare does not bring any major changes

The recently discovered Shadow virus does not include any significant features or improvements. It continues encrypting data using the same cryptography. However, it uses a new file extension to mark the locked files: .[email]-id-id.shadow.
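The extension pattern above is the quickest triage signal on a machine hit by this variant. The following is an added example (not code from the article or from the researchers it cites) that parses file names of the form `<original name>.[<email>]-id-<id>.shadow` and summarises which file types were hit and which contact address was used; the exact format of the id part is an assumption, and the sample file names are constructed.

```python
import re
from collections import Counter
from pathlib import Path

# Assumed shape of the Shadow extension described in the article:
# <original name>.[<email>]-id-<id>.shadow  (the id format is an assumption)
SHADOW_EXT_RE = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]-id-(?P<id>[^.]+)\.shadow$",
    re.IGNORECASE,
)


def parse_shadow_name(name):
    """Return (original_name, email, victim_id) if `name` matches, else None."""
    m = SHADOW_EXT_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("email"), m.group("id")


def triage(filenames):
    """Summarise a list of file names: how many look encrypted, which
    original extensions were affected, and which contact e-mails appear."""
    encrypted = 0
    by_extension = Counter()
    emails = Counter()
    for name in filenames:
        parsed = parse_shadow_name(name)
        if parsed is None:
            continue
        orig, email, _victim_id = parsed
        encrypted += 1
        by_extension[Path(orig).suffix.lower() or "(none)"] += 1
        emails[email.lower()] += 1
    return {"encrypted": encrypted, "by_extension": dict(by_extension),
            "emails": dict(emails)}


def scan_directory(root):
    """Walk `root` and triage every regular file name found under it."""
    return triage(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample names (not real victim data) so the script runs offline.
SAMPLE = [
    "budget.xlsx.[paydayz@cock.li]-id-A1B2C3.shadow",
    "photo.jpg.[paydayz@cock.li]-id-A1B2C3.shadow",
    "notes.txt",
    "report.docx.[PAYDAYZ@cock.li]-id-A1B2C3.shadow",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run `scan_directory("/path/to/share")` on a copy of the affected volume to get the same summary for a real incident; the counts show how far the encryption got without touching file contents.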

The file-encrypting virus continues corrupting the most popular file types, such as documents, pictures, multimedia, databases and similar data. Following data encryption, the malware delivers the same ransom note, which asks the victim to send an email to the cyber criminals:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paydayz@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Criminals also offer to decrypt three files for free in order to prove to victims that the Shadow decryptor actually exists. However, this is no guarantee that after payment you will receive the decryption software and the key.

After a cyber attack, ransomware removal is needed

A ransomware attack is a shocking experience, especially if you do not have data backups. However, once the ransom note pops up on the screen, it’s important to remain calm and not take any immediate action. Paying the ransom does not always end up the way you plan. Crooks often fail to send a decryptor once they receive the demanded sum of Bitcoins.

Even though data loss seems like the end of the world, you should evaluate whether taking the risk is worth it. Some of the earlier variants of BTCWare are decryptable.[4] Therefore, there’s a chance that the recent versions will become decryptable soon as well. Thus, you should be patient.

Therefore, if you have suffered from a Shadow ransomware attack, you should focus on virus removal instead of data recovery. Ransomware removal requires a system scan with antivirus or malware removal software to clean the system of malicious components.

Quick reminder on how to avoid malware

Taking precautions is better than dealing with the problems caused by a ransomware virus. Even though Shadow ransomware spreads via remote desktop services, users are advised not only to strengthen RDS connections but also to follow other security tips,[5] such as:

  • avoiding opening unknown email attachments;
  • checking information about the sender and issue provided in the email before opening attached archives or documents;
  • installing software and OS updates as soon as they emerge;
  • keeping away from untrusted or illegal freeware or shareware download sources;
  • installing professional security software;
  • creating and updating backups.

About the author

Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
