Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Dec 2022

How to remove Bttu ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

Bttu ransomware locks all pictures, videos, documents, and other files on the system for money extortion purposes

Bttu ransomware

Bttu ransomware is a type of malicious software that is designed to encrypt files on your computer and demand a ransom in exchange for their release. It is one of the most destructive forms of cyberattacks, as it can render entire batches of personal files useless if victims are unable to meet the attacker's demands. Suchlike files are marked with .bttu extension and are also stripped from their original icons, which are replaced by blanks instead.

The decryption key that can unlock files is only known to the attackers behind the Bttu virus, and, of course, they are not willing to provide it for free. According to the ransom note _readme.txt, users are meant to contact crooks by writing to support@fishmail.top or datarestorehelp@airmail.cc emails and including their personal ID.

Victims can only retrieve the unique decryption tool if they are willing to pay $980 (or $490 if paid early) in bitcoin – the funds must be transferred to the cybercriminals' wallet. We recommend avoiding any contact with the perpetrators and instead using alternative methods for data recovery we discuss below.

Name Bttu virus
Type Ransomware, file-locking malware
File extension .bttu appended to all personal files
Family Djvu
Ransom note _readme.txt
Ransom size $480/$980
Contact support@fishmail.top or datarestorehelp@airmail.cc
File Recovery There is no guaranteed way to recover locked files without backups. Other options include paying cybercriminals (not recommended, might also lose the paid money), using Emisoft's decryptor (works for a limited number of victims), or using third-party recovery software
Malware removal After disconnecting the computer from the network and the internet, do a complete system scan using the SpyHunterCombo Cleaner security program
System fix As soon as it is installed, malware has the potential to severely harm some system files, causing instability problems, including crashes and errors. Any such damage can be automatically repaired by using FortectIntego PC repair

Djvu is one of the most prominent malware families out there – and that's where Bttu ransomware stems from. Despite efforts to combat it, it remains a significant threat to individuals and organizations, with over a thousand variations identified. It is believed that hundreds of people are affected by it on a daily basis.

Since the release of malware back in 2017, we have seen close to a thousand versions released so far, with variants like Maos, Mppn, Kcvp, showing up weekly. Cybercriminals always use four random letters to name them – one of the more distinctive traits of the virus. Otherwise, version from version does not differ much, as its main goal remains the same – to lock all data and hold it hostage until victims pay the ransom.

The ransom note and how to proceed

A ransom note is among the most important components of any ransomware operation, as without it, users would not be able to find out cybercriminals' contact details, reducing their chances for a successful money transfer to zero. Therefore, it is not unusual for a ransom note to pop up right in front of users' faces as soon as all the files are locked with a secure RSA encryption algorithm.[1]

Bttu ransomware uses a simple text-based format to deliver the message to users, which reads:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-67n37yZLXk
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
support@fishmail.top

Reserve e-mail address to contact us:
datarestorehelp@airmail.cc

Your personal ID:

As is usual for this and many other viruses of this type, the offer to send out a file for test decryption to prove it's possible is there. However, trusting cybercriminals is rather risky, and there is a chance of losing paid money along with the encrypted data. Therefore, we recommend taking an alternative route and removing malware from the system, and then using alternative solutions for data recovery.

Bttu virus

How to deal with a ransomware attack

If you've never been infected with ransomware before, it can be a very confusing and frustrating experience. It's important to take the right steps when dealing with ransomware, though, as your chances of restoring your data may depend on it. Your first task is to remove the malware, back up any encrypted files, and only then attempt recovery.

Remove your computer from the network and scan the PC with anti-malware

To start, you should take some time to remove any ransomware-affected machine's internet or network connection. This will sever the communication between the ransomware and the remote C&C server[2] controlled by criminals.

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and Internet
  • Click Network and Sharing CenterNetwork and internet 2
  • On the left, pick Change adapter settingsNetwork and internet 3
  • Right-click on your connection (for example, Ethernet), and select DisableNetwork and internet 4
  • Confirm with Yes.

By disconnecting your system from the internet, you can scan and clear it of infection using SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or another reliable security software. Although ransomware typically self-destructs after job completion, there is always a chance it will linger. Ransomware commonly comes hand-in-hand with other computer infections (mostly data-stealing[3] Trojans), which raises the stakes in terms of privacy and computer security damage.

Repair your system files

There are thousands of files on any Windows operating system, some of which belong to the OS itself, third-party apps, or those that are personal files, such as pictures or videos. Ransomware targets the latter and mainly leaves system files intact, although this is not always the case.

Ransomware can sometimes have bugs, or its developer might intentionally include modules that would interact with the registry or other components. For example, Djvu variants such as Bttu are programmed to alter the host file on the system, preventing users from accessing certain security-related websites online. This can be everted by deleting the file, which Windows would recreate later. It can be found in the following location:

C:\Windows\System32\drivers\etc\

To repair potential damage to other sectors of the operating system, we recommend running a PC repair tool.

  • Download FortectIntego
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

Recovery of personal (Bttu) files

The last step is to retrieve the locked files without paying cybercriminals. Many people don't understand how data encryption works or know anything about it. Some believe that they can restore their data as soon as they scan their computer with an anti-virus program, while others think that once their files are encrypted, they're gone for good – neither of these scenarios is accurate in this case.

When attempting to recover data affected by ransomware, you should first make backups of all your personal files. Otherwise, they might be permanently damaged, and even a working decryptor will no longer be useful. once done, we recommend trying Emsisoft's decryption tool first:

  • Download the app from the official Emsisoft website.
  • After pressing Download button, a small pop-up at the bottom, titled decrypt_STOPDjvu.exe should show up – click it.
  • If User Account Control (UAC) message shows up, press Yes.
  • Agree to License Terms by pressing Yes.

  • After Disclaimer shows up, press OK.
  • The tool should automatically populate the affected folders, although you can also do it by pressing Add folder at the bottom.
  • Press Decrypt.

From here, there are three available outcomes:

  1. Decrypted!” will be shown under files that were decrypted successfully – they are now usable again.
  2. Error: Unable to decrypt file with ID:” means that the keys for this version of the virus have not yet been retrieved, so you should try later.
  3. This ID appears to be an online ID, decryption is impossible” – you are unable to decrypt files with this tool.

If this method was unsuccessful, you can find more options below.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.