Malware empties Bitcoin wallets, denies access to files until ransom is paid


Users of the cryptocurrency Bitcoin are being targeted by a new form of malware that simultaneously empties digital wallets and encrypts personal files on their system, preventing access. BitCrypt, a member of the burgeoning class of "ransomware," blocks access to the encrypted files until a Bitcoin payment is made online.

While BitCrypt was first discovered in February, the newest variant appeared in March and has been coupled with the FAREIT Trojan, which steals data from Bitcoin wallets, according to a blog post by Trend Micro researchers.

Once a user's system has been infected, most types of files are at risk. According to an article in CSO, the malware "encrypts a large range of files, from documents and pictures to archives, application development and database files. Victims stand to lose access not just to personal files, but also work projects, if they have no external backups."

Once the system has been infiltrated, the desktop wallpaper is changed to display a message that reads, "Your computer was infected by BitCrypt v2.0 cryptovirus," and points to a .txt file that provides additional instructions. The file includes a ransom note that directs users to a deep web site where they can make a payment in the form of Bitcoins. The website even supplies a FAQ (in broken English) that gives directions on how to purchase Bitcoins to pay the ransom and an estimated time for the arrival of the "decryptor" once you pay.

According to the Trend Micro blog, the website demands a payment of 0.4 Bitcoins, worth about $183 at the time of writing. It is not yet clear how many users the malware has affected, but the number of languages the ransom note appears in (10, including English, French, German, Russian, Italian, Spanish, Portuguese, Japanese, Chinese and Arabic) implies that the Trojan has been designed for wide distribution.

The CSO article recommends that users "back up data regularly; preferably not on the same computer or a shared network drive, because the malware could affect those backups as well."

For more:
- read the Trend Micro research blog
- read the CSO article
