A new variant of a malicious program called BitCrypt that encrypts files and asks victims for bitcoin payments is being distributed by a computer Trojan that first pilfers bitcoin wallets.
BitCrypt is part of a growing category of malicious programs known collectively as ransomware that attempt to extort money from victims by locking their files or computers.
One of the first variants of BitCrypt appeared in February, and its development was likely inspired the success of a similar program called Cryptolocker that infected more than 250,000 computers in the last three months of 2013 alone.
Like Cryptolocker, once installed on a system, BitCrypt encrypts a large range of files, from documents and pictures to archives, application development and database files. Victims stand to lose access not just to personal files but also work projects, if they have no external backups.
While the first variant of BitCrypt claimed to be using relatively strong RSA-1024 encryption, security researchers from Airbus Defence and Space found flaws in the implementation that allowed them to create a program to decrypt affected files.
However, according to security researchers from antivirus vendor Trend Micro, an improved version of the malware appeared this month and is likely designed for wide distribution. The new version appends a .bitcrypt2 extension to encrypted files and can display its ransom note in 10 different languages: English, French, German, Russian, Italian, Spanish, Portuguese, Japanese, Chinese and Arabic.
When this variant infects a computer it changes the desktop wallpaper to a picture that reads “Your computer was infected by BitCrypt v2.0 cryptovirus” and points the victim to a file called Bitcrypt.txt for additional instructions, the Trend Micro researchers said Monday in a blog post.
The text file contains information on how to access a specific website hidden on the Tor anonymity network in order to obtain a special decryption program that’s unique for every infection. The website asks users for their unique infection ID and a payment of 0.4 bitcoins—around $230 at current exchange rates—in order to obtain the decryption tool.
In a somewhat ironic twist, the Trend Micro researchers also found that the new BitCrypt variant is being distributed by a Trojan program called FAREIT that steals bitcoins, among other data.
FAREIT searches and attempts to extract information from wallet.dat (Bitcoin), electrum.dat (Electrum) and .wallet (MultiBit) files, the researchers said. These files are created and used by different Bitcoin client applications.
To avoid becoming a ransomware victim and being forced to pay to regain access to important files, it’s essential to back up data regularly; preferably not on the same computer or a shared network drive, because the malware could affect those backups as well.