BTCamant Ransomware

BTCamant Ransomware Overview
The BTCamant ransomware is a malware strain that is under investigation by the security community. The name of the virus comes from the "Mission Impossible" movie. According to the available information, BTCamant is based on the Radamant ransomware, which was uncovered in December 2015.

Upon infection it follows the usual ransomware behavior: it encrypts targeted user files and demands a ransom fee of 0.5 Bitcoins. We assume that the virus also deletes the Shadow Volume Copies of the infected host. Affected files are renamed with the .BTC extension.

BTCamant Ransomware Affected File Types

BTCamant Ransomware Note
"Hello! For getting back Your PC data You need to contact with us through email as soon as possible: sepas@protonmai1.com, sepast@protonmai1.com"

BTCamant Ransomware Distribution
We assume that the ransomware uses the most popular distribution tactics, such as spam email messages, infected software installers, etc.

BTCamant Ransomware Removal
In-depth removal instructions and detailed technical information about the virus can be found on Best Security Search.