A new variant of the BTCWare ransomware, discovered by Michael Gillespie, appends the .[email]-id-[id].shadow extension to encrypted files. The BTCWare family of ransomware infections targets its victims by breaking into poorly protected remote desktop services and manually installing the ransomware.

Below is a brief summary of changes in this new Shadow btcware ransomware variant.

What’s New in the Shadow Ransomware BTCWare Variant

Not much has changed in this new variant other than the email address victims are told to contact the developer at and the extension appended to encrypted files. In this version, the contact email address is now [email protected], which is listed in the ransom note below.

Shadow Ransomware (BTCWare) Ransom Note

The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it modifies the filename by appending the .[email]-id-[id].shadow extension to the encrypted file’s name. For example, the file test.jpg was encrypted and renamed to test.jpg.[[email protected]]-id-C0C.shadow.
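A small triage helper for this naming scheme, added here as an example and not taken from the original article: it parses an encrypted filename back into its original name, contact email and victim id, and flags matches in a directory listing. It assumes the victim id is a short hexadecimal token and the bracketed email is a plain address, both inferred from the single example above; the listing and the email address are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Naming scheme described above:
#   <original name>.[<contact email>]-id-<victim id>.shadow
# Assumptions: the victim id is hexadecimal (e.g. C0C) and the email
# contains no whitespace or ']' characters.
SHADOW_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]-id-"
    r"(?P<victim_id>[0-9A-Fa-f]+)\.shadow$"
)


class ShadowMatch(NamedTuple):
    original: str
    email: str
    victim_id: str


def parse_shadow_name(filename: str) -> Optional[ShadowMatch]:
    """Split a Shadow-encrypted filename into its parts, or return None."""
    m = SHADOW_RE.match(filename)
    if not m:
        return None
    return ShadowMatch(m["original"], m["email"], m["victim_id"].upper())


def scan_listing(filenames: Iterable[str]) -> Dict[str, List[str]]:
    """Group encrypted files by victim id; an empty dict means no hits.

    Useful for confirming an infection and checking whether more than one
    victim id (i.e. more than one run of the ransomware) touched a share.
    """
    hits: Dict[str, List[str]] = {}
    for name in filenames:
        parsed = parse_shadow_name(name)
        if parsed:
            hits.setdefault(parsed.victim_id, []).append(parsed.original)
    return hits


# Constructed sample listing; the email is a placeholder, not a real indicator.
SAMPLE_LISTING = [
    "test.jpg.[attacker@example.invalid]-id-C0C.shadow",
    "report.docx.[attacker@example.invalid]-id-C0C.shadow",
    "notes.txt",
    "archive.zip.[attacker@example.invalid]-id-1A2B.shadow",
    "shadow_copy.bak",  # contains "shadow" but does not match the pattern
]

if __name__ == "__main__":
    for vid, files in scan_listing(SAMPLE_LISTING).items():
        print(f"victim id {vid}: {len(files)} encrypted file(s): {', '.join(files)}")
```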

You can see an example of an encrypted folder below.

Folder of Encrypted Shadow Files

If any new information or methods to decrypt the files becomes available, we will be sure to update this article.

How to protect yourself from the Shadow BTCWare Ransomware

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an…
