Bit Cryptor, also referred to as BitCryptor, is the most recently released ransomware variant targeting Windows computers on a large scale. It encrypts the user’s files with AES-256, a government-grade standard used to secure classified data and widely employed in legitimate privacy protection software. Once the information on a PC has been encrypted, the virus displays a screen saying that the only way to restore those files is to pay a ransom of 1 Bitcoin. This is a fairly commonplace workflow for the malware family in question, which IT experts have been observing for the past few years, but despite significant research and effort no actionable countermeasures have been devised thus far.
Judging by some code-level peculiarities and even the design of the main console, Bit Cryptor is a successor of the ill-famed CoinVault malware. One of the well-known security labs developed a free tool that assisted file decryption in CoinVault infection scenarios, but that applet does not work for the new variant. BitCryptor appears to be more sophisticated, as it terminates the Windows processes that are normally used for repair, such as cmd, msconfig, regedit and taskmgr. It also erases the shadow volume copies of the encrypted files in order to close off this recovery vector. All in all, the challenge is definitely nontrivial.
The ransomware uses a mix of exploit-based techniques and spear phishing to infect computers. In most cases, therefore, users realize they have been attacked only after the program has caused virtually irreversible damage, so they are left to deal with the aftermath. Once the intrusion has taken place, Bit Cryptor scans the hard drive for specific types of files. The extensions it looks for match the most popular file and document types, so it is clearly personal data that is targeted. Interestingly, though, the virus does not process objects located in system directories: Windows, Program Files, Temp, All Users, Downloads, etc. This might indicate a selective approach intended to save processing resources, which has not been observed in other known ransomware samples.
The underlying executable visible in Task Manager is bclock.exe. This process gets added to the startup entries list. As long as it is running, the desktop wallpaper is automatically changed to an image reading “Your files have been encrypted”, signed “Bit Cryptor”. The ransomware’s console pops up with details of the attack and instructions regarding file recovery. There is a countdown clock with a notice underneath stating that the ransom will increase by 1 Bitcoin after the time expires. There are also buttons to view all encrypted files and to decrypt one file for free. Every infected user is assigned a unique Bitcoin address, which is displayed on the malware’s GUI as well. Essentially, the criminals want the victim to buy the decryption keys, which can then be entered in the respective fields to commence decryption.
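The indicators named above (the bclock.exe process, its startup entry, and the deleted shadow copies) can be checked from the command line before any cleanup is attempted. The following PowerShell script is an added example and is not part of the original article; it reports the findings rather than changing anything. The process name and the Run-key locations are taken from the article and standard Windows layout; everything else is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): read-only triage for the
# Bit Cryptor indicators described in the text. Assumptions: the process name
# bclock (from the article) and the standard Run/RunOnce registry locations.

$ProcessName = 'bclock'   # bclock.exe as seen in Task Manager (from the article)

# 1. Is the ransomware process currently running?
$running = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($running) {
    $running | ForEach-Object {
        "RUNNING: $($_.ProcessName) (PID $($_.Id)) path=$($_.Path)"
    }
} else {
    "Not running: $ProcessName.exe"
}

# 2. Has it been registered as a startup entry in the usual Run keys?
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'bclock\.exe') {
            "AUTORUN: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Are any Volume Shadow Copies left? The article says the ransomware deletes
#    them, so an empty list on a machine that had System Restore enabled is
#    itself a sign, and a non-empty list means the Previous Versions route
#    described later is still worth trying.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Shadow copies present: $($shadows.Count)"
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
```

The script only reads process, registry and CIM information; removal is left to the security suite, as the article recommends, so that the check can be re-run afterwards to confirm the indicators are gone.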
Even though the damage done by Bit Cryptor is difficult to undo, there are methods worth trying in order to reinstate the encrypted files. Before you proceed with system remediation and file recovery, be advised that the virus might block some AV executables. If that is the case, it is recommended to follow the instructions below in Safe Mode.
Automatic removal with a reputable security suite is an exceptionally efficient method for taking care of malware in general and ransomware threats in particular. Such a suite ensures thorough detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; still, the need to remove the pest is indisputable, as it has been reported to drop other Trojans while operating.
It has been mentioned that Bit Cryptor applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff – learn what those are.
Automatic file recovery software
It is worth knowing that Bit Cryptor deletes the original, unencrypted files; it is the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects, even if they were removed in a secure way. This workaround is definitely worthwhile, as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works if the System Restore feature was toggled on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.
The Properties dialog for individual files has a tab called Previous Versions. That is where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
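The Previous Versions / Shadow Explorer procedure above can also be scripted, which helps when many files need to be pulled out of whatever shadow copies survived. The following PowerShell script is an added example and is not part of the original article or of Shadow Explorer: it exposes each shadow copy of the file's volume through a temporary directory symbolic link and copies every available version of the file out, newest first. The file, destination and mount-point paths are assumptions chosen for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): recover every shadow-copy
# version of one file. Assumptions: the three paths below are illustrative;
# at least one shadow copy of the file's volume still exists.
param(
    [string]$FileToRecover = 'C:\Users\Alice\Documents\report.docx',  # assumed example path
    [string]$RestoreTo     = 'C:\Recovered',                            # assumed destination
    [string]$MountPoint    = 'C:\ShadowMount'                           # assumed temporary link
)

# Identify the volume the file lives on (e.g. C:) and its \\?\Volume{GUID}\ id,
# which is how Win32_ShadowCopy refers to volumes.
$driveLetter = Split-Path -Qualifier $FileToRecover          # 'C:'
$volumeRoot  = $driveLetter + '\'                            # 'C:\'
$volumeId    = (Get-CimInstance Win32_Volume |
                Where-Object { $_.DriveLetter -eq $driveLetter }).DeviceID

$shadows = @(Get-CimInstance Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volumeId } |
             Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) { throw "No shadow copies found for $volumeRoot" }

# Path of the file relative to the volume root, e.g. Users\Alice\Documents\report.docx
$relative = $FileToRecover.Substring($volumeRoot.Length)
New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null

foreach ($s in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
    # mklink needs the trailing backslash to expose it as a directory tree.
    if (Test-Path $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }
    cmd /c mklink /d "$MountPoint" "$($s.DeviceObject)\" | Out-Null

    $candidate = Join-Path $MountPoint $relative
    if (Test-Path $candidate) {
        # Prefix each recovered copy with the snapshot time so versions do not collide.
        $stamp = $s.InstallDate.ToString('yyyyMMdd-HHmmss')
        $dest  = Join-Path $RestoreTo ("{0}_{1}" -f $stamp, (Split-Path $FileToRecover -Leaf))
        Copy-Item -Path $candidate -Destination $dest
        "Recovered version from $($s.InstallDate): $dest"
    } else {
        "Not present in snapshot from $($s.InstallDate)"
    }
}

# rmdir on the symbolic link removes only the link, never the snapshot contents.
if (Test-Path $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }
```

As with the Previous Versions tab, this only works if System Restore was enabled before the infection and if the ransomware's deletion of the shadow copies did not succeed; recovered versions reflect the state at each restore point, not later edits.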
Restoring from a backup is the best of all the options that are not ransom-related. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by Bit Cryptor is as simple as logging into the respective interface, selecting the right files and initiating the restore. Before you do so, however, be sure to completely remove the ransomware from your computer.
In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed as obfuscated objects in the operating system or registry entries. To make sure there are no malicious components of the Bit Cryptor virus left, have your computer scanned with a reliable malware security suite.