News

October 12, 2017

A new variant of what appears to be BTCWare ransomware is currently targeting victims and appending the .[email]-id-id.payday extension to encrypted files. This family of ransomware targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.

Below is a brief summary of changes in this new payday btcware ransomware variant.

What's New in the Payday Ransomware BTCWare Variant

According to Michael Gillespie, the creator of ID-Ransomware, this payday variant uses a new key generation when encrypting files, which cannot be cracked. So unfortunately, there is no way to decrypt payday files for free.

We also have a new BleepingComputer forum account named payday_lock that claims to be the developer making posts in the forums.

forum post
Post by the Payday Ransomware Dev

Other changes include new ransom notes named payday.hta and !! RETURN FILES !!.txt. The main difference in these notes is the contact email, which are This email address is being protected from spambots. You need JavaScript enabled to view it. & This email address is being protected from spambots. You need JavaScript enabled to view it.. You can see an example of one of the variant's ransom note below.

ransom notePayday Ransomware (BTCWare) Ransom Note

The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .[email]-id-id.payday extension to encrypted file's name. For example, the current version will encrypt a file called test.jpg and rename it to test.jpg.[This email address is being protected from spambots. You need JavaScript enabled to view it.]-id-CE4.payday.

You can see an example of an encrypted folder below.

encrypted filesFolder of Encrypted Payday Files

If any new information or methods to decrypt the files becomes available, we will be sure to update this article.

IOCs

File Hashes:

Screenshot001

Filenames associated with the Payday Ransomware Variant:

Screenshot002

Payday BTCWare Ransomware Ransom Note Text:

Screenshot003

Emails Associated with the Payday Ransomware:

Screenshot

News Courtesy : https://www.bleepingcomputer.com/news/security/new-payday-btcware-ransomware-variant-released/