When BitCryptor is first started, it deletes all shadow volume copies on the computer so that you are unable to restore your files from them. It then sets the Windows wallpaper to %Temp%\wallpaper.jpg and begins encrypting your files. BitCryptor chooses which files to encrypt according to the following rules:
- BitCryptor will not encrypt any files found in the program files, appdata, programdata, boot, windows, winnt, recycle.bin, downloads, all users, or temp folders.
- It will encrypt all files, regardless of extension, if the folder name contains the string pictures or backup.
- Otherwise it will encrypt any files that match the following extensions: .odt,.ods,.odp,.odm,.odc,.odb,.doc,.docx,.docm,.wps,.xls,.xlsx,.xlsm,.xlsb,.xlk,.ppt,.pptx,.pptm,.mdb,.accdb,.pst,.dwg,.dxf,.dxg,.wpd,.rtf,.wb2,.mdf,.dbf,.psd,.pdd,.pdf,.eps,.ai,.indd,.cdr,.dng,.3fr,.arw,.srf,.sr2,.mp3,.bay,.crw,.cr2,.dcr,.kdc,.erf,.mef,.mrw,.nef,.nrw,.orf,.raf,.raw,.rwl,.rw2,.r3d,.ptx,.pef,.srw,.x3f,.der,.cer,.crt,.pem,.pfx,.p12,.p7b,.p7c,.jpg,.png,.jfif,.jpeg,.gif,.bmp,.exif,.txt,.tc,.mov,.mp4,.rar,.zip,.iso,.vsdx,.3ds, and .c4d
shadow,cmd,processhacker,mbam,sh4,spyhunter,msconfig,taskmgr,roguekiller,rstrui,regedit,procexp

As always, we suggest you practice good computer safety to protect your computer from being infected with this ransomware. This means only open attachments that you are expecting and make sure you keep all your programs and Windows updated.
We also suggest a behavior detection program such as CryptoMonitor and HitmanPro: Alert. CryptoMonitor was able to prevent this infection without any updates and I am sure HitmanPro: Alert will be able to do so soon, if not already.
If any new information is released on this ransomware, we will be sure to post about it here.
Known BitCryptor Files:
- %Temp%\BitCryptorFileList.txt
- %Temp%\wallpaper.jpg
- %UserProfile%\filelist.locklst
- %UserProfile%\sfile

Known BitCryptor Ransomware Registry keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BitC "%UserProfile%\bclock.exe"
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*BitC "%UserProfile%\bclock.exe"
- HKCU\Control Panel\Desktop\Wallpaper "%Temp%\wallpaper.jpg"