MyAntiSpyware

.Btos file extension. Remove Btos virus. Restore, Decrypt .btos files.

Myantispyware team January 29, 2020    

Btos file extension

.Btos is the file extension that the newest variant of STOP (djvu) ransomware uses to mark files that it has encrypted. Ransomware is malware created by criminals that restricts access to the victim’s files by encrypting them and then demands a ransom for the key and decryptor needed to decrypt them. Files encrypted with the .btos extension become useless: their contents cannot be read without the key that the criminals hold. Fortunately, there is a free decryptor that can decrypt .btos files in some cases. It is described in detail in this article.

Files encrypted with .Btos extension

Screenshot of files encrypted by Btos virus (‘.btos’ file extension)

Btos virus

Btos virus is the latest version of STOP ransomware, which was discovered by security researchers some days ago. This is already the 202nd variant (v0202) of STOP ransomware. Like other variants, it encrypts all files on the computer and then demands a ransom for decryption. The virus encrypts files using a strong encryption method, which makes it impossible to work out the key. For each victim, Btos uses a unique key, with one exception: if the virus cannot establish a connection with its command and control (C&C) server before starting the encryption process, it uses an offline key. This key is the same for different victims, which makes it possible in some cases to decrypt files that were encrypted during the ransomware attack.

What is offline key

Btos can encrypt files of any type, regardless of what is in them. It skips only files with the extensions .ini, .dll, .lnk, .bat and .sys, and files named ‘_readme.txt’. Thus, the following common file types can be easily encrypted:

.flv, .srf, .snx, .d3dbsp, .blob, .yal, .qdf, .rb, .nrw, .vtf, .xlsx, .wdp, .wb2, .kdc, .x, .menu, .p12, .psk, .wp5, .arch00, .tax, .xlgc, .esm, .wot, .xxx, .rofl, .hkdb, .gdb, .webdoc, .z, .lrf, .mlx, .sum, .sr2, .1, .xx, .hplg, .kf, .sidn, .cfr, .rgss3a, .bsa, .wbz, .xbplate, .pdf, .bc6, .wsd, .zabw, .xls, .csv, .sb, .1st, .hvpl, .svg, .accdb, .wma, .wdb, .wn, .z3d, .arw, .css, .pef, .sis, .psd, .bc7, .itdb, .wbd, .iwd, .erf, .wbk, .bar, .ztmp, .yml, .zi, .cr2, .der, .map, .epk, .itl, .forge, .bay, wallet, .ybk, .vcf, .xdl, .sav, .syncdb, .xll, .m2, .pkpass, .wotreplay, .rw2, .pdd, .dng, .crt, .pst, .doc, .xf, .desc, .sid, .docm, .xmind, .dba, .mdb, .ncf, .xls, .crw, .rtf, .wmd, .avi, .wma, .xlsb, .2bp, .wri, .odp, .raf, .0, .zif, .wmf, .wp4, .mdbackup, .wsh, .jpeg, .ai, .xdb, .slm, .xbdoc, .ntl, .odm, .3fr, .xpm, .ws, .wpg, .layout, .pak, .mov, .db0, .xlsx, .vpk, .dbf, .xld, .ff, .das, .wmv, .litemod, .xlk, .wpd, .ltx, .x3f, .itm, .wpe, .sidd, .fos, .xlsm, .jpg, .vpp_pc, .xyp, .mpqge, .rar, .t13, .mp4, .ysp, .apk, .pptm, .odb, .w3x, .sie, .xwp, .iwi, .tor, .zdc, .wmo, .wp6, .eps, .rim, .wpb, .wp7, .wav, .pfx, .wbm, .t12, .zip, .js, .3dm, .bik, .cdr, .wpw, .upk, .hkx, .xlsm, .rwl, .wp, .dcr, .p7c, .x3f, .zip, .cas, .docx, .wmv, .wpa, .m4a, .fsh

Each file that has been encrypted is renamed: if the file was called ‘document.docx’, then after encryption it will be named ‘document.docx.btos’. Btos virus can encrypt files located on all drives connected to the computer, so files located on network attached storage and external devices can also be encrypted. It encrypts file by file. When all the files in a directory are encrypted, it drops a new file called ‘_readme.txt’ in that directory. Below are the contents of this file.

Btos ransom note

Screenshot of the contents of ‘_readme.txt’ file (Btos ransom note)

Every directory with encrypted files contains this file, and its contents are the same everywhere. The file contains a message from the Btos creators. In this message, the criminals report that all the files were encrypted and that the only way to decrypt them is to buy a decryptor and key. The attackers demand a ransom of $490; if the victim does not pay within 72 hours, the ransom doubles to $980. The Btos authors left two email addresses that the victim must use to contact them. To confirm that decryption is possible, the criminals offer to decrypt for free one file that does not contain important information. But there is obviously no guarantee that, even after paying the ransom, the victim will be able to decrypt all the files that have been encrypted.

Threat Summary

Name: Btos
Type: Crypto malware, File locker, Filecoder, Ransomware, Crypto virus
Encrypted files extension: .btos
Ransom note: _readme.txt
Contact: helpmanager@firemail.cc, helpmanager@iran.ir
Ransom amount: $980, $490 in Bitcoins
Detection names: Trojan-Ransom.Win32.Stop.im, Trojan.Stop.Win32.67, Trojan.Win32.Generic!BT, Win32.Trojan.Stop.Dxwz, Win32/Trojan.IM.77f, Trj/GdSda.A, Ransom:Win32/STOP.BS!MTB, Trojan-Ransom.Win32.Stop.im, Trojan.Win32.Crypt, W32/Kryptik.HANB!tr, Trojan.TR/AD.InstaBot.gcd, Generic.mg.1b29ba23050c2560
Symptoms: Documents, photos and music won’t open. Your personal files now have odd extensions that end with something like .locked, .crypted or .cryptor. Files named such as ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. Ransom note displayed on your desktop.
Distribution ways: Phishing email scam that attempts to scare users into acting impulsively. Torrents websites. Drive-by downloading (when a user unknowingly visits an infected web page and then malicious software is installed without the user’s knowledge). Cracked games. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a suspicious link). Adware. Remote desktop protocol (RDP) hacking.
Removal: Btos virus removal guide
Decryption: Free Btos Decryptor

 

Btos authors claim that it is impossible to decrypt files that have been encrypted. Until recently, this was so. Now, with the advent of the STOP (Btos) decryptor, files can be decrypted in some cases, namely when they were encrypted with the offline key that we talked about earlier. In all remaining cases, decryption is not yet possible. But there are several alternative ways that can allow everyone to recover the contents of encrypted files.

How to remove Btos ransomware virus & Decrypt .btos files

If your files were encrypted with Btos virus, we recommend using the following action plan, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read this entire manual, then open it on your smartphone or print it, so that it is more convenient to carry out all the necessary actions.

  1. How to remove Btos ransomware virus
  2. How to decrypt .btos files
  3. How to restore .btos files
  4. How to protect your PC from Btos ransomware virus

How to remove Btos ransomware virus

Starting to decrypt or restore files immediately is a mistake. The best way is to go step by step: scan your computer for ransomware, detect and remove Btos virus, then decrypt (recover) the encrypted files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove Btos. Each of the tools used should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the ransomware was found and completely removed.




How to remove Btos virus with Zemana Anti Malware (ZAM)

Zemana Anti-Malware is a malware scanner that is very useful for detecting and deleting Btos crypto malware. The steps below explain how to download, install, and use Zemana Free to scan your personal computer and remove crypto malware, spyware, adware, worms, trojans and other malware for free.

  1. Download Zemana Anti Malware (ZAM) on your Windows Desktop by clicking on the following link.
    Zemana AntiMalware
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  2. Once you have downloaded the setup file, double-click on Zemana.AntiMalware.Setup. This starts the Zemana Anti Malware installation on your computer.
  3. Select the install language and click the ‘OK’ button.
  4. On the next screen, ‘Setup Wizard’, simply click the ‘Next’ button and follow the prompts.
    Zemana AntiMalware SetupWizard
  5. Finally, once the install is finished, Zemana Anti-Malware (ZAM) will open automatically. If it does not, double-click on the Zemana AntiMalware icon on your desktop.
  6. Now that you have successfully installed Zemana Free, let’s see how to use it to remove Btos ransomware virus from your computer.
  7. After you have started Zemana Free, you’ll see a window as displayed below. Press the ‘Scan’ button to scan your PC for the ransomware.
  8. Now pay attention to the screen while Zemana AntiMalware scans your computer.
    Zemana Anti-Malware detect Btos crypto malware, other malware, worms and trojans
  9. Once Zemana Free has completed scanning, it will show a scan report. Review the results. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the ‘Next’ button.
    Zemana Anti-Malware scan is finished
  10. Zemana Anti-Malware (ZAM) may require a reboot of the PC in order to complete the Btos ransomware virus removal process.
  11. If you want to permanently delete ransomware from your personal computer, then click the ‘Quarantine’ icon, select all malicious software, adware, PUPs and other items and press Delete.
  12. Restart your machine to complete the ransomware virus removal process.

Use MalwareBytes to remove Btos ransomware

Getting rid of Btos crypto malware manually is difficult, and often the crypto virus is not completely removed. Therefore, we suggest you run MalwareBytes Anti-Malware (MBAM) to fully clean your computer. Moreover, this free program will allow you to remove malware, potentially unwanted software, toolbars and adware that your machine may also be infected with.

First, visit the following page, then click the ‘Download’ button in order to download the latest version of MalwareBytes.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the downloading process is complete, close all apps and windows on your computer. Open the directory in which you saved the file. Double-click on the icon named mb3-setup, as displayed in the following example.

MalwareBytes Free for Windows

When the install starts, you’ll see the “Setup wizard” which will help you set up Malwarebytes on your PC system.

MalwareBytes Free for MS Windows set up wizard

Once installation is complete, you will see a window like the one below.

MalwareBytes AntiMalware for Windows

Now press the “Scan Now” button. MalwareBytes will begin scanning the whole computer to find Btos crypto virus and other security threats. When malicious software, adware or potentially unwanted apps are found, the number of security threats will change accordingly.

MalwareBytes Anti Malware (MBAM) for Microsoft Windows locate Btos crypto virus related folders,files and registry keys

Once MalwareBytes AntiMalware has completed scanning your computer, you can check all threats detected on your PC system. In order to delete all threats, simply click the “Quarantine Selected” button.

MalwareBytes for Microsoft Windows, scan for ransomware is complete

MalwareBytes will now begin to delete Btos ransomware virus, other malware, worms and trojans. Once disinfection is finished, you may be prompted to restart your computer.

MalwareBytes for Microsoft Windows restart dialog box

Remove Btos virus with Kaspersky virus removal tool

Kaspersky virus removal tool (KVRT) is a free removal utility that can be downloaded and run to remove ransomware, adware, spyware, trojans, worms and other security threats from the system. You can run this tool to detect malicious software even if you have an antivirus or any other security application.

Download Kaspersky virus removal tool (KVRT) from the following link.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

When the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once the initialization process is complete, you will see the Kaspersky virus removal tool screen as displayed below.

KVRT main window

Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to perform a system scan with this utility for the Btos crypto virus and other malware. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour. During the scan KVRT will look for threats present on your computer.

KVRT scanning

After Kaspersky virus removal tool has completed scanning, it will display a list of all items found by the scan, as displayed below.

Kaspersky virus removal tool scan report

Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press on Continue to start a cleaning procedure.

How to decrypt .btos files

All files with the ‘.btos’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. To decrypt .btos files, you need a decryptor. Fortunately, Emsisoft has created a free decryptor called STOP Djvu decryptor.

STOP Djvu decryptor


To decrypt .btos files, use free STOP (Btos) decryptor

  • Download STOP (Djvu) decryptor from the following link.
    STOP Djvu decryptor
  • Scroll down to ‘New Djvu ransomware’ section.
  • Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
  • Run decrypt_STOPDjvu.exe, read the license terms and instructions.
  • On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
  • Click the ‘Decrypt’ button.

STOP (Btos) decryptor is a free tool that allows everyone to decrypt .btos files for free. At the moment, the decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless.

How to find out which key was used to encrypt files

Since STOP (Btos) decryptor only decrypts files encrypted with the offline key, each Btos victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use either of them.

Btos ID

Personal ID is highlighted here

Find out the type of key using ‘_readme.txt’ file

  • Open the ransom demand message (‘_readme.txt’ file).
  • Scroll down to the end of the file.
  • There you will see a line with the text ‘Your personal ID’.
  • Below is a line of characters that starts with ‘0195’ – this is your personal id.

Find out the type of key using ‘PersonalID.txt’ file

  • Open disk C.
  • Open directory ‘SystemID’.
  • Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.

The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Btos virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
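The two checks above can be run over a whole drive in one pass. The following is an added example, not part of the original guide or of any vendor tool: it counts ‘.btos’ files per folder and applies the ‘t1’ rule to every ID found in ‘_readme.txt’ notes and in ‘PersonalID.txt’. The ID shape (one unbroken run of 20 or more letters and digits), the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".btos"      # extension named in the article
RANSOM_NOTE = "_readme.txt"  # ransom note name from the article
ID_FILE = "PersonalID.txt"   # found in C:\SystemID according to the article
# Assumption: an ID is one unbroken run of 20 or more letters and digits.
ID_TOKEN = re.compile(r"\b[0-9A-Za-z]{20,}\b")


def key_type(personal_id):
    """Article's rule: an ID ending in 't1' means the offline key was used."""
    return "offline" if personal_id.endswith("t1") else "online"


def ids_from_note(text):
    """IDs found after the last 'Your personal ID' line of a ransom note."""
    pos = text.lower().rfind("your personal id")
    return ID_TOKEN.findall(text[pos:]) if pos != -1 else []


def triage(root, id_file=None):
    """Walk root, count encrypted files per folder, classify every ID seen."""
    per_dir, ids = Counter(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
            elif name == RANSOM_NOTE:
                note = Path(dirpath, name).read_text(errors="replace")
                ids.update(ids_from_note(note))
    # PersonalID.txt can list several IDs if encryption ran more than once.
    if id_file and Path(id_file).is_file():
        ids.update(ID_TOKEN.findall(Path(id_file).read_text(errors="replace")))
    keys = {pid: key_type(pid) for pid in sorted(ids)}
    return {
        "encrypted_files": sum(per_dir.values()),
        "folders_hit": len(per_dir),
        "ids": keys,
        # Only files under an offline key are candidates for the free decryptor.
        "try_free_decryptor": "offline" in keys.values(),
        # Files under an online key need ShadowExplorer / PhotoRec style recovery.
        "needs_other_recovery": "online" in keys.values(),
    }


def demo():
    """Build a constructed sample tree in a temp directory and triage it."""
    offline_id = "0195" + "A" * 34 + "t1"  # constructed, not a real ID
    online_id = "0195" + "B" * 36          # constructed, not a real ID
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Users", "sample", "Documents")
        pics = Path(tmp, "Users", "sample", "Pictures")
        docs.mkdir(parents=True)
        pics.mkdir(parents=True)
        (docs / "document.docx.btos").write_bytes(b"\x00")
        (docs / "budget.xlsx.btos").write_bytes(b"\x00")
        (pics / "photo.jpg.btos").write_bytes(b"\x00")
        (pics / "desktop.ini").write_text("")  # a skipped type, left untouched
        (docs / RANSOM_NOTE).write_text(
            "constructed note text\nYour personal ID:\n" + offline_id + "\n")
        id_file = Path(tmp, ID_FILE)
        id_file.write_text(offline_id + "\n" + online_id + "\n")
        return triage(tmp, id_file)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

On a real machine, call triage() with the drive root and the path to ‘PersonalID.txt’; a result that lists both key types means some files may be decryptable while others need the recovery methods described later.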

What to do if STOP (Btos) decryptor says “Error: Unable to decrypt file with ID”

If, during decryption of .btos files, the decryptor reports ‘Error: Unable to decrypt file with ID’ and skips files without decrypting them, there are two possible reasons:

  • files are encrypted with an ‘online key’; in this case, you need to use alternative methods to restore the contents of encrypted files;
  • files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers; in this case, you need to be patient and wait a while, and you can also use alternative ways of recovering encrypted data.

How to restore .btos files

As we already said, STOP (Btos) decryptor can only decrypt files encrypted using the so-called ‘offline key’. What to do when files were encrypted with an online key? Even in this case, everyone has a chance to recover the contents of encrypted files, because there are several alternative ways to restore files. None of these methods requires a decryptor or the unique key that is in the hands of the criminals. The only thing we strongly recommend (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Btos virus has been removed. To find and remove ransomware, use the free malware removal tools.




Use ShadowExplorer to recover .btos files

The Windows OS (10, 8, 7, Vista) has one very useful feature: it makes copies of all files that have been modified or deleted. This is done so that the user can recover, if necessary, the previous version of accidentally deleted or damaged files. These copies of the files are called ‘Shadow copies’. One tool that can help you recover files from the Shadow copies is ShadowExplorer. It is a very small tool and easy to use. Unfortunately, ransomware often deletes Shadow copies, thus blocking this method of recovering encrypted files. Nevertheless, be sure to try this method.

Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your MS Windows Desktop by clicking on the link below.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the download is done, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the following example.

ShadowExplorer folder

Start the ShadowExplorer tool and then select the disk (1) and the date (2) of the shadow copy from which you wish to recover the file(s) encrypted by the Btos crypto virus, as displayed in the following example.

ShadowExplorer restore files encrypted by the Btos crypto malware

Now navigate to the file or folder that you want to restore. When ready, right-click on it and click the ‘Export’ button as shown in the figure below.

ShadowExplorer restore file

Use PhotoRec to restore .btos files

Another alternative way to recover encrypted files is to use data recovery tools. We recommend using a program called PhotoRec. This tool is free and does not require installation. Below we will show in detail how to use it to restore encrypted files.

Download PhotoRec on your personal computer by clicking on the link below.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the downloading process is done, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed below.

PhotoRec for windows

Choose a drive to recover, as shown below.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as on the image below.

photorec choose partition

Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.

PhotoRec file formats

Next, press Browse button to choose where restored documents, photos and music should be written, then click Search.

photorec

The count of restored files is updated in real time. All recovered files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.

When the restore is done, press the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents like those shown below.

PhotoRec - result of restore

All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your PC from Btos ransomware virus?

Most antivirus applications already have a built-in protection system against crypto viruses. Therefore, if your PC system does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

HitmanPro Alert can be downloaded from the following link. Save it to your Desktop.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

When the downloading process is done, open the directory in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. Once the tool opens, you will see a window where you can select a level of protection, like the one below.

HitmanPro.Alert install

Now press the Install button to activate the protection.

Final words

This guide was created to help all victims of Btos ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .btos files; how to recover files, if STOP (Btos) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.

If you have questions, then write to us, leaving a comment below. If you need more help with Btos related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

2 Comments

  1. wendi
    ― January 31, 2020 - 5:00 am  Reply

    Hi, I have followed the steps to 1) install anti-malware software & 2) restore btos file. However, I still can’t seem to open those files, software etc. Did I miss a step?

  2. Myantispyware team
    ― February 5, 2020 - 12:55 am  Reply

    wendi, you need to use anti-malware software to make sure that there is no active ransomware on the computer. If a malware removal tool did not find ransomware, then you can proceed to decrypt the files or try to recover them. First of all, try to decrypt .btos files, for this, use the free decryptor, which is described above. Only if this decryptor could not help you, then use data recovery tools (ShadowExplorer and PhotoRec). These tools do not decrypt encrypted files; they look for previous versions of encrypted files and try to recover them.
