Take away BTOS Ransomware Virus (DECRYPT .btos FILES)

BTOS ransomware reemerges in 2022 to assault pc customers once more

BTOS ransomware is file-encrypting virus designed to contaminate Home windows-running computer systems. This ransomware encrypts recordsdata utilizing military-grade encryption and marks them with .btos file extensions. First emerged in 2020, it seemed to be the 202nd model of STOP/DJVU virus, though in December 2022, cybercriminals launched 618th variant utilizing the identical extension. After encrypting all information, the virus creates a ransom be aware named as _readme.txt, which instructions the sufferer to contact cybercriminals through offered e mail addresses. The virus seeks to extort the sufferer and obtain a ransom price $490 or $980 in Bitcoin.

BTOS virus makes use of a robust file encryption algorithm to make information inaccessible to the sufferer. The purpose of encryption is to safe information in order that solely the actual particular person may see it. The malware additionally renames the recordsdata as defined within the following instance: 1.jpg turns into 1.jpg.btos, 2.docx turns into 2.docx.btos and so forth.

To decrypt such encrypted file, a non-public decryption key’s required, which is held by the cybercriminals. Sadly, it’s inaccessible to the victims or cybersecurity researchers. Making an attempt to crack it could take years, so it’s out of the query. 

The described STOP/DJVU variant enters the system alongside unlawful on-line downloads and begins encrypting private recordsdata immediately. It should be famous that the ransomware encrypts the primary 150KB of recordsdata, including 334 bytes to the unique file measurement as a result of utilization of RSA-encrypted key, sufferer’s ID and filemarker. In the course of the information corruption process, the virus leaves _readme.txt notes in every folder containing the recordsdata. Lastly, the malware deletes system restore factors which are sometimes the sufferer’s final resort on the subject of information restoration.

What’s even worse, BTOS virus tends to put in password-stealing Trojans corresponding to Azorult or VIDAR on the system. Due to this fact, you probably have been attacked by this DJVU variant, contemplate your whole passwords stolen. You will need to get rid of the malware out of your system and alter your passwords then.

One of the simplest ways to take away BTOS ransomware virus is in Secure Mode with Networking, so please soar to directions offered beneath the article to perform this process. We suggest utilizing INTEGO Antivirus for help with malware removing. Talking of repairing broken Home windows OS recordsdata, obtain RESTORO for the duty.

Ransomware Abstract

Title BTOS Ransomware Virus
Kind Ransomware; Crypto-malware; Digital Extortion Virus
Household STOP/DJVU
Encryption kind RSA 2048 + Salsa20
Earlier variations MATU, MAOS, BTNW, ZATP, UYIT, MBTF, MPPN (discover full record right here)
Model 202nd and 618th
Extension .btos
Cybercriminal emails [email protected] and [email protected] (2020 variant) or h[email protected] and [email protected] (2022 variant)
Further malware dropped Azorult or Vidar Trojan
Injury The ransomware makes use of encryption to maliciously modify all recordsdata on the PC and marks their authentic names with .btos extension. Ransom notes known as as _readme.txt might be dropped in each pc folder. This piece of malware normally drags VIDAR Stealer alongside it and likewise eliminates VSS from the system. On prime of that, it tends to switch Home windows HOSTS file to limit pc person’s entry to cybersecurity-related web sites on-line.
Ransom be aware _readme.txt
Ransom demand $490-$980 in Bitcoin
Distribution Victims usually obtain this ransomware alongside unlawful torrent downloads, cracked software program, activators, key mills or instruments like KMSPico.
Recognized software program cracks to include this malware Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Web Obtain Supervisor, Tally, League of Legends.
Detection names Trojan:Win32/Azorult.FW!MTB (Microsoft), Gen:Heur.Mint.Zard.52 (B) (Emsisoft), HEUR:Trojan.Win32.Scarsi.gen (Kaspersky), Gen:Heur.Mint.Zard.52 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection identify variations on VirusTotal
Elimination Take away ransomware and associated malware out of your PC utilizing reliable software program like INTEGO Antivirus. To restore virus injury on Home windows OS recordsdata, obtain and take a look at RESTORO (safe obtain hyperlink).
Intego Antivirus for Windows

Intego Antivirus for Home windows

Award-winning antivirus answer on your PC.

Sturdy safety software program that gives sturdy 24/7 real-time safety, Internet Defend that stops on-line threats/malicious downloads, and Prevention engine that wards off Zero-Day threats. Preserve your PC secure and guarded towards ransomware, Trojans, viruses, spyware and adware and different types of harmful applications.

Ransom calls for acknowledged within the be aware

BTOS file virus creates _readme.txt be aware to tell the sufferer in regards to the cyberattack and state the additional steps the sufferer should take if he/she desires to revive the info at some point. In keeping with the ransom be aware, all paperwork, databases and different recordsdata have been encrypted, and the one methodology to recuperate them is to pay the ransom.

The attackers recommend proving their skills to recuperate information – the sufferer can ship one small file for decryption. The additional directions on fee will be acquired by contacting the attackers through offered emails: [email protected] or [email protected] (2020 model of this file extension malware) or [email protected] and [email protected] (2022 variant).

contents of ransom note (_readme.txt) dropped by 2022 BTOS ransomware virus version

Knowledge restoration is feasible if encrypted with an offline key

In the course of the information encryption, the described virus first makes an attempt to determine a reference to its Command & Management server. Such a step is required to acquire particular person ONLINE encryption keys for every sufferer. Nonetheless, if the connection fails, the virus then makes use of a hardcoded OFFLINE encryption key to deprave information.

The offline key’s an identical for all variations of BTOS extension virus. As soon as somebody encrypted with offline key pays a ransom, the important thing then can be utilized by all victims of offline encryption. Due to this fact, we recommend you to maintain checking for updates on this STOP/DJVU decryption information.

files encrypted by btos ransomware virus
Recordsdata encrypted by this DJVU virus model may have .btos extensions appended to their filenames.

You’ll be able to test whether or not you’re topic to the offline encryption this fashion: 

  1. Go to C:/SystemID/PersonalID.txt.
  2. Right here, test the ending symbols of the ID or IDs saved right here. If any of them ends in t1, it’s an indicator of an offline encryption. All different circumstances imply on-line encryption.

DJVU distribution depends on unlawful downloads

On the whole, STOP/DJVU variants are primarily distributed by means of unlawful on-line downloads that cybercriminals current as software program cracks, films and different copyright-protected content material. Laptop customers keen to keep away from BTOS ransomware assault ought to keep away from the next:

  • Software program cracks;
  • Software program license keygens;
  • Unlawful peer-to-peer downloads;
  • Suspicious adware;
  • Different shady recordsdata.

The STOP ransomware household variants corresponding to MAOS, MPPN, MATU, or others are well-known to be included in malicious downloads corresponding to KMSPico, so ensure you resist the temptation to put in paid software program totally free. The danger of dropping your whole information could be very excessive. 

One other generally used ransomware distribution methodology is malicious e mail spam containing attachments. The criminals search to persuade the goal to launch e mail attachments that include some dangerous code. This code is then used to obtain the malware from an exterior supply and run it on the system.

Due to this fact, pc customers ought to keep vigilant and examine each e mail for crimson flags that inform the sender’s intentions are malevolent, corresponding to: pressing message tone, grammar errors, generic greeting line, corresponding to Pricey buyer/Valued shopper, spoofed sender’s e mail tackle, low-quality logos and pictures.

Take away BTOS ransomware virus successfully

You will need to take away BTOS ransomware virus together with password-stealing Trojans it has put in in your pc. Profitable elimination of the ransomware and its stays is crucial when reacting to any such cyberattack.

Following a BTOS virus removing, you must substitute your whole passwords. For the reason that password-stealing Trojans are inclined to steal them from browser’s reminiscence, attempt altering these passwords first. In relation to .btos information restoration, test on your information backups, as that is the one method of restoring information corrupted by this virus variant now.


Our staff recommends a two-step rescue plan to take away ransomware and different remaining malware out of your pc, plus restore induced virus injury to the system:


Get INTEGO ANTIVIRUS for Home windows to take away ransomware, Trojans, adware and different spyware and adware and malware variants and defend your PC and community drives 24/7. This VB100-certified safety software program makes use of state-of-art know-how to offer safety towards ransomware, Zero-Day assaults and superior threats, Intego Internet Defend blocks harmful web sites, phishing assaults, malicious downloads and set up of doubtless undesirable applications.

Use INTEGO Antivirus to take away detected threats out of your pc.

Learn full assessment right here.


RESTORO supplies a free scan that helps to determine {hardware}, safety and stability points and presents a complete report which may help you to find and repair detected points manually. It’s a nice PC restore software program to make use of after you take away malware with skilled antivirus. The total model of software program will repair detected points and restore virus injury induced to your Home windows OS recordsdata robotically.

RESTORO makes use of AVIRA scanning engine to detect current spyware and adware and malware. If any are discovered, the software program will get rid of them.

Learn full assessment right here.

GeeksAdvice.com editors choose really helpful merchandise primarily based on their effectiveness. We might earn a fee from affiliate hyperlinks, at no extra price to you. Be taught extra.

BTOS Ransomware Virus Elimination Pointers

Methodology 1. Enter Secure Mode with Networking

Step 1. Begin Home windows in Secure Mode with Networking

Earlier than you attempt to take away BTOS Ransomware Virus virus, you could begin your pc in Secure Mode with Networking. Beneath, we offer the best methods as well PC within the stated mode, however you will discover extra ones on this in-depth tutorial on our web site – Learn how to Begin Home windows in Secure Mode. Additionally, in case you choose a video model of the tutorial, test our information Learn how to Begin Home windows in Secure Mode on Youtube.

Directions for Home windows XP/Vista/7 customers

  1. Initially, flip off your PC. Then press the Energy button to begin it once more and immediately begin urgent F8 button in your keyboard repeatedly in 1-second intervals. This launches the Superior Boot Choices menu.
  2. Use arrow keys on the keyboard to navigate right down to Secure Mode with Networking possibility and press Enter.
    Remove ransomware using Safe Mode with Networking

Directions for Home windows 8/8.1/10/11 customers

  1. Open Home windows Begin menu, then press down the Energy button. In your keyboard, press down and maintain the Shift key, after which choose Restart possibility.Hold Shift and click Restart to enter Windows Troubleshooting menu
  2. This can take you to Home windows Troubleshoot display screen. Select Troubleshoot > Superior Choices > Startup Settings > Restart. Tip: If you cannot discover Startup Settings, click on See extra restoration choices.Tutorial on how to enable Safe Mode in Windows 10,8,8.1
  3. In Startup Settings, press the appropriate key between F1-F9 to enter Secure Mode with Networking. On this case, it’s the F5 key.Choose Windows Safe Mode type by pressing the right function key
Step 2. Take away recordsdata related to the virus

Now, you may seek for and take away BTOS Ransomware Virus recordsdata. It is extremely onerous to determine recordsdata and registry keys that belong to the ransomware virus, In addition to, malware creators are inclined to rename and alter them repeatedly. Due to this fact, the best method to uninstall such kind of a pc virus is to make use of a dependable safety program corresponding to INTEGO Antivirus. For virus injury restore, think about using RESTORO.

Particular Provide

RESTORO is a novel PC Restore Software which comes with an in-built Avira scan engine to detect and take away spyware and adware/malware threats and makes use of a patented know-how to restore virus injury. The software program can restore broken, lacking or malfunctioning Home windows OS recordsdata, corrupted DLLs, and extra. The free model affords a scan that detects points. To repair them, license key for the total software program model should be bought.

Methodology 2. Use System Restore

As a way to use System Restore, you could have a system restore level, created both manually or robotically.

Step 1. Boot Home windows in Secure Mode with Command Immediate

Directions for Home windows XP/Vista/7 customers

  1. Shut down your PC. Begin it once more by urgent the Energy button and immediately begin urgent F8 button in your keyboard repeatedly in 1-second intervals. You will note Superior Boot Choices menu.
  2. Utilizing arrow keys on the keyboard, navigate right down to Secure Mode with Command Immediate possibility and press Enter.
    Starting Windows in Safe Mode with Command Prompt

Directions for Home windows 8/8.1/10/11 customers

  1. Launch Home windows Begin menu, then click on the Energy button. In your keyboard, press down and maintain the Shift key, after which select Restart possibility with the mouse cursor.Hold Shift and click Restart to enter Windows Troubleshooting menu
  2. This can take you to Home windows Troubleshoot display screen. Select Troubleshoot > Superior Choices > Startup Settings > Restart. Tip: If you cannot discover Startup Settings, click on See extra restoration choices.Tutorial on how to enable Safe Mode in Windows 10,8,7
  3. In Startup Settings, press the appropriate key between F1-F9 to enter Secure Mode with Command Immediate. On this case, press F6 key.Choose Windows Safe Mode type by pressing the right function key
Step 2. Begin System Restore course of
  1. Wait till system masses and command immediate reveals up.
  2. Kind cd restore and press Enter, then kind rstrui.exe and press Enter. Or you may simply kind %systemrootpercentsystem32restorerstrui.exe in command immediate and hit Enter.
    Start system restore from command prompt using these commands
  3. This launches System Restore window. Click on Subsequent after which select a System Restore level created previously. Select one which was created earlier than ransomware an infection.Choose system restore point created before ransomware infection
  4. Click on Sure to start the system restoration course of.

After restoring the system, we suggest scanning the system with antivirus or anti-malware software program. Usually, there will not be any malware stays, but it surely by no means hurts to double-check. As well as, we extremely suggest checking ransomware prevention pointers offered by our consultants with the intention to defend your PC towards comparable viruses sooner or later.

Various software program suggestions

Malwarebytes Anti-Malware

Eradicating spyware and adware and malware is one step in the direction of cybersecurity. To guard your self towards ever-evolving threats, we strongly suggest buying a Premium model of Malwarebytes Anti-Malware, which supplies safety primarily based on synthetic intelligence and machine studying. Contains ransomware safety. See pricing choices and defend your self now.

get malwarebytes premium

System Mechanic Final Protection

For those who’re in search of an all-in-one system upkeep suite that has 7 core elements offering highly effective real-time safety, on-demand malware removing, system optimization, information restoration, password supervisor, on-line privateness safety and safe driver wiping know-how. Due to this fact, as a result of its wide-range of capabilities, System Mechanic Final Protection deserves Geek’s Recommendation approval. Get it now for 50% off. You might also be excited about its full assessment.

Disclaimer. This web site consists of affiliate hyperlinks. We might earn a small fee by recommending sure merchandise, at no extra price for you. We solely select high quality software program and companies to suggest.

Decrypt BTOS recordsdata

Repair and open massive BTOS recordsdata simply:

It’s reported that STOP/DJVU ransomware variations encrypt solely the start 150 KB of every file to make sure that the virus manages to have an effect on all recordsdata on the system. In some circumstances, the computer virus would possibly skip some recordsdata in any respect. That stated, we suggest testing this methodology on a number of large (>1GB) recordsdata first.

  1. Create a duplicate of encrypted file to a separate folder utilizing Copy > Paste instructions.
  2. Now, right-click the created copy and select Rename. Choose the BTOS extension and delete it. Press Enter to avoid wasting adjustments.
  3. Within the immediate asking whether or not you need to make the adjustments as file would possibly develop into unusable, click on OK.
  4. Strive opening the file.

STOP/DJVU decryption instrument utilization information

STOP/DJVU ransomware variations are grouped into outdated and new variants. BTOS Ransomware Virus is taken into account the brand new STOP/DJVU variant, similar to MATU, MAOS, BTNW, ZATP, UYIT, MBTF, MPPN (discover full record right here). This implies full information decryption is now attainable solely you probably have been affected by offline encryption key. To decrypt your recordsdata, you’ll have to obtain Emsisoft Decryptor for STOP DJVU, a instrument created and maintained by a genius safety researcher Michael Gillespie.

Observe! Please don’t spam the safety researcher with questions whether or not he can recuperate your recordsdata encrypted with on-line key – it isn’t attainable.

As a way to check the instrument and see if it will possibly decrypt BTOS recordsdata, observe the given tutorial.

  1. Obtain the decryption instrument from Emsisoft.
  2. Click on the little arrow subsequent to your obtain and select Present in Folder.
    show emsisoft decryptor for stop djvu in folder
  3. Now, right-click the file and select Run as Administrator. If requested, enter administrator’s password.
    run stop djvu decryptor as administrator
  4. In UAC window, click on Sure.
  5. Click on Sure to comply with software program phrases in each home windows.
    agree to emsisoft stop djvu decryptor terms
  6. The instrument will robotically embody C:// disk as a location to decrypt. The file restoration instrument will prepopulate the places to scan, together with linked information storage drives or community drives. Click on Add folder in case you want to add extra places.
    In Choices tab, you may select to maintain encrypted file copies. We suggest leaving this feature chosen, particularly in case you have no idea if the decryption instrument will work.
    add folders to decrypt
  7. Click on Decrypt to begin restoring BTOS recordsdata. You will note the progress within the Outcomes tab. Right here, you may see messages from the instrument, corresponding to whether or not the decryption process is profitable, or you could look forward to an replace.
    You may additionally learn that on-line key was used to encrypt your recordsdata. In such case, the decryption instrument will not give you the results you want, and the one method to recuperate your recordsdata is to make use of a knowledge backup.
    decrypt files locked by offline encryption by stop/djvu ransomware variants

Meanings of decryptor’s messages

The BTOS decryption instrument would possibly show a number of completely different messages after failed try to revive your recordsdata. You would possibly obtain one of many following messages:

Error: Unable to decrypt file with ID: [example ID]

This message sometimes signifies that there is no such thing as a corresponding decryption key within the decryptor’s database.

No key for New Variant on-line ID: [example ID]
Discover: this ID seems to be a web based ID, decryption is inconceivable

This message informs that your recordsdata had been encrypted with on-line key, that means nobody else has the identical encryption/decryption key pair, due to this fact information restoration with out paying the criminals is inconceivable.

Outcome: No key for brand new variant offline ID: [example ID]
This ID seems to be an offline ID. Decryption could also be attainable sooner or later.

For those who had been knowledgeable that an offline key was used, however recordsdata couldn’t be restored, it signifies that the offline decryption key is not accessible but. Nonetheless, receiving this message is extraordinarily excellent news, that means that it is perhaps attainable to revive your BTOS extension recordsdata sooner or later. It could possibly take just a few months till the decryption key will get discovered and uploaded to the decryptor. We suggest you to observe updates relating to the decryptable DJVU variations right here. We strongly suggest backing up your encrypted information and ready.

Report Web crime to authorized departments

Victims of BTOS Ransomware Virus ought to report the Web crime incident to the official authorities fraud and rip-off web site in response to their nation:

If you cannot discover an authority equivalent to your location on this record, we suggest utilizing any search engine to search for “[your country name] report cyber crime”. This could lead you to the appropriate authority web site. We additionally suggest staying away from third-party crime report companies which are usually paid. It prices nothing to report Web crime to official authorities.

One other suggestion is to contact your nation’s or area’s federal police or communications authority.

Often Requested Questions

✓ How can I open .BTOS recordsdata?

You’ll be able to solely open BTOS recordsdata you probably have the decryption key, or in case you had been affected by offline encryption kind.

✓ How do I do know if my recordsdata had been encrypted with offline or on-line encryption?

To determine whether or not you had been affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string within it ends in t1. It’s also possible to attempt utilizing Emsisoft Decryptor for STOP/DJVU.

✓ My recordsdata include crucial info (household recollections). Each instrument I used says it’s inconceivable to decrypt. What ought to I do?

Please observe the guidances offered by the official BTOS decryption instruments and consider what they are saying. If they are saying it’s inconceivable to decrypt, it truly is so. There is no such thing as a magic instrument or human able to decrypting your recordsdata hiding someplace. Encryption is a method created to be almost inconceivable to decrypt with no particular personal key (held by the criminals).

✓ I’m afraid virus continues to be in my pc system. What ought to I do?

We advise scanning with anti-virus, anti-malware, malware removing instruments or software program like RESTORO to get rid of virus injury on the system. If you don’t belief utilizing a single instrument, attempt operating one after one other. Nonetheless, we don’t suggest conserving a number of safety applications on a pc directly as they’ll intrude with one another’s work.

✓ I noticed a number of Youtube movies suggesting secret decryption instruments. Can I belief them?

Beware of faux BTOS decryption instruments circulating across the internet. Cyber criminals are importing them to varied shady web sites, additionally is perhaps selling them through suspicious Youtube movies. These applications can infect your pc much more closely (Trojans, miners, and many others.). We advise being extraordinarily cautious across the internet. If there might be an official STOP/DJVU decryption instrument accessible, will probably be extensively mentioned in public media.