How To Remove BTTU ransomware [Virus Removal Guide]

BTTU ransomware infects programs solely to encrypt all recordsdata saved in them

BTTU ransomware is a malicious laptop virus that belongs to the STOP/DJVU ransomware household. It has already contaminated many computer systems worldwide. This malware is recognizable from the .bttu extension that it appends to encrypted recordsdata. For instance, recordsdata initially named 1.jpg or 2.txt will seem as 1.jpg.bttu and a couple of.docx.bttu after the malware impacts them. There might be no method to open these recordsdata. Victims will even discover out that the ransomware has dropped _readme.txt recordsdata in each laptop folder – these recordsdata are broadly generally known as “ransom notes.”

What really occurs throughout a ransomware assault is that the malware encrypts all recordsdata, creates ransom-demanding notes, deletes Quantity Shadow Copies, it might additionally disable a set of varied lively processes in order that it may encrypt related recordsdata efficiently. The purpose of the malicious software program is to make information that’s vital for the pc person inaccessible, after which demand ransom. The crooks promise to supply BTTU file decryption software as quickly because the sufferer pays the ransom. That is nothing else however pure extortion.

Threatening message left in _readme.txt observe

The message supplied within the _readme.txt ransom observe explains that varied information sorts had been encrypted, and to be able to regain entry to them, the sufferer has to pay a ransom for the discharge of decryption software and personal key. The observe specifies that those that contact the criminals inside 72 hours ranging from the an infection timestamp might be eligible for a 50% low cost and might be requested to pay $490, and people who don’t squeeze within the given timeframe might be requested to pay the total quantity ($980).

The ransom observe additionally specifies that if the sufferer desires to check the decryption service, one can ship one encrypted file to the attackers by way of e-mail and likewise embrace the Private ID supplied within the _readme.txt file.

As well as, the criminals will later specify that they solely settle for funds made in cryptocurrency, as this provides them anonymity. Of their e-mail reply, they are going to specify how the sufferer should purchase cryptocurrency (similar to Bitcoin) equal the quantity in {dollars} and tips on how to switch it to the attackers.

Needless to say it’s best to keep on with the suggestions of cybersecurity specialists and regulation enforcement businesses similar to FBI and refuse to pay a ransom. The latter has launched official suggestions for ransomware victims that recommend paying the ransom doesn’t assure information restoration, apart from, it fuels the ransomware cycle, which signifies that the more cash the criminals acquire, the larger assaults they will arrange sooner or later.

BTTU ransomware drops money-demanding note called _readme.txt

Sadly, not each element in regards to the ransomware assault is defined within the ransom observe. The attackers conceal the truth that the malware didn’t arrive alone, however dragged some information-stealing Trojans (VIDAR, AZORULT, RedLine) alongside it. These Stealers can seize delicate information together with passwords, cookies, looking historical past, offline cryptocurrency wallets and different information that may be later used to blackmail the pc person.

Subsequently, every laptop person who has sadly fallen sufferer to the described malware assault ought to rush to take away BTTU ransomware virus proper now. The supplied information on the finish of this text explains how this process might be accomplished securely. When you’re fascinated with our software program suggestions, we advise utilizing INTEGO Antivirus for malware elimination and laptop safety, and likewise you possibly can obtain RESTORO (safe obtain hyperlink) to establish and restore some broken  windows OS recordsdata.

Ransomware Abstract

Title BTTU Ransomware Virus
Sort Ransomware; Crypto-malware; Digital Extortion Virus
Household STOP/DJVU
Encryption kind RSA 2048 + Salsa20
Earlier variations MATU, MAOS, BTNW, ZATP, UYIT, MBTF, MPPN (discover full record right here)
Model 619th
Extension .bttu
Cybercriminal emails [email protected] and [email protected]
Extra malware dropped Azorult or Vidar Trojan
Harm The ransomware makes use of encryption to maliciously modify all recordsdata on the PC and marks their unique names with .bttu extension. Ransom notes referred to as as _readme.txt might be dropped in each laptop folder. This piece of malware normally drags VIDAR Stealer alongside it and likewise eliminates VSS from the system. On prime of that, it tends to change  windows HOSTS file to limit laptop person’s entry to cybersecurity-related web sites on-line.
Ransom observe _readme.txt
Ransom demand $490-$980 in Bitcoin
Distribution Victims usually obtain this ransomware alongside unlawful torrent downloads, cracked software program, activators, key mills or instruments like KMSPico.
Identified software program cracks to include this malware Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Web Obtain Supervisor, Tally, League of Legends.
Detection names Trojan:Win32/Azorult.FW!MTB (Microsoft), Gen:Heur.Mint.Zard.52 (B) (Emsisoft), HEUR:Trojan.Win32.Scarsi.gen (Kaspersky), Gen:Heur.Mint.Zard.52 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection identify variations on VirusTotal
Elimination Take away ransomware and associated malware out of your PC utilizing reliable software program like INTEGO Antivirus. To restore virus harm on  windows OS recordsdata, obtain and check out RESTORO (safe obtain hyperlink).
Intego Antivirus for Windows

Intego Antivirus for windows

Award-winning antivirus resolution on your PC.

Strong safety software program that gives sturdy 24/7 real-time safety, Net Defend that stops on-line threats/malicious downloads, and Prevention engine that wards off Zero-Day threats. Preserve your PC protected and guarded in opposition to ransomware, Trojans, viruses, adware and different types of harmful applications.

BTTU virus encrypts data on infected computer

The way to keep away from ransomware assaults?

Ransomware, like different styles of malware, is often distributed by unlawful on-line downloads, phishing emails containing attachments, pretend software program replace advertisements, or drive-by-downloads. We’ll undergo every of those and shortly clarify how one can forestall some of these assaults.

  • Unlawful on-line downloads. Cybercriminals behind STOP/DJVU variants like BTTU ransomware virus primarily use rogue web sites to unfold malicious code in disguise of cracked software program installers. Within the actuality, the downloaded file is just an executable in a password-protected archive that acts like a malware loader. Customers ought to solely select reputable sources to obtain software program from to be able to entry real and safe variations.
  • Phishing emails. Pc customers must be very cautious about issues they click on or recordsdata they open, particularly if these are despatched by an unsolicited occasion by way of e-mail. Cybercriminals usually faux to be somebody they’re not, so they could attempt to act like they’re writing on behalf of a sure firm, on-line store or parcel supply enterprise. Such phishing emails are usually complimented with malicious attachments that include dangerous code. Our recommendation is to rigorously examine every e-mail and search for warning indicators similar to pressing tone, generic greeting line or suspicious sender’s e-mail tackle. When you’re satisfied to obtain the attachments, scan them with antivirus earlier than opening them.
  • Faux software program replace advertisements. Pc customers ought to be taught to establish pretend on-line advertisements aggressively promoting software program replace instruments or doubtlessly undesirable software program. These advertisements normally pop-up in new window or browser tab when looking low fame web sites, similar to torrent listings or film streaming web sites that present content material fairly illegally.
  • These advertisements normally declare that the person’s laptop is in danger resulting from lacking updates or viruses discovered on the system, and urges to obtain marketed recordsdata. At any time when such advert pops up, we suggest to shut it and as a substitute test for software program updates on reputable and official web site. When you do click on and obtain one thing from such advert or a pretend safety alerts, such occasion might be described as approved drive-by-download with out realisation of the implications.
  • Unauthorized Drive-by-downloads. Drive-by-download assaults are based mostly on unintentional obtain of malicious code, and normally occur with out person’s data or interplay. Such assaults normally goal software program, working system or app vulnerabilities to ship malware. You will need to allow computerized software program and working system updates to forestall cybercriminals from utilizing vulnerability exploits.

Most significantly, it is very important hold your laptop protected with a sturdy antivirus always.


Take away BTTU Ransomware Virus and Restore Your Information

The final recommendation for victims of the described malware is to take away BTTU ransomware virus and not using a delay. Working an computerized laptop virus elimination software program is advisable, however this process must be achieved after booting the pc into Protected Mode with Networking. Our group’s prime decide is INTEGO Antivirus, which we’ve extensively reviewed right here. Moreover, you possibly can attempt to obtain RESTORO for virus harm restore on  windows OS recordsdata.

Afterward, don’t forget to vary your passwords used on the compromised laptop as a result of potential info theft inflicted by Trojans that accompany this ransomware.


Our group recommends a two-step rescue plan to take away ransomware and different remaining malware out of your laptop, plus restore prompted virus harm to the system:


Get INTEGO ANTIVIRUS for  windows to take away ransomware, Trojans, adware and different adware and malware variants and shield your PC and community drives 24/7. This VB100-certified safety software program makes use of state-of-art expertise to supply safety in opposition to ransomware, Zero-Day assaults and superior threats, Intego Net Defend blocks harmful web sites, phishing assaults, malicious downloads and set up of doubtless undesirable applications.

Use INTEGO Antivirus to take away detected threats out of your laptop.

Learn full evaluation right here.


RESTORO gives a free scan that helps to establish {hardware}, safety and stability points and presents a complete report which might help you to find and repair detected points manually. It’s a nice PC restore software program to make use of after you take away malware with skilled antivirus. The complete model of software program will repair detected points and restore virus harm prompted to your  windows OS recordsdata robotically.

RESTORO makes use of AVIRA scanning engine to detect current adware and malware. If any are discovered, the software program will get rid of them.

Learn full evaluation right here. editors choose really useful merchandise based mostly on their effectiveness. We could earn a fee from affiliate hyperlinks, at no further value to you. Study extra.

BTTU Ransomware Virus Elimination Tips

Technique 1. Enter Protected Mode with Networking

Step 1. Begin  windows in Protected Mode with Networking

Earlier than you attempt to take away BTTU Ransomware Virus virus, you should begin your laptop in Protected Mode with Networking. Beneath, we offer the best methods in addition PC within the mentioned mode, however you’ll find further ones on this in-depth tutorial on our web site – The way to Begin  windows in Protected Mode. Additionally, in the event you desire a video model of the tutorial, test our information The way to Begin  windows in Protected Mode on Youtube.

Directions for windows XP/Vista/7 customers

  1. To start with, flip off your PC. Then press the Energy button to start out it once more and immediately begin urgent F8 button in your keyboard repeatedly in 1-second intervals. This launches the Superior Boot Choices menu.
  2. Use arrow keys on the keyboard to navigate all the way down to Protected Mode with Networking choice and press Enter.
    Remove ransomware using Safe Mode with Networking

Directions for windows 8/8.1/10/11 customers

  1. Open  windows Begin menu, then press down the Energy button. In your keyboard, press down and maintain the Shift key, after which choose Restart choice.Hold Shift and click Restart to enter Windows Troubleshooting menu
  2. It will take you to windows Troubleshoot display screen. Select Troubleshoot > Superior Choices > Startup Settings > Restart. Tip: If you cannot discover Startup Settings, click on See extra restoration choices.Tutorial on how to enable Safe Mode in Windows 10,8,8.1
  3. In Startup Settings, press the best key between F1-F9 to enter Protected Mode with Networking. On this case, it’s the F5 key.Choose Windows Safe Mode type by pressing the right function key
Step 2. Take away recordsdata related to the virus

Now, you possibly can seek for and take away BTTU Ransomware Virus recordsdata. It is rather arduous to establish recordsdata and registry keys that belong to the ransomware virus, In addition to, malware creators are likely to rename and alter them repeatedly. Subsequently, the best method to uninstall such kind of a pc virus is to make use of a dependable safety program similar to INTEGO Antivirus. For virus harm restore, think about using RESTORO.

Particular Provide

RESTORO is a singular PC Restore Device which comes with an in-built Avira scan engine to detect and take away adware/malware threats and makes use of a patented expertise to restore virus harm. The software program can restore broken, lacking or malfunctioning windows OS recordsdata, corrupted DLLs, and extra. The free model gives a scan that detects points. To repair them, license key for the total software program model should be bought.

Technique 2. Use System Restore

With a purpose to use System Restore, you should have a system restore level, created both manually or robotically.

Step 1. Boot windows in Protected Mode with Command Immediate

Directions for windows XP/Vista/7 customers

  1. Shut down your PC. Begin it once more by urgent the Energy button and immediately begin urgent F8 button in your keyboard repeatedly in 1-second intervals. You will notice Superior Boot Choices menu.
  2. Utilizing arrow keys on the keyboard, navigate all the way down to Protected Mode with Command Immediate choice and press Enter.
    Starting Windows in Safe Mode with Command Prompt

Directions for windows 8/8.1/10/11 customers

  1. Launch windows Begin menu, then click on the Energy button. In your keyboard, press down and maintain the Shift key, after which select Restart choice with the mouse cursor.Hold Shift and click Restart to enter Windows Troubleshooting menu
  2. It will take you to windows Troubleshoot display screen. Select Troubleshoot > Superior Choices > Startup Settings > Restart. Tip: If you cannot discover Startup Settings, click on See extra restoration choices.Tutorial on how to enable Safe Mode in Windows 10,8,7
  3. In Startup Settings, press the best key between F1-F9 to enter Protected Mode with Command Immediate. On this case, press F6 key.Choose Windows Safe Mode type by pressing the right function key
Step 2. Begin System Restore course of
  1. Wait till system hundreds and command immediate exhibits up.
  2. Sort cd restore and press Enter, then kind rstrui.exe and press Enter. Or you possibly can simply kind %systemrootpercentsystem32restorerstrui.exe in command immediate and hit Enter.
    Start system restore from command prompt using these commands
  3. This launches System Restore window. Click on Subsequent after which select a System Restore level created up to now. Select one which was created earlier than ransomware an infection.Choose system restore point created before ransomware infection
  4. Click on Sure to start the system restoration course of.

After restoring the system, we suggest scanning the system with antivirus or anti-malware software program. Typically, there will not be any malware stays, nevertheless it by no means hurts to double-check. As well as, we extremely suggest checking ransomware prevention pointers supplied by our specialists to be able to shield your PC in opposition to related viruses sooner or later.

Different software program suggestions

Malwarebytes Anti-Malware

Eradicating adware and malware is one step in the direction of cybersecurity. To guard your self in opposition to ever-evolving threats, we strongly suggest buying a Premium model of Malwarebytes Anti-Malware, which gives safety based mostly on synthetic intelligence and machine studying. Contains ransomware safety. See pricing choices and shield your self now.

get malwarebytes premium

System Mechanic Final Protection

When you’re in search of an all-in-one system upkeep suite that has 7 core parts offering highly effective real-time safety, on-demand malware elimination, system optimization, information restoration, password supervisor, on-line privateness safety and safe driver wiping expertise. Subsequently, resulting from its wide-range of capabilities, System Mechanic Final Protection deserves Geek’s Recommendation approval. Get it now for 50% off. You might also be fascinated with its full evaluation.

Disclaimer. This web site contains affiliate hyperlinks. We could earn a small fee by recommending sure merchandise, at no further value for you. We solely select high quality software program and providers to suggest.

Decrypt BTTU recordsdata

Repair and open giant BTTU recordsdata simply:

It’s reported that STOP/DJVU ransomware variations encrypt solely the start 150 KB of every file to make sure that the virus manages to have an effect on all recordsdata on the system. In some instances, the trojan horse may skip some recordsdata in any respect. That mentioned, we suggest testing this methodology on a number of large (>1GB) recordsdata first.

  1. Create a replica of encrypted file to a separate folder utilizing Copy > Paste instructions.
  2. Now, right-click the created copy and select Rename. Choose the BTTU extension and delete it. Press Enter to avoid wasting adjustments.
  3. Within the immediate asking whether or not you wish to make the adjustments as file may turn out to be unusable, click on OK.
  4. Attempt opening the file.

STOP/DJVU decryption software utilization information

STOP/DJVU ransomware variations are grouped into previous and new variants. BTTU Ransomware Virus is taken into account the brand new STOP/DJVU variant, identical to MATU, MAOS, BTNW, ZATP, UYIT, MBTF, MPPN (discover full record right here). This implies full information decryption is now attainable solely when you have been affected by offline encryption key. To decrypt your recordsdata, you’ll have to obtain Emsisoft Decryptor for STOP DJVU, a software created and maintained by a genius safety researcher Michael Gillespie.

Word! Please don’t spam the safety researcher with questions whether or not he can recuperate your recordsdata encrypted with on-line key – it isn’t attainable.

With a purpose to check the software and see if it may possibly decrypt BTTU recordsdata, comply with the given tutorial.

  1. Obtain the decryption software from Emsisoft.
  2. Click on the little arrow subsequent to your obtain and select Present in Folder.
    show emsisoft decryptor for stop djvu in folder
  3. Now, right-click the file and select Run as Administrator. If requested, enter administrator’s password.
    run stop djvu decryptor as administrator
  4. In UAC window, click on Sure.
  5. Click on Sure to conform to software program phrases in each home windows.
    agree to emsisoft stop djvu decryptor terms
  6. The software will robotically embrace C:// disk as a location to decrypt. The file restoration software will prepopulate the areas to scan, together with linked information storage drives or community drives. Click on Add folder in the event you want to add further areas.
    In Choices tab, you possibly can select to maintain encrypted file copies. We suggest leaving this selection chosen, particularly in the event you have no idea if the decryption software will work.
    add folders to decrypt
  7. Click on Decrypt to start out restoring BTTU recordsdata. You will notice the progress within the Outcomes tab. Right here, you possibly can see messages from the software, similar to whether or not the decryption process is profitable, or it’s essential anticipate an replace.
    You may also learn that on-line key was used to encrypt your recordsdata. In such case, the decryption software will not be just right for you, and the one method to recuperate your recordsdata is to make use of an information backup.
    decrypt files locked by offline encryption by stop/djvu ransomware variants

Meanings of decryptor’s messages

The BTTU decryption software may show a number of completely different messages after failed try to revive your recordsdata. You may obtain one of many following messages:

Error: Unable to decrypt file with ID: [example ID]

This message usually signifies that there isn’t any corresponding decryption key within the decryptor’s database.

No key for New Variant on-line ID: [example ID]
Discover: this ID seems to be an internet ID, decryption is inconceivable

This message informs that your recordsdata had been encrypted with on-line key, that means nobody else has the identical encryption/decryption key pair, subsequently information restoration with out paying the criminals is inconceivable.

Consequence: No key for brand new variant offline ID: [example ID]
This ID seems to be an offline ID. Decryption could also be attainable sooner or later.

When you had been knowledgeable that an offline key was used, however recordsdata couldn’t be restored, it signifies that the offline decryption key is not out there but. Nonetheless, receiving this message is extraordinarily excellent news, that means that it is perhaps attainable to revive your BTTU extension recordsdata sooner or later.

It could actually take just a few months till the decryption key will get discovered and uploaded to the decryptor. We suggest you to comply with updates relating to the decryptable DJVU variations right here. We strongly suggest backing up your encrypted information and ready.

Report Web crime to authorized departments

Victims of BTTU Ransomware Virus ought to report the Web crime incident to the official authorities fraud and rip-off web site based on their nation:

If you cannot discover an authority akin to your location on this record, we suggest utilizing any search engine to search for “[your country name] report cyber crime”. This could lead you to the best authority web site. We additionally suggest staying away from third-party crime report providers which are usually paid. It prices nothing to report Web crime to official authorities.

One other suggestion is to contact your nation’s or area’s federal police or communications authority.

Ceaselessly Requested Questions

✓ How can I open .BTTU recordsdata?

You’ll be able to solely open BTTU recordsdata when you have the decryption key, or in the event you had been affected by offline encryption kind.

✓ How do I do know if my recordsdata had been encrypted with offline or on-line encryption?

To determine whether or not you had been affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string within it ends in t1. You may as well attempt utilizing Emsisoft Decryptor for STOP/DJVU.

✓ My recordsdata include essential info (household recollections). Each software I used says it’s inconceivable to decrypt. What ought to I do?

Please comply with the guidances supplied by the official BTTU decryption instruments and imagine what they are saying. If they are saying it’s inconceivable to decrypt, it truly is so. There isn’t a magic software or human able to decrypting your recordsdata hiding someplace. Encryption is a method created to be practically inconceivable to decrypt and not using a particular personal key (held by the criminals).

✓ I’m afraid virus remains to be in my laptop system. What ought to I do?

We advise scanning with anti-virus, anti-malware, malware elimination instruments or software program like RESTORO to get rid of virus harm on the system. If you don’t belief utilizing a single software, attempt working one after one other. Nonetheless, we don’t suggest holding a number of safety applications on a pc without delay as they will intervene with one another’s work.

✓ I noticed a number of Youtube movies suggesting secret decryption instruments. Can I belief them?

Beware of faux BTTU decryption instruments circulating across the internet. Cyber criminals are importing them to numerous shady web sites, additionally is perhaps selling them by way of suspicious Youtube movies. These applications can infect your laptop much more closely (Trojans, miners, and so on.). We advise being extraordinarily cautious across the internet. If there might be an official STOP/DJVU decryption software out there, will probably be broadly mentioned in public media.