{
	"id": "c0ecac3b-2322-4136-837c-dad1b6d37ff0",
	"created_at": "2026-04-06T00:14:14.565228Z",
	"updated_at": "2026-04-10T03:21:02.245323Z",
	"deleted_at": null,
	"sha1_hash": "256b49bc482d764faac5e95090a80c6bfb91f046",
	"title": "New Nuclear BTCWare Ransomware Released (Updated)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675520,
	"plain_text": "New Nuclear BTCWare Ransomware Released (Updated)\r\nBy Lawrence Abrams\r\nPublished: 2017-08-28 · Archived: 2026-04-05 17:18:07 UTC\r\nA new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .\r\n[affiliate_email].nuclear extension to encrypted files. The BTCWare family of ransomware is distributed by the developers\r\nhacking into remote computers with weak passwords using Remote Desktop services. Once they are able to gain access to a\r\ncomputer, they will install the ransomware and encrypt the victim's files.\r\nUnfortunately, at this time there is no way to decrypt files encrypted by the Nuclear BTCware Ransomware variant for free.\r\nIf you wish to discuss this ransomware or receive any support, you can use our dedicated Btcware Ransomware Support\r\nTopic. In the past, the developers have released the decryption keys for variants that were no longer in distribution. It\r\nappears they decided to no longer offer this to their victims. We hope they change their mind.\r\nUpdate 8/30/17:\r\nMichael Gillespie discovered that the developers of this variant messed up on the encryption of files greater than 10MB in\r\nfile size and will not be able to decrypt them. It was also discovered that this same behavior was seen with other files of\r\nrandom sizes. Therefore, it is advised that you do not pay the ransom as there is a good chance many of your files not be\r\nable to be decrypted.\r\nhttps://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nWhat's New in the Nuclear Ransomware BTCWare Variant\r\nWhile overall the encryption methods stay the same in this variant, there have been some differences. First and foremost, we\r\nhave a new ransom note with a file name of HELP.hta. This ransom note contains instructions to contact\r\nblack.world@tuta.io for payment information as shown below.\r\nNuclear Ransomware (BTCWare) Ransom Note\r\nThe next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the\r\nransomware, it will modify the filename and then append the .[affiliate_email].nuclear extension to encrypted file's name.\r\nFor example, the current version will encrypt a file called test.jpg and rename it to test.jpg.[black.world@tuta.io].nuclear.\r\nYou can see an example of an encrypted folder below.\r\nFolder of Encrypted nuclear Files\r\nThis variant also uses a different public RSA encryption key that is used to encrypt the victim's AES encryption key. This\r\npublic encryption key is:\r\nhttps://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/\r\nPage 3 of 5\n\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMwl0XpgillW5xCvuTbug+U+bVtZTaS0SRM+gNgaegG9PwsUXsxaqOLBg1zBxUxPcsJvUcQ/SKYWNsA49SIa\r\n-----END PUBLIC KEY-----\r\nIf any new information or methods to decrypt the files becomes available, we will be sure to update this article.\r\n \r\nIOCs\r\nFile Hashes:\r\nSHA256: d5397a05b745f64ab16ff921fb4571e9072b54437080bc9630047465e6b06a41\r\nFilenames associated with the Nuclear Ransomware Variant:\r\nHelp.hta\r\nNuclear BTCWare Ransomware Ransom Note Text:\r\nAll your files have been encrypted!\r\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you\r\nFree decryption as guarantee\r\nBefore paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archiv\r\nHow to obtain Bitcoins\r\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller b\r\nhttps://localbitcoins.com/buy_bitcoins\r\nAlso you can find other places to buy Bitcoins and beginners guide here:\r\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\r\nAttention!\r\nDo not rename encrypted files.\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can b\r\nEmails Associated with the Nuclear Ransomware:\r\nblack.world@tuta.io\r\nBundled Public RSA-1024 Keys:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMwl0XpgillW5xCvuTbug+U+bVtZTaS0SRM+gNgaegG9PwsUXsxaqOLBg1zBxUxPcsJvUcQ/SKYWNsA49SIa\r\n-----END PUBLIC KEY-----\r\nhttps://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/\r\nhttps://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/"
	],
	"report_names": [
		"new-nuclear-btcware-ransomware-released-updated"
	],
	"threat_actors": [],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/256b49bc482d764faac5e95090a80c6bfb91f046.pdf",
		"text": "https://archive.orkl.eu/256b49bc482d764faac5e95090a80c6bfb91f046.txt",
		"img": "https://archive.orkl.eu/256b49bc482d764faac5e95090a80c6bfb91f046.jpg"
	}
}