BTCWare

ransomware, 1 mutex signature

[BASIC_INFORMATION]

FAMILY_NAME:
BTCWare
CATEGORY:
RANSOMWARE
DESCRIPTION:
BTCWare PayDay is a variant of the BTCWare ransomware discovered by security researcher Michael Gillespie. Once it infiltrates a system, it encrypts stored files and appends an extension of the form '.[developer's_email]-id-***.payday' to their filenames. The ransomware opens a browser window displaying the ransom demand and drops a text file ('!! RETURN FILES !!.txt'). It typically demands between $500-$1500 in Bitcoin. The malware uses various email addresses, including variations on the [email protected], [email protected], and [email protected] domains.
ALIASES:
PayDay, PayDay Ransomware
TAGS:
ransomware, file_encryption, bitcoin_payment, email_contact, file_extension_change

[MUTEX_SIGNATURES](1)

[MUTEX_01]
PAYDAYDAYPAY
ANALYST: @adhikara13 DATE: 2025-08-08

[THREAT_INTELLIGENCE]

ATTRIBUTION:
Unknown
FIRST_OBSERVED:
2021

[SIGMA_RULE]

[STATISTICS]

MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:2
TAGS:5
CATEGORY:RANSOMWARE

EvilMutex Project v1.0.0

Open Source Threat Intelligence Database