B2DR – a ransomware-type cyber threat that has been updated in June 2018

B2DR is a file-encrypting virus that uses AES-256 cryptography to lock various files on the targeted computer. This ransomware[1] has a few versions that append can be separated from each other by appended file extension. Currently, malware appends one of four suffixes: .setimichas1971@protonmail.com.b4wq, .bronmerkberpa1976@protonmail.com.b2dr, .reycarnasi1983@protonmail.com.gw3w and .ssananunak1987@protonmail.com.b2fr. When data becomes useless, malware drops either ScrewYou.txt or readme.txt files with shady file recovery possibilities.
| Summary | |
|---|---|
| Name | B2DR |
| Type | Ransomware |
| Danger level | High. Makes system changes, encrypts files |
| Cryptography | AES-256 |
| File extension |
.reycarnasi1983@protonmail.com.gw3w; .bronmerkberpa1976@protonmail.com.b2dr; |
| Ransom note | ScrewYou.txt; readme.txt |
| Distribution method | Malicious spam emails, bogus software downloads, fake update installation, exploit kits. |
| To uninstall B2DR, install FortectIntego and run a full system scan | |
B2DR ransomware seems to be spread via malicious spam email attachments[2]. However, other distribution methods might be applied too. As soon as malware executable is dropped on the system, the virus modifies Windows Registry, installs harmful components and starts scanning the system looking for files to encrypt.

B2DR virus targets commonly used files to cause more damage to the users and urge them to pay the ransom. Malware makes files inaccessible by appending extension. However, the new file extension also has a contact email address – bronmerkberpa1976@protonmail.com.
In the ransom note called readme.txt, authors of B2DR ask to send them an email in order to learn how to get back access to corrupted files:
All your files are encrypted.
Ask how to restore your files by email bronmerkberpa1976@protonmail.com
Use only gmail.com, yahoo.com, protonmail.com.
Messages written from other mail services we can not get.
!!!With any changes to the encrypted files, do not forget to backup files!!!
Your ID: ***
According to malware researchers, crooks offer to decrypt three files smaller than 2MB before paying the demanded sum of money:
Hey. Archive any three files no larger than 2 mb.
Archive upload to http://sendspace.com and send us a link to the archive.
We will decrypt the files. Thank you.
However, security specialists do not recommend playing such games. Having a business with cybercriminals is never a good idea. Therefore, instead of giving your money to evil-minded people, you have to remove B2DR from the PC. Even though this procedure won’t bring back your files, but it ensures that you won’t lose your money.
Cybercriminals may never give you B2DR decryptor, but blackmail you into paying hundreds or even thousands of dollars. Though, these three files might be the only data you might retrieve. However, crooks might threaten to delete or leak personal information in order to get more money from you.
For this reason, you should decrease your loss by eliminating ransomware. After B2DR removal with FortectIntego or other malware elimination software, you can try to recover files using third-party software. There’s still a chance that some of them can be rescued.

Three new variants of B2DR emerged
Security researcher Michael Gillespie[3] discovered the new variant of B2DR ransomware in May 2018. The malware did not change much – even the ransom note name remained the same (Readme.txt). Nevertheless, the virus uses a different extension to encrypt files – .setimichas1971 @ protonmail.com.b4wq. Additionally, the contents of the ransom message vary from the original:
Your files were encrypted with AES-256.
Ask how to restore your files by email setimichas1971@protonmail.com
Use only gmail.com, yahoo.com, protonmail.com. Messages written from other mail services we can not get.
We always respond to messages. If there is no answer within 24 hours, then write us with another email service.
[OR]
If within 24 hours you have not received a response, you need to follow the following instructions:
a) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en
b ) From the TOR browser, follow the link: torbox3uiot6wchz.onion
c) Register your e-mail (the Up Sign)
d) Write us on e-mail: setimichas1971@torbox3uiot6wchz.onion
ATTENTION: e-mail (setimichas1971@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion
################################
Any actions on your part over encrypted files can damage them. Be sure to make backups!
################################
In the message write us this ID:
The size of the ransom is unknown but is most likely between 0.1 and 0.3 BTC. As with the original version, we do not recommend paying cybercrooks, as it can result not only in data but also money loss. Unfortunately, this variant of B2DR is not decryptable as well.

In June 2018, another variant of B2DR ransomware emerged. It uses a new ransom note file “ScrewYou.txt” and a new extension containing the contact email “.reycarnasi1983@protonmail.com.gw3w”. However, cyber criminals still provide the same recovery instructions and urge to pay the ransom. The size of the payment is still unknown, but we do not recommend having business with crooks. It's better to eliminate the virus.
A couple of days later, researchers reported that malware started using .ssananunak1987@protonmail.com.b2fr file extension too. Different than the previous one, this variant provides data recovery instructions in Readme.txt file. Though, the situation remains the same. Victims are asked to contact them and pay the ransom. One more time we want to remind that it's not recommended to do.
Obfuscated email attachments might contain ransomware payload
Ransomware executable usually spreads as obfuscated spam email attachment. The payload might look like Word, PDF, ZIP or other legit file or archive. The letter itself might look like sent from the official organization or popular company. Though, inattentive computer users can be quite easily tricked and let a file-encrypting virus into the system.
However, security specialists from faravirus.ro[4] tell that suspicious emails are not the only way malware might sneak into the device. Malware might also be installed in the following ways:
- clicking malicious ads;
- installing bogus programs or software updates;
- downloading illegal programs, music, movies or other content;
- by exploiting security vulnerabilities.
Instructions for B2DR ransomware elimination
B2DR removal requires employing strong and updated anti-malware tool. However, malware might block security software and prevent simple elimination. The good news is that ransomware can be disabled by booting to Safe Mode with Networking.
Then, you can install FortectIntego, SpyHunterCombo Cleaner, MalwarebytesMalwarebytes or your preferred anti-malware software and remove B2DR automatically. After that, you can use backups or try alternative recovery solutions. You can find our suggestions below.
Was this guide helpful?
Be the first to comment