Severity scale:  
  (98/100)

B2DR ransomware. How to remove? (Uninstall guide)

removal by Gabriel E. Hall - - | Type: Ransomware

B2DR –  a ransomware-type cyber threat that has been updated in June 2018

B2DR ransom note
B2DR is a file-encrypting virus that aims to swindle your money.

B2DR is a file-encrypting virus that uses AES-256 cryptography to lock various files on the targeted computer. This ransomware[1] has a few versions that append can be separated from each other by appended file extension. Currently, malware appends one of four suffixes: .setimichas1971@protonmail.com.b4wq, .bronmerkberpa1976@protonmail.com.b2dr, .reycarnasi1983@protonmail.com.gw3w and .ssananunak1987@protonmail.com.b2fr. When data becomes useless, malware drops either ScrewYou.txt or readme.txt files with shady file recovery possibilities.

Summary
Name B2DR
Type Ransomware
Danger level High. Makes system changes, encrypts files
Cryptography AES-256
File extension

.reycarnasi1983@protonmail.com.gw3w; .bronmerkberpa1976@protonmail.com.b2dr; 
.setimichas1971@protonmail.com.b4wq;
.ssananunak1987@protonmail.com.b2fr.

Ransom note ScrewYou.txt; readme.txt
Distribution method Malicious spam emails, bogus software downloads, fake update installation, exploit kits.
To uninstall B2DR, install Reimage and run a full system scan

B2DR ransomware seems to be spread via malicious spam email attachments[2]. However, other distribution methods might be applied too. As soon as malware executable is dropped on the system, the virus modifies Windows Registry, installs harmful components and starts scanning the system looking for files to encrypt.

B2DR malware
B2DR malware displays ransom note soon after all files are encrypted.

B2DR virus targets commonly used files to cause more damage to the users and urge them to pay the ransom. Malware makes files inaccessible by appending extension. However, the new file extension also has a contact email address – bronmerkberpa1976@protonmail.com.

In the ransom note called readme.txt, authors of B2DR ask to send them an email in order to learn how to get back access to corrupted files:

All your files are encrypted.
Ask how to restore your files by email bronmerkberpa1976@protonmail.com
Use only gmail.com, yahoo.com, protonmail.com.
Messages written from other mail services we can not get.
!!!With any changes to the encrypted files, do not forget to backup files!!!
Your ID: ***

According to malware researchers, crooks offer to decrypt three files smaller than 2MB before paying the demanded sum of money:

Hey. Archive any three files no larger than 2 mb.
Archive upload to http://sendspace.com and send us a link to the archive.
We will decrypt the files. Thank you.

However, security specialists do not recommend playing such games. Having a business with cybercriminals is never a good idea. Therefore, instead of giving your money to evil-minded people, you have to remove B2DR from the PC. Even though this procedure won’t bring back your files, but it ensures that you won’t lose your money.

Cybercriminals may never give you B2DR decryptor, but blackmail you into paying hundreds or even thousands of dollars. Though, these three files might be the only data you might retrieve. However, crooks might threaten to delete or leak personal information in order to get more money from you.

For this reason, you should decrease your loss by eliminating ransomware. After B2DR removal with Reimage or other malware elimination software, you can try to recover files using third-party software. There’s still a chance that some of them can be rescued.

Three new variants of B2DR emerged

Security researcher Michael Gillespie[3] discovered the new variant of B2DR ransomware in May 2018. The malware did not change much – even the ransom note name remained the same (Readme.txt). Nevertheless, the virus uses a different extension to encrypt files – .setimichas1971 @ protonmail.com.b4wq. Additionally, the contents of the ransom message vary from the original:

Your files were encrypted with AES-256. 

Ask how to restore your files by email setimichas1971@protonmail.com

Use only gmail.com, yahoo.com, protonmail.com. Messages written from other mail services we can not get.

We always respond to messages. If there is no answer within 24 hours, then write us with another email service. 
[OR] 
If within 24 hours you have not received a response, you need to follow the following instructions: 
a) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en 
b ) From the TOR browser, follow the link: torbox3uiot6wchz.onion 
c) Register your e-mail (the Up Sign) 
d) Write us on e-mail: setimichas1971@torbox3uiot6wchz.onion 
ATTENTION: e-mail (setimichas1971@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion 
################################ 
Any actions on your part over encrypted files can damage them. Be sure to make backups!
################################ 
In the message write us this ID:

The size of the ransom is unknown but is most likely between 0.1 and 0.3 BTC. As with the original version, we do not recommend paying cybercrooks, as it can result not only in data but also money loss. Unfortunately, this variant of B2DR is not decryptable as well.

.setimichas1971@protonmail.com.b4wq second variant
B2DR ransomware receives new versions that appends.setimichas1971@protonmail.com.b4wq file extension.

In June 2018, another variant of B2DR ransomware emerged. It uses a new ransom note file “ScrewYou.txt” and a new extension containing the contact email “.reycarnasi1983@protonmail.com.gw3w”. However, cyber criminals still provide the same recovery instructions and urge to pay the ransom. The size of the payment is still unknown, but we do not recommend having business with crooks. It's better to eliminate the virus.

A couple of days later, researchers reported that malware started using .ssananunak1987@protonmail.com.b2fr file extension too. Different than the previous one, this variant provides data recovery instructions in Readme.txt file. Though, the situation remains the same. Victims are asked to contact them and pay the ransom. One more time we want to remind that it's not recommended to do.

Obfuscated email attachments might contain ransomware payload

Ransomware executable usually spreads as obfuscated spam email attachment. The payload might look like Word, PDF, ZIP or other legit file or archive. The letter itself might look like sent from the official organization or popular company. Though, inattentive computer users can be quite easily tricked and let a file-encrypting virus into the system.

However, security specialists from faravirus.ro[4] tell that suspicious emails are not the only way malware might sneak into the device. Malware might also be installed in the following ways:

  • clicking malicious ads;
  • installing bogus programs or software updates;
  • downloading illegal programs, music, movies or other content;
  • by exploiting security vulnerabilities.

Instructions for B2DR ransomware elimination

B2DR removal requires employing strong and updated anti-malware tool. However, malware might block security software and prevent simple elimination. The good news is that ransomware can be disabled by booting to Safe Mode with Networking.

Then, you can install Reimage, Malwarebytes Malwarebytes, Plumbytes Anti-MalwareNorton Internet Security or your preferred anti-malware software and remove B2DR automatically. After that, you can use backups or try alternative recovery solutions. You can find our suggestions below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove B2DR ransomware you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall B2DR ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage
Alternate Software
Plumbytes Anti-Malware
We have tested Plumbytes Anti-Malware's efficiency in removing B2DR ransomware (2018-06-14)
Malwarebytes
We have tested Malwarebytes's efficiency in removing B2DR ransomware (2018-06-14)
Hitman Pro
We have tested Hitman Pro's efficiency in removing B2DR ransomware (2018-06-14)
Malwarebytes
We have tested Malwarebytes's efficiency in removing B2DR ransomware (2018-06-14)

To remove B2DR virus, follow these steps:

Remove B2DR using Safe Mode with Networking

Follow these steps to disable the virus and run automatic elimination:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove B2DR

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete B2DR removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove B2DR using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of B2DR. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that B2DR removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove B2DR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by B2DR, you can use several methods to restore them:

Try Data Recovery Pro after B2DR ransomware attack

This tool can recover corrupted files and might be useful after ransomware attack. Though, we cannot promise that it brings back all of the data.

Try Windows Previous Versions feture

This method can help to recover individual files if System Restore was enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might recover files with .b2dr extension

In order to recover files with ShadowExplorer, you have to make sure that malware did not delete Shadow Volume Copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

B2DR decryptor is not available yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from B2DR and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References