B2DR ransomware (updated Jun 2018) - Removal Instructions
B2DR virus Removal Guide
What is B2DR ransomware?
B2DR – a ransomware-type cyber threat that has been updated in June 2018
B2DR is a file-encrypting virus that aims to swindle your money.
B2DR is a file-encrypting virus that uses AES-256 cryptography to lock various files on the targeted computer. This ransomware[1] has a few versions that append can be separated from each other by appended file extension. Currently, malware appends one of four suffixes: .setimichas1971@protonmail.com.b4wq, .bronmerkberpa1976@protonmail.com.b2dr, .reycarnasi1983@protonmail.com.gw3w and .ssananunak1987@protonmail.com.b2fr. When data becomes useless, malware drops either ScrewYou.txt or readme.txt files with shady file recovery possibilities.
Summary | |
---|---|
Name | B2DR |
Type | Ransomware |
Danger level | High. Makes system changes, encrypts files |
Cryptography | AES-256 |
File extension |
.reycarnasi1983@protonmail.com.gw3w; .bronmerkberpa1976@protonmail.com.b2dr; |
Ransom note | ScrewYou.txt; readme.txt |
Distribution method | Malicious spam emails, bogus software downloads, fake update installation, exploit kits. |
To uninstall B2DR, install FortectIntego and run a full system scan |
B2DR ransomware seems to be spread via malicious spam email attachments[2]. However, other distribution methods might be applied too. As soon as malware executable is dropped on the system, the virus modifies Windows Registry, installs harmful components and starts scanning the system looking for files to encrypt.
B2DR malware displays ransom note soon after all files are encrypted.
B2DR virus targets commonly used files to cause more damage to the users and urge them to pay the ransom. Malware makes files inaccessible by appending extension. However, the new file extension also has a contact email address – bronmerkberpa1976@protonmail.com.
In the ransom note called readme.txt, authors of B2DR ask to send them an email in order to learn how to get back access to corrupted files:
All your files are encrypted.
Ask how to restore your files by email bronmerkberpa1976@protonmail.com
Use only gmail.com, yahoo.com, protonmail.com.
Messages written from other mail services we can not get.
!!!With any changes to the encrypted files, do not forget to backup files!!!
Your ID: ***
According to malware researchers, crooks offer to decrypt three files smaller than 2MB before paying the demanded sum of money:
Hey. Archive any three files no larger than 2 mb.
Archive upload to http://sendspace.com and send us a link to the archive.
We will decrypt the files. Thank you.
However, security specialists do not recommend playing such games. Having a business with cybercriminals is never a good idea. Therefore, instead of giving your money to evil-minded people, you have to remove B2DR from the PC. Even though this procedure won’t bring back your files, but it ensures that you won’t lose your money.
Cybercriminals may never give you B2DR decryptor, but blackmail you into paying hundreds or even thousands of dollars. Though, these three files might be the only data you might retrieve. However, crooks might threaten to delete or leak personal information in order to get more money from you.
For this reason, you should decrease your loss by eliminating ransomware. After B2DR removal with FortectIntego or other malware elimination software, you can try to recover files using third-party software. There’s still a chance that some of them can be rescued.
B2DR ransomware asks to contact crooks soon after file encryption.
Three new variants of B2DR emerged
Security researcher Michael Gillespie[3] discovered the new variant of B2DR ransomware in May 2018. The malware did not change much – even the ransom note name remained the same (Readme.txt). Nevertheless, the virus uses a different extension to encrypt files – .setimichas1971 @ protonmail.com.b4wq. Additionally, the contents of the ransom message vary from the original:
Your files were encrypted with AES-256.
Ask how to restore your files by email setimichas1971@protonmail.com
Use only gmail.com, yahoo.com, protonmail.com. Messages written from other mail services we can not get.
We always respond to messages. If there is no answer within 24 hours, then write us with another email service.
[OR]
If within 24 hours you have not received a response, you need to follow the following instructions:
a) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en
b ) From the TOR browser, follow the link: torbox3uiot6wchz.onion
c) Register your e-mail (the Up Sign)
d) Write us on e-mail: setimichas1971@torbox3uiot6wchz.onion
ATTENTION: e-mail (setimichas1971@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion
################################
Any actions on your part over encrypted files can damage them. Be sure to make backups!
################################
In the message write us this ID:
The size of the ransom is unknown but is most likely between 0.1 and 0.3 BTC. As with the original version, we do not recommend paying cybercrooks, as it can result not only in data but also money loss. Unfortunately, this variant of B2DR is not decryptable as well.
B2DR ransomware receives new versions that appends.setimichas1971@protonmail.com.b4wq file extension.
In June 2018, another variant of B2DR ransomware emerged. It uses a new ransom note file “ScrewYou.txt” and a new extension containing the contact email “.reycarnasi1983@protonmail.com.gw3w”. However, cyber criminals still provide the same recovery instructions and urge to pay the ransom. The size of the payment is still unknown, but we do not recommend having business with crooks. It's better to eliminate the virus.
A couple of days later, researchers reported that malware started using .ssananunak1987@protonmail.com.b2fr file extension too. Different than the previous one, this variant provides data recovery instructions in Readme.txt file. Though, the situation remains the same. Victims are asked to contact them and pay the ransom. One more time we want to remind that it's not recommended to do.
Obfuscated email attachments might contain ransomware payload
Ransomware executable usually spreads as obfuscated spam email attachment. The payload might look like Word, PDF, ZIP or other legit file or archive. The letter itself might look like sent from the official organization or popular company. Though, inattentive computer users can be quite easily tricked and let a file-encrypting virus into the system.
However, security specialists from faravirus.ro[4] tell that suspicious emails are not the only way malware might sneak into the device. Malware might also be installed in the following ways:
- clicking malicious ads;
- installing bogus programs or software updates;
- downloading illegal programs, music, movies or other content;
- by exploiting security vulnerabilities.
Instructions for B2DR ransomware elimination
B2DR removal requires employing strong and updated anti-malware tool. However, malware might block security software and prevent simple elimination. The good news is that ransomware can be disabled by booting to Safe Mode with Networking.
Then, you can install FortectIntego, SpyHunter 5Combo Cleaner, Malwarebytes or your preferred anti-malware software and remove B2DR automatically. After that, you can use backups or try alternative recovery solutions. You can find our suggestions below.
Getting rid of B2DR virus. Follow these steps
Manual removal using Safe Mode
Follow these steps to disable the virus and run automatic elimination:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove B2DR using System Restore
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of B2DR. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove B2DR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by B2DR, you can use several methods to restore them:
Try Data Recovery Pro after B2DR ransomware attack
This tool can recover corrupted files and might be useful after ransomware attack. Though, we cannot promise that it brings back all of the data.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by B2DR ransomware;
- Restore them.
Try Windows Previous Versions feture
This method can help to recover individual files if System Restore was enabled before ransomware attack.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer might recover files with .b2dr extension
In order to recover files with ShadowExplorer, you have to make sure that malware did not delete Shadow Volume Copies.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
B2DR decryptor is not available yet.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from B2DR and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.
- ^ Margaret Rouse. Ransomware. TechTarget. The network of technology focused web sites.
- ^ Alison DeNisco Rayome. Report: Malicious email attacks jump 85% in Q3, ransomware reigns supreme. TechRepublic. News, tips, and advice for technology professionals.
- ^ Michael Gillespie. Twitter. Social network.
- ^ Faravirus. Faravirus. Romanian cyber security news.