BBOO ransomware (Virus Removal Instructions) - Decryption Methods Included
BBOO virus Removal Guide
What is BBOO ransomware?
BBOO ransomware – the 205th variant of Djvu/STOP ransomware that is currently undecryptable
BBOO ransomware is a dangerous cyber threat that can infiltrate computer systems through email spam, software cracks, hacked RDP, and OS flaws
BBOO ransomware, discovered by Michael Gillespie,[1] is a recent member of the Djvu ransomware family. It uses the AES-256 encryption algorithm to lock every file it finds. When the malware scans the system for encryptable files and locks them, it appends the .bboo extension to each filename. This marks the data as locked; reversing it requires a specific decryption key.
The ransomware then drops a ransom note named _readme.txt, a plain text file that opens in Notepad, stating the monetary demands in exchange for the decryption tool. The criminals ask for an initial price of $490, to be paid in Bitcoin within 3 days.
If the victim does not pay within this time limit, the ransom doubles to $980. The attackers also provide the helpmanager@firemail.cc and helpmanager@iran.ir email addresses for contact. Keep in mind that the deadline is just a way to pressure you into paying faster; you should consider not paying at all because of the risk of being scammed.
According to VirusTotal,[2] the malicious payload has been detected by 50 of the 72 antivirus engines. Detection names include Gen:Variant.Mikey.109427, Win32:CrypterX-gen [Trj], A Variant Of Win32/Kryptik.HAYC, Trojan-Ransom.Win32.Stop.kb, Trojan.MalPack.GS, Mal/Generic-S, and others.
| Name | BBOO ransomware |
|---|---|
| Type | Ransomware virus/malware |
| Discoverer | Michael Gillespie |
| Encryption | Almost all files and documents are locked with the AES-256 encryption cipher. After encryption, the .bboo extension is appended to each filename |
| Ransom note | The ransomware delivers its demands and payment information via the _readme.txt note, which is nearly identical for every Djvu ransomware version |
| Ransom price | Criminals demand $490 if the victim pays within 3 days; after that, the ransom doubles to $980 |
| Crooks' contacts | helpmanager@firemail.cc and helpmanager@iran.ir; the criminals offer to decrypt one small file for free as evidence that the decryption tool exists |
| Delivery | The ransomware payload can reach the targeted Windows computer in many ways, including software cracks, hacked RDP, operating system flaws, and email spam |
| Elimination | If you have been infected with this ransomware, remove it from the Windows device with reliable antimalware software |
| Fix tip | If the ransomware has damaged your system, you can try repairing it with FortectIntego |
Djvu ransomware has been releasing new versions rapidly, and the .bboo files virus is another one that showed up at the start of February this year. The malware relies on stealthy delivery techniques, such as email spam campaigns that pose as order delivery notifications from well-known companies like FedEx and DHL. Criminals also often abuse vulnerable RDP configurations to enter the system remotely.
We have concluded that this ransomware mostly targets English-speaking users, since the ransom note and all of its instructions are written in English. This lets the criminals reach a wide range of people, as English is the most widely spoken language in the world. Some other ransomware families, by contrast, deliver the same ransom note in different languages depending on where the infected Windows computer is located.
Once the ransomware drops its payload on the system, it adds malicious keys to the Windows Registry and starts processes that can be seen in Task Manager. The Registry keys ensure that the malware is launched during every boot. Its executables also repeatedly rescan the system for encryptable files and documents to make sure no components are left unlocked.
You can recognize the infection by the .bboo extension appended to every locked file. For example, a file named report.docx becomes report.docx.bboo after encryption. The ransom note then appears on your desktop and may also be placed in every folder that contains encrypted documents. Here is the full text of the ransom note so that you can recognize it:
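The persistence behaviour described above (autorun Registry keys pointing at the dropped executable) is something a defender can check for offline. The following Python script is an added example written for this guide, not code from the original article or from the malware: it parses the text that `reg query` prints for a Run key and flags autorun entries whose executable lives in a user-writable folder such as %AppData%, %LocalAppData%, %ProgramData% or Temp, the folders this guide later names as hiding places for malware files. The registry export, the value names and the paths in it are constructed; the `reg query` output layout (`name  REG_SZ  data`, one value per line) is assumed.

```python
"""Flag suspicious autorun (Run key) entries in `reg query` output.

Added example for this guide, not code from the article or the malware.
The sample export below is constructed; the value names and paths are invented.
"""
import re

# Lower-cased path fragments for user-writable folders that a legitimate
# autorun rarely points into but that droppers commonly use.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\")

# Constructed sample of `reg query HKCU\...\CurrentVersion\Run` output.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    UpdateHelper    REG_SZ    "C:\Users\victim\AppData\Local\Temp\svc.exe" --AutoStart
    Steam           REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

# One value per line: <name> <REG_SZ|REG_EXPAND_SZ> <data>. Value names containing
# spaces are not handled by this simple pattern (a known limitation of the demo).
RUN_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def parse_run_values(reg_query_output):
    """Return (value_name, value_data) pairs found in `reg query` text."""
    entries = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data")))
    return entries


def image_path(value_data):
    """Extract the executable path from a Run value's data, handling quoted paths."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0]


def is_suspicious(path):
    """True if the executable sits in a user-writable folder."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def flag_suspicious(reg_query_output):
    """Names of Run values whose executable is in a suspicious location."""
    return [name for name, data in parse_run_values(reg_query_output)
            if is_suspicious(image_path(data))]


if __name__ == "__main__":
    for name, data in parse_run_values(SAMPLE_REG_QUERY):
        mark = "SUSPICIOUS" if is_suspicious(image_path(data)) else "ok"
        print(f"{mark:10} {name}: {image_path(data)}")
```

On a real machine you would feed the script the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM equivalent) rather than the constructed sample; the location heuristic is a prompt for manual review, not proof of infection, because some legitimate updaters also install under AppData.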
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-Oc0xgfzC7q
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
helpmanager@firemail.cc
Reserve e-mail address to contact us:
helpmanager@iran.ir
Your personal ID:
This ransomware also speeds up encryption by locking only the first 154 KB of each affected file. It can encrypt any type of document, not only files stored locally but also data on connected remote drives. However, it is known to skip files with the .dll, .lnk, .ini, .bat, and .sys extensions.
It also skips system folders such as %AppData%, %Windows%, and %Program Files%, so that the victim can still use the infected Windows computer to pay the ransom, email the criminals, and so on. The attackers even offer to decrypt one small file (containing no important information) for free as proof that the decryption tool exists.
The ransomware may also try to disable the antivirus software installed on your system to avoid detection. If your antimalware program is blocked, you may not receive any alerts while the encryption runs. This also makes removal harder unless you undo the malicious changes by booting the PC into Safe Mode with Networking.
Furthermore, the ransomware may target your Shadow Volume Copies[3] and delete them permanently via PowerShell commands. This prevents you from using third-party software that could recover some encrypted files from intact Shadow Copies. The malware can also tamper with the Windows hosts file to block access to cybersecurity websites and forums.
BBOO ransomware is a file-encrypting cyber threat that uses the AES-256 cipher to lock files and documents on the infected Windows PC
When you remove BBOO ransomware from your Windows computer, do not forget to delete the tampered hosts file as well; otherwise, access to security websites may remain blocked. Use only reliable antimalware programs capable of dealing with such complex threats for the removal. If you find damage to your Windows device, try repairing the affected objects with FortectIntego.
The ransomware may also drop additional malware on the infected system, leaving it vulnerable to further infections and opening backdoors. STOP ransomware variants are known to distribute the AZORult Trojan, so this version may do the same. If a trojan lands on your system, you are likely to experience software corruption, excessive CPU usage, data and monetary theft, and similar problems.
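Rather than deleting the hosts file blindly, it helps to see exactly which names it blocks. The following Python snippet is an added example for this guide (not code from the original article): it parses hosts-file text, lists every hostname that is redirected to a loopback or null address while not being a standard localhost alias, and produces a cleaned copy with those lines removed. The hosts content below is constructed, and the blocked domain names are placeholders under .example.

```python
"""Find and remove hostname-blocking entries in a Windows hosts file.

Added example for this guide, not code from the article. The sample hosts
text is constructed; the blocked names are placeholders, not real sites.
"""

# Addresses used to sinkhole a name: loopback, the unspecified address, IPv6 loopback.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback and must not be reported.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# Constructed sample of a tampered Windows hosts file (not a real capture).
# localhost name resolution is handled within DNS itself.
# 127.0.0.1       localhost
# ::1             localhost
::1 localhost
127.0.0.1 security-vendor.example
127.0.0.1 www.security-vendor.example   # entries like these block vendor sites
0.0.0.0   malware-forum.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for each active (non-comment) entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((n, parts[0], parts[1:]))
    return entries


def blocked_domains(text):
    """Hostnames sinkholed to a loopback/null address, excluding localhost aliases."""
    found = []
    for _, ip, names in parse_hosts(text):
        if ip in LOOPBACK:
            found.extend(n for n in names if n.lower() not in BENIGN_NAMES)
    return found


def _is_blocking_line(raw):
    parts = raw.split("#", 1)[0].split()
    return (len(parts) >= 2 and parts[0] in LOOPBACK
            and any(n.lower() not in BENIGN_NAMES for n in parts[1:]))


def clean_hosts(text):
    """Return the hosts text with blocking entries removed; comments and
    localhost mappings are preserved."""
    kept = [raw for raw in text.splitlines() if not _is_blocking_line(raw)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("Blocked names:", blocked_domains(SAMPLE_HOSTS))
    print("Cleaned file:\n" + clean_hosts(SAMPLE_HOSTS))
```

On Windows the live file is %WinDir%\System32\drivers\etc\hosts and editing it requires administrator rights. Treat the list as something to review before removing: ad-blocking hosts lists also sinkhole names to 0.0.0.0, so a long list of blocked names is not by itself proof of ransomware tampering.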
A little bit about file encryption and possible recovery techniques
Djvu ransomware variants sometimes use offline encryption keys rather than online ones; here is the difference. When a device is infected, the malware first tries to connect to its C&C server. If the connection succeeds, it obtains an online key and starts encrypting all the data it finds. Online keys are unique to each victim and are stored on remote servers that only the criminals can access.
However, if BBOO ransomware cannot connect to the command-and-control server, it falls back to an offline key that is the same for every victim. If you are not sure which type of key was used, check your personal ID in the PersonalID.txt file in the C:/SystemID/ directory. IDs that end with t1 indicate that an offline key was used, in which case you have a chance of recovering at least some of your files.
Unfortunately, it is more likely that an online key was used, in which case data recovery will be difficult. Emsisoft has released a Djvu decrypter that works for offline-key versions and for variants released before August 2019.[4] Even so, this does not mean you should rush to pay the criminals the demanded price, which can reach $980 if you are more than three days late.
The developers are focused on their own profit and do not care about the victims or their files. There is a good chance that you will be scammed if you pay: they might send a fake tool or no key at all. Rather than taking that risk, go to the end of this article, where you will find data recovery options provided by our experts. If followed correctly, these steps might be genuinely helpful.
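To tie together the recognition facts from this article (the .bboo extension, the _readme.txt note, the skipped extensions, the 154 KB partial encryption, and the t1 suffix that marks an offline key), here is an added Python triage script written for this guide; it is not code from the article or from any decryption tool. Given a folder, it inventories encrypted files and ransom notes, notes which files are larger than 154 KB (and therefore, per the article's statement, keep an unencrypted remainder), and classifies a personal ID as offline or online. The directory tree it scans is constructed in a temporary folder for the demo; the personal ID values and file names are invented.

```python
"""Offline triage of a folder hit by a STOP/Djvu variant that appends .bboo.

Added example for this guide, not code from the article or any decryptor.
Uses only facts stated in the article; the sample tree and IDs are constructed.
"""
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".bboo"
RANSOM_NOTE = "_readme.txt"
SKIPPED_EXTS = {".dll", ".lnk", ".ini", ".bat", ".sys"}   # left alone by the malware
ENCRYPTED_PREFIX_BYTES = 154 * 1024                       # article: only first 154 KB locked


def key_type(personal_id):
    """Classify a personal ID (from C:/SystemID/PersonalID.txt).
    A trailing 't1' means an offline key was used; anything else is treated as online."""
    return "offline" if personal_id.strip().endswith("t1") else "online"


def triage(root):
    """Walk `root` and report encrypted files, ransom notes, files the malware
    skips by extension, and encrypted files larger than the encrypted prefix."""
    report = {"encrypted": [], "notes": [], "skipped_by_design": [], "with_plain_tail": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report["notes"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
                if os.path.getsize(path) > ENCRYPTED_PREFIX_BYTES:
                    report["with_plain_tail"].append(path)
            elif os.path.splitext(name)[1].lower() in SKIPPED_EXTS:
                report["skipped_by_design"].append(path)
    return report


def build_sample_tree():
    """Create a constructed victim folder in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="bboo_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx.bboo"), "wb") as fh:
        fh.write(b"\x00" * 4096)                # small: entirely inside the 154 KB window
    with open(os.path.join(docs, "video.mp4.bboo"), "wb") as fh:
        fh.write(b"\x00" * (200 * 1024))        # larger than 154 KB
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("ATTENTION! (constructed placeholder note)\n")
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("[settings]\n")                # .ini files are skipped by the malware
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for category, paths in triage(root).items():
            print(f"{category}: {len(paths)}")
        print("ID 0123456789abcdeft1 ->", key_type("0123456789abcdeft1"))   # constructed ID
    finally:
        remove_sample_tree(root)
```

Point `triage()` at the real drive letter instead of the sample tree to get a count of affected files before you decide on a recovery route, and read the ID from PersonalID.txt into `key_type()` to see whether the offline-key decrypter is even worth trying.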
It is the 205th version of Djvu ransomware
Hacked RDPs and phishing emails are the main malware carriers
According to cybersecurity specialists from NoVirus.uk,[5] ransomware infections are delivered through various stealth techniques, but one of the most common distribution channels is email spam. Phishing messages often carry the malicious payload as an attachment or hyperlink. The crooks often impersonate reputable companies and use themes such as banking details, canceled flight notices, order information, ticket processing, and similar.
If you receive a suspicious email and are not sure where it came from, delete it and do not open any attached files. If you have already downloaded the attachment, do not open it without a thorough malware scan first. Also check the message for grammar mistakes, since reputable companies make sure their notifications are sent without errors.
Ransomware payloads can also enter the system through hacked RDP connections, typically exposed on TCP port 3389. Criminals look for RDP services with easily guessable passwords or no password at all, break through that weak barrier, and install the ransomware on the device remotely.
Ransomware can also arrive bundled with software cracks uploaded to peer-to-peer sites such as The Pirate Bay, eMule, and BitTorrent. Malware developers can also exploit flaws in the operating system, web browsers, services such as Microsoft Office, and third-party apps of all kinds.
Avoid downloading products, services, and software from unknown sources, as the risk of malware infection is high. Get everything from reliable developers and their official web pages. Keep your software, OS, and other services up to date to close known flaws. Last but not least, use reliable antimalware software that scans your Windows computer regularly and provides malware protection.
Tips on ransomware removal process
Ransomware removal is the first step if you want to free your Windows computer from the infection and have a chance of recovering at least some of your files. Use a reliable antimalware program that does the whole job for you: it searches the entire system for malicious items and makes sure the malware is gone together with any additional content it has brought.
Once the ransomware is removed, it is time to look for damage. You can use software such as SpyHunter 5Combo Cleaner or Malwarebytes to discover corrupted areas, and then try repairing the damage with FortectIntego. Afterward, continue with the data recovery techniques at the end of this article. Complete each step as described to achieve the best results.
Getting rid of BBOO virus. Follow these steps
Manual removal using Safe Mode
To undo all of the malicious changes to your Windows operating system made by the ransomware, apply the following steps and boot your computer in Safe Mode with Networking.
Important!
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to perform correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in Safe Mode.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove BBOO using System Restore
To deactivate the ransomware and disable all of its malicious settings on your Windows device, you should roll back your machine via System Restore. If you do not know how to do this, follow the guide below.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of BBOO. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is meant to help you remove BBOO from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. .bboo files are a sign that the ransomware has affected your files and documents. Rather than risking being scammed by paying the ransom, you should try the following data recovery techniques.
If your files are encrypted by BBOO, you can use several methods to restore them:
Employ Data Recovery Pro to restore some files
If the ransomware has locked your files and documents, you might have a chance of recovering them with the help of this software. Complete all the steps as described to get the best results.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by BBOO ransomware;
- Restore them.
Using Windows Previous Versions feature might allow you to recover data
If you have booted your computer via System Restore in the past, this method might help you to restore at least some of your files.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Shadow Explorer is a piece of software for file recovery
You can try restoring your files back to normal with this tool. However, make sure that the ransomware virus did not destroy the Shadow Volume Copies of your encrypted files, otherwise, this method might not work.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Currently, cybersecurity experts are still working on the decryption tool.
Finally, you should always think about protection against crypto-ransomware. To protect your computer from BBOO and other ransomware, use reputable anti-spyware such as FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes.
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has gained momentum in recent years, and people are increasingly interested in how to protect their privacy online. One of the basic ways to add a layer of security is to choose the most private and secure web browser. Although web browsers cannot guarantee full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN, which can encrypt all the traffic that comes into and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects: these are the types of files we do not want to lose. Unfortunately, unexpected data loss can happen in many ways: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attacks, or even accidental deletion.
To make sure your files stay intact, prepare regular data backups. You can choose cloud-based or physical copies that you can restore from later in case of a disaster. If your backups were lost as well, or you never made any, Data Recovery Pro can be your only hope of retrieving your invaluable files.
- ^ Michael Gillespie. @demonslay335. #STOP #Djvu #Ransomware w/ extension ".bboo". Twitter. Social Platform.
- ^ 50 engines detected this file. VirusTotal. Detections.
- ^ Shadow Copy. Wikipedia. The free encyclopedia.
- ^ Free Ransomware Decryption Tools. Emsisoft. Decryption tools.
- ^ NoVirus. NoVirus. Security and spyware news.