BDAT ransomware (virus) - Free Instructions

What is bDAT ransomware?

bDAT ransomware is a malicious program that attempts to extort money from innocent computer users

The bDAT virus is ransomware that specifically targets people and requests money from them. Upon entrance, it immediately infects the system and starts to encrypt all data using a complex encryption algorithm. Dharma – a malware family this threat belongs to) often employs AES, DES, or RSA^[1] encryption algorithms, depending on the version. This results in pictures, documents, databases, videos, and any other files receiving the .bDAT extension, along with cybercriminals' contact email and unique user ID.

From this point, whenever users would try to open bDAT files, they would instead receive a Windows error, which claims that the file type is not recognized, and attempts to open files with different applications would result in a failure every time. This is because a secure encryption algorithm is used, and only a precise key consisting of a long alphanumeric string would be able to unlock them.

bDAT ransomware then drops a ransom note titled info.txt, which shows a brief message with the contact email bkpdata@msgsafe.io. Users would also see a pop-up message which would include a much more detailed description of the attack. We recommend not communicating with cybercriminals and instead relying on alternative methods to restore encrypted data after eliminating the virus first.

The ransom note

The virus has its origins in the Dharma ransomware family, which made its debut in 2016. Since then, there have been hundreds of variations released by malware authors – many of which we have written about already, including Cyberpunk, Ash, Iq20, and many others. In fact, Dharma authors have released hundreds of variants so far, and while they may differ technically, their purpose remains the same – to extort money from users after encrypting their files.

Just like any other malware of this type, it attempts to make sure that users receive relevant information about the attack once it's done with the data-locking process. Thus, it immediately delivers a pop-up message which would be shown to every victim of ransomware. It reads:

YOUR FILES ARE ENCRYPTED
cyberpunk
Don't worry, you can return all your files!
If you want to restore them, write to the mail: bkpdata@msgsafe.io YOUR ID
If you have not answered by mail within 12 hours, write to us by another mail:bkpdata@onionmail.org
ATTENTION!
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There is also a shorter version of this message, which can be viewed in a text file info.txt, and is dropped into several locations on a PC. This message only includes information about what happened to users' files and provides contact emails.

Regardless of which ransom note you view, we recommend avoiding any contact with cybercriminals. They may never fulfill their promises and never contact you again, even if you've paid the ransom. Alternatively, they might send you a decryptor that doesn't work, and there are no guarantees here – it's no shop where you can return faulty products.

How to remove bDAT ransomware correctly

It's normal to feel panicked when you can no longer access your files because ransomware has locked them, but this reaction cannot solve anything. In fact, panicking may cause victims to make more mistakes and lose even more data. To prevent additional damage, it is crucial to follow recovery steps in order.

1. Disconnect the system from the network and internet

To prevent your computer from communicating with the remote server that hackers are using to store a decryption tool and issue commands, sever its internet connection before you start recovery procedures.

• Type in Control Panel in Windows search and press Enter
• Go to Network and Internet
• Click Network and Sharing Center
• On the left, pick Change adapter settings
• Right-click on your connection (for example, Ethernet), and select Disable
• Confirm with Yes.

2. Scan with anti-malware

Ransomware can sometimes delete itself after encrypting your files, but this doesn't mean it's completely gone. Other modules may still be present that could steal data or work together with other malicious programs on your device.

SpyHunter 5Combo Cleaner or Malwarebytes can locate and delete all ransomware-related files, additional modules, and any other malware that might be present on your system. The security software is easy to use – you don't need any IT experience – and it's been successful in removing malware. If the process of removing the malware is being disrupted, you should follow these instructions to access Safe Mode and perform the removal from there:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on the Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find the Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

3. Attempt to restore your files without paying

There is a common misconception that security software will automatically restore all personal files to their original state. This is untrue. The primary purpose of anti-malware software is removing infected files from the system in order to avoid any future issues, not restoring files that have been encrypted by ransomware – it's simply a completely different mechanism.

There is also a group of victims who believe that their files have been permanently damaged by malware. While this is not impossible (wipers^[2] are known to do so), most ransomware simply locks files behind a complex key, which is only accessible to cybercriminals. Without it, restoring .bDAT files may be almost impossible.

However, we recommend trying alternative methods which may be useful for some users. First off, attempt to run third-party recovery software:

• Download Data Recovery Pro.
• Double-click the installer to launch it.
  
• Follow on-screen instructions to install the software.
• As soon as you press Finish, you can use the app.
• Select Everything or pick individual folders which you want the files to be recovered from.
• Press Next.
• At the bottom, enable Deep scan and pick which Disks you want to be scanned.
• Press Scan and wait till it is complete.
• You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
• Press Recover to retrieve your files.

Your other option is to wait for security researchers and security companies to create a free decryption tool. This usually happens when a flaw is discovered within the malware's encryption code or when the authorities seize the servers owned by cybercriminals. Note that this may or may not happen in the future, although we recommend following these links in the search for a decryptor for bDAT ransomware:

• No More Ransom Project
• Free Ransomware Decryptors by Kaspersky
• Free Ransomware Decryption Tools from Emsisoft
• Avast decryptors

4. Fix system crashes and other stability issues

Malware is a complex program that circumvents in-built security and alters Windows' behavior. Some system components may be unintentionally damaged during an infection, which can cause software or the computer itself to crash with BSODs^[3] or display errors. This is more common after malware has been removed from the affected machine since antivirus software can't repair corrupted system files caused by malware. Thus, we recommend you use an automatic solution that would remediate your system and remove any damage done by ransomware:

• Download FortectIntego
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.