Bisamware ransomware encrypts users' data and asks them to pay for decryption

Bisamware ransomware is a new strain detected by security vendors. When the virus infiltrates the victims' devices it almost immediately starts the encryption[1] process using complicated algorithms. The affected files get appended with the .BISAMWARE extension, so for example, if a file was previously named picture.jpg after the encryption is complete, it would look like this – picture.jpg.BISAMWARE.
The icons also change to blank pages so you cannot see the content even in preview mode. If you try to open the damaged files, a prompt appears saying that Windows is unable to open the file. Shortly after, a ransom note SYSTEM=RANSOMWARE=INFECTED.TXT is generated on the user's PC to inform them of what has happened and what they should do if they want to recover the files.
| NAME | Bisamware |
| TYPE | Ransomware, cryptovirus, data locking malware |
| FILE EXTENSION | .BISAMWARE |
| RANSOM NOTE | SYSTEM=RANSOMWARE=INFECTED.TXT |
| DISTRIBUTION | Infected email attachments, peer-to-peer file sharing platforms, torrents, malicious ads |
| FILE RECOVERY | It is next to impossible to recover the files if you do not have backups or the decryption keys were not leaked; in some cases, recovery is successful with third-party software |
| ELIMINATION | Scan your machine with anti-malware software to eliminate the virus safely; this will not recover the locked files |
| SYSTEM FIX | You can avoid windows reinstallation with FortectIntego maintenance tool, which can fix damaged files and system errors |
The ransom note
The full SYSTEM=RANSOMWARE=INFECTED.TXT ransom note reads as follows:
==============RANSOMWARE NOTE==============
YOUR SYSTEM GOT INFECTED WITH A RANSOMWARE
CONTACT US DOWN BELOW AT OUR TOR ONION LIVE CHAT SYSTEM FOR DECRYPTION HELP
IF YOU “DONT” WANT THE FILES BACK – RESET YOUR PC
100% DECRYPTION AFTER PURCHASE OF DECRYPTION KEY – ONLY WE HAVE IT IN OUR DATABASE
TOR CHAT UNIQUE URL: –
YOU CAN CALL THE COPS – YOU CAN CALL ANY MASTER TECHNICAL SOFTWARE DEVELOPER BUT IT WONT HELP
WE ARE SPECIALIZED TO TARGET COMPANIES – THERE IS NO WAY TO RECOVER YOUR FILES WITHOUT GETTING THE DECRYPTION KEY
==============REQUIREMENTS==============
+TOR BROWSER TO ACCESS OUR TOR CHAT DOWNLOAD at hxxps://www.torproject.org/download/
+BITCOINS PURCHASE AT hxxps://www.blockchain.com/ , or hxxps://www.coinbase.com/ , or hxxps://www.binance.com/ , or hxxps://localbitcoins.com/
+WATCH TUTORIAL HOW TO BUY BITCOINS AT hxxp://yfoj3s7ov6e3k7pboeumnj6r*****.onion/how_to_purchase_bitcoins.mp4 , or hxxps://www.youtube.com/watch?v=MIUQnVHh9rU
The developers of Bisamware ransomware are demanding that victims pay a ransom to have their data returned, preferably in cryptocurrency[2] form – specifically Bitcoin. Cybercriminals often choose cryptocurrency as payment because it is anonymous and difficult to trace.
It is highly advised not to contact cybercriminals, much less pay them, because they cannot be trusted. Many past ransomware victims have come forward and claimed that they never received the promised decryption tools after paying for them. Furthermore, it's impossible to retrieve cryptocurrencies once you send them to another wallet.

Distribution methods
The most typical way that ransomware is introduced is through an executable file (.exe) that has been stored in a zip folder, embedded within a Microsoft Office document's macros, or disguised as a fax or other viable attachments. This generally happens as a result of user carelessness and lack of knowledge about digital threats.
Many people enjoy using pirate download sites and obtaining “cracked” software.[3] Torrent sites, peer-to-peer file sharing, and freeware platforms are ideal breeding grounds for all sorts of malware. When you use these websites, you have no way of knowing if the program you're downloading is safe. It's preferable to utilize official web stores and developer sites. Even though it might be more expensive in the short term, you may save money in the long term by keeping your system running smoothly.
Unfortunately, cybercriminals often fool people into downloading their harmful software by making it look trustworthy. For example, they may create an email that resembles a message from a legitimate and well-known company. These emails usually contain malicious links or attachments which, once opened, start the infection process.
Another popular way that users get infected with ransomware is by not having the latest security patches for their software. Software vulnerabilities can be exploited to install malicious programs, however, developers regularly release updates to prevent such attacks.
Remove malicious files
The important thing to do is disconnect the affected machine from the local network. For home users, disconnecting the ethernet cable should do the job. If this happened at your workplace, doing that might be complicated, so we have instructions for corporate environments at the bottom of this post.
If you try to recover your data first, it can result in permanent loss. It can also encrypt your files the second time. It will not stop until you remove the malicious files causing it first. You should not attempt removing the malicious program yourself unless you have experience.
Use anti-malware tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. In some cases, malware is not letting you use antivirus in normal mode, so you need to access Safe Mode and perform a full system scan from there:
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.

- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.

- Select Troubleshoot.

- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.

What to do with the damaged operating system?
Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are expected after a malware infection. These types of infections can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software is not able to repair it.
This is why FortectIntego was developed. It can fix a lot of the damage caused by an infection like this. Blue Screen errors,[4] freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this maintenance tool, you could avoid Windows reinstallation.
- Download the application by clicking on the link above
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

Try recovering your files with third-party software
Only hackers hold the decryption key, which can unlock your files, so if you did not back them up previously, you possibly lost your files forever. You can try using data recovery software, but third-party programs cannot always decrypt the files. We suggest at least trying this method. Before proceeding, you have to copy the corrupted files and place them in a USB flash drive or another storage. And remember – only do this if you have already removed the Bisamware ransomware.
Before you begin, several pointers are important while dealing with this situation:
- Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
- Only attempt to recover your files using this method after you perform a scan with anti-malware software.
Install data recovery software
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.

- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.

- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.

- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.

Recommended security measures
- Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to the installation of ransomware.
- Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails delivered to user computers.
- Monitoring tools can detect unusual file access activities, viruses, network C&C traffic, and CPU loads just in time to prevent ransomware activation.
- Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyze applications on users’ devices and immediately alert them about any applications that might compromise the environment.
Was this guide helpful?
Be the first to comment