Obfuscated ransomware (Removal Guide) - updated Feb 2019

Obfuscated virus Removal Guide

What is Obfuscated ransomware?

Obfuscated ransomware – a decryptable cryptovirus which is also known as BigBobRoss

Obfuscated ransomwareObfuscated ransomware is a cryptovirus that focuses on getting money from its victims. You should never trust cybercriminals. Obfuscated ransomware belongs to the family of file-encrypting malware that infiltrates the system using malicious documents attached to the legitimate-looking email. This notorious cyber threat is also known by another name – BigBobRoss. However, ransomware payload is launched right after you open it and download the file that contains malware script, for example, bedoneupx.exe,[1] to the system. Once this file is launched, your data gets encrypted and all encoded files are marked with .obfuscated or .[id=] appendix. This is the first stage of the cryptovirus attack. Additionally, the malware drops a ransom message Read Me.txt on the screen which states about the encrypted data and how to pay the ransom for the alleged file recovery. Do not trust the test decryption that is offered in this ransom note because contacting cybercriminals supposedly will not give you any value. In fact, both of the virus's versions are decryptable.

Name Obfuscated ransomware
Type Cryptovirus
Also known as BigBobRoss
Danger LEVEL High. This virus locks all found files, gladly, they can be recovered
Ransom note Read Me.txt
Contact email bigbobross@protonmail.com
Main executable bedoneupx.exe
File extension .obfuscated, .[id=]
Distribution method Spam email attachments
Elimination Use FortectIntego for Obfuscated ransomware removal, then recover your files by contacting Michael Gillespie.

Obfuscated ransomware virus can also be called BigBobRoss ransomware due to the contact email left in the ransom note — bigbobross@protonmail.com. There are also a few different payload versions discovered in the wild, but the danger behind the cyber threat remains the same. The most dangerous thing about the ransomware is the file encryption that affects the original code of your photos, audio files, documents, and even archives.

Unfortunately, when your files get the .obfuscated extension, you cannot open or use them. Keep in made, that Obfuscated ransomware can lock a big variety of data, including audio, video, image, text document, archive, virtual drive, template files. We recommend cleaning the system thoroughly and then focusing on the data recovery using backups because it is the safest way.

Obfuscated ransomware developers cannot be trusted because these people only care about your money and there is little to none possibility that encrypted files can be recovered.[2] Use a reputable anti-malware tool like FortectIntego, eliminate all threats including this cryptovirus and avoid the risk of getting scammed by the crooks.

For further information, Obfuscated ransomware developers also urge paying the ransom price in Bitcoins. They provide the users which a site where such cryptocurrency can be obtained. It is known that cybercriminals who demand ransom always ask for some type of cryptocurrency (Bitcoin mostly) in order to stay safe and untrackable.

When Obfuscated ransomware is done encrypting your files the ransom note Read Me.txt is displayed on the screen and has the following message:

Hello, dear friend!
1- [All your files have been ENCRYPTED!]

Your files are NOT damaged! Your files are modified only.
The only way to decrypt your files is to receive the decryption program.
your files can not be decrypted without the special program we made it for your computer.


To receive the decryption program Write to our email “BigBobRoss@computer4u.com”
and tell us your unique ID


Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us 1 file that must be less than 1MB and we decrypt it for free.
File should not be important to you! databases, backups, large excel sheets, etc.

4- [ Instruction ]

the easiest way to buy bitcoins is LocalBitcoins site. you have to register, click “buy bitcoins”
and select the seller by payment method and price.


please do not change the name of files or file extension if your files are important to you!
Your unique ID :

Additionally to the first encryption function, Obfuscated ransomware can alter various parts of the system and change various settings:

  • modify Windows Registry Keys;
  • disable security programs;
  • delete shadow volume copies;[3]
  • add files to system folders;
  • run malicious processes in the Task Manager section.[4]

Since victims of Obfuscated ransomware have contributed to the analysis, there are a few versions of the same ransomware that can easily distribute around the world. However, the solution for most of the cryptovirus is the same – anti-malware tools and a full system scan. Expert-tested software is necessary for this process as the user himself/herself might cause even more damage while trying to delete the notorious infection on his/her own.

You need to remove Obfuscated ransomware using professional tools so that every related file can be deleted from the system entirely. Also, remember that the name of a threat may differ depending on the antivirus program you are using. You should follow the suggested steps of your anti-malware tool.

Obfuscated virusObfuscated ransomware is a file-encrypting cyber threat also known as BigBobRoss

We want to remind you that Obfuscated ransomware is a ransom-demanding virus and its developers cannot be trusted. Even though the crooks offer 1 file for free decryption to prove that the decryption key is real, there still is no need of contacting them. First of all, you risk being left with no money. Second, cybersecurity experts have already released a decryption tool for .obfuscated files.

Researchers[5] note that Obfuscated ransomware can be detected as:

  • TR/Encoder.cjfbq;
  • TR/Crypt.XPACK.Gen;
  • Trojan.Ransom.Filecoder;
  • Trojan.Heur.RP.7mqaaiAmoeki;
  • Win32:Malware-gen;
  • TR/FileCoder.iirhw;
  • Gen:Trojan.Heur.RP.7mqaaiAmoeki (B);
  • etc.

Make sure to check if the system is malware-free after the automatic Obfuscated ransomware removal. You can do so by scanning the device again or with an alternative antivirus tool. This way you can be sure that data backups can be used to restore encrypted files. If you have no backups and still want to recover locked data, check our tips below the article.

Obfuscated ransomware virusObfuscated ransomware cryptovirus delivers a ransom note in the text file containing payment instructions. It infects the system with the main executable bedoneupx.exe.

Email attachments help infect the system with malware

There are many other variants of ransomware-type threats that get on the network using Word, Excel or PDF documents attached to the email spam. This is a common technique used by malware developers and distributors. When the email poses as a legitimate notification from companies like PayPal, FedEx or Amazon people tend to open them without consideration.

However, when the email is opened, and the attached file downloaded, malicious script is automatically launched on the device. The payload might also inject the system via the direct link on the PDF file or the email itself. You can avoid the infiltration if you pay more attention to the content of your email box. You should delete suspicious emails or the ones you were not expecting to get in the first place.

Continuously, ransomware infections are commonly distributed thru unprotected networks such as Torrents and The Pirate Bay. While downloading certain applications, movies, and TV series from these websites, you take risks of infecting your computer system with malware. We suggest staying away from third-party sources and downloading content only from primary distributors.

Get rid of the Obfuscated ransomware virus during a thorough system clean

The main tip we can give you when dealing with Obfuscated ransomware virus is to employ professional programs designed to terminate threats like this. Reputable anti-malware gives you the advantage because it can indicate possible risks and remove them from the computer once and for all. Eliminating the cyber threat on your own, you risk causing more damage to your system.

Remove Obfuscated virus using FortectIntego or SpyHunter 5Combo Cleaner and scanning the system entirely. This should take less than 15 minutes, and your device is safe to use again. Remember, wait until the process is finished and do not forget to refresh your entire computer system after the elimination just to ensure that the cyber threat has been taken care of properly.

Note that you need to perform Obfuscated ransomware removal before any data recovery attempts so that your computer is clear and safe. If you plug in the external device with your file backups on the infected system, ransomware encrypts your data once again. So, make sure that you accomplish your goals as required.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Obfuscated virus. Follow these steps

Manual removal using Safe Mode

To disable Obfuscated ransomware, reboot the system to the Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Obfuscated using System Restore

System Restore feature may help when you want to get rid of ransomware faster:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Obfuscated. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Obfuscated removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Obfuscated from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Obfuscated, you can use several methods to restore them:

Data Recovery Pro is a good alternative when you have no backups

You can use Data Recovery Pro for accidentally deleted files too

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Obfuscated ransomware;
  • Restore them.

Windows Previous Versions feature helps when Obfuscated ransomware encrypts your important data

Windows Previous Versions can only be helpful when System Restore is enabled

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer for the file recovery

If the ransomware virus left Shadow Volume Copies untouched, you could recover data using ShadowExplorer

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Obfuscated ransomware decryptor is available

If you got infected with this ransomware virus, don't be scared because it seems that it is decryptable. For that, contact virus researcher Michael Gillespie.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Obfuscated and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions