Emsisoft releases a free decrypter for BigBobRoss Ransomware

  • March 10, 2019
  • 2 min read
Emsisoft releases a free decrypter for BigBobRoss Ransomware

Our research team has uncovered a new ransomware campaign we nicknamed BigBobRoss that seems to target Comcast Business users. Fortunately, our security experts were able to identify a flaw within the ransomware’s code that can be used to decrypt encrypted files without paying the ransom.

Update: The BigBobRoss decrypter has been updated for the extension ‘.encryptedALL’

Emsisoft BigBobRoss Decrypter

Do not pay the ransom!

Technical details

BigBobRoss is a ransomware written in C++ using QT. It uses AES-128 ECB to encrypt files, and adds the extension “.obfuscated”. Some variants also prepend the victim ID to the filename. The ransom note “Read Me.txt” asks the victim to contact “[email protected]”.

The ransom note contains the following text:

Hello, dear friend!
=================================================
1-   [All your files have been ENCRYPTED!]
Your files are NOT damaged! Your files are modified only.
The only way to decrypt your files is to receive the decryption program.
your files can not be decrypted without the special program we made it for your computer.
=================================================
2-  [ HOW TO RETURN FILES? ]
To receive the decryption program Write to our email “[email protected]
and tell us your unique ID
=================================================
3-  [ FREE DECRYPTION! ]
Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us 1 file that must be less than 1MB and we decrypt it for free.
File should not be important to you! databases, backups, large excel sheets, etc.
=================================================
4-  [ Instruction ]
the easiest way to buy bitcoins is LocalBitcoins site. you have to register, click “buy bitcoins”
and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
=================================================
CAUTION!
please do not change the name of files or file extension if your files are important to you!
Your unique ID : [ID]

To use the decrypter, you will require one of the ransom notes left by the malware.

How to use the Emsisoft BigBobRoss Decrypter

  1. Download the Emsisoft BigBobRoss Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer. (Brute Force decryption is not required for this ransomware).
  4. Click “Start” to decrypt your files. Note that this may take a while.
  5. Finished!

 

 

Emsi

Emsi

Emsisoft founder and managing director. In 1998 when I was 16, a so called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story

What to read next

Reader Comments