The infection rates of Trojan.Ransomcrypt.X have increased once again. Because of the text displayed on the ransom message (‘Hi Buddy!’), the file-encrypting threat is also known as Buddy ransomware. Thus, in this article we will refer to the threat as Buddy ransomware.
| Threat Summary | |
|---|---|
| Short Description | The ransomware encrypts specific files and demands a ransom in BitCoins. |
| Symptoms | Files with certain extensions are encrypted and a ransom message is displayed. |
| Distribution Method | Spam emails, email attachments, suspicious sites |
We saw Buddy ransomware become active at the beginning of January 2016, almost a month ago. Unfortunately, user reports indicate that the ransomware is attacking users again and demanding more money than before. In January, Buddy ransomware was asking for approximately 0.32 BitCoins, which equals around $130. Now, the ransomware authors are demanding 0.77756467 BitCoins, which is close to $290. In terms of technical specifications, Buddy ransomware hasn’t changed a lot. Continue reading to learn more about the threat.
Buddy Ransomware Distribution Techniques
Buddy Ransomware, or Trojan.Ransomcrypt.X, is classified as a ransomware Trojan. This means that the threat is most likely downloaded to a computer alongside another program. One way you could have gotten Buddy ransomware is via freeware downloads, p2p communities, or torrents.
Another distribution method typically employed by ransomware authors is spam. Spam campaigns often distribute malware, so Buddy ransomware may have arrived on your computer in a malicious email attachment. Keep in mind that malicious code can also be hidden within the email body itself and may not require opening the attachment. That is why employing anti-spam techniques is crucial to your online security.
Buddy Ransomware Technical Description
Needless to say, once Buddy ransomware is in the system, a file encryption process will be initiated. Nonetheless, the threat will first make sure to spread copies of its readme file with the ransom note inside. Then, the ransomware will modify a registry entry so that it loads with every reboot of Windows:
Other registry entries will also be altered so that Windows Task Manager cannot be started:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
In addition, Buddy ransomware keeps watching for the Windows Task Manager process and terminates it whenever it is started.
In terms of encryption, Buddy ransomware is known to locate and encrypt files with the following extensions:
.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .js, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
Once the files are encrypted, Buddy ransomware displays the ransom note and blocks the victim’s screen. Here is what the ransom note looks like:
Buddy Ransomware Removal and File Restoration Options
There are two ways to try and restore your files:
- Backups
The easiest and most efficient way to restore files encrypted by ransomware is from backups. Once you have removed all ransomware traces, you can use your backups to bring back your data.
- Shadow Volume Copies
Currently, there is no information on whether Buddy ransomware deletes Shadow Volume Copies from the system. Once you have removed the threat completely, have a look at the 5th section of the instructions below the article.
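As an added triage example (not from the article or from any removal tool), the following PowerShell script checks a machine for the three things described above: the DisableTaskMgr policy value Buddy ransomware sets, the autorun entry it creates for persistence, and whether Shadow Volume Copies are still present. It assumes the persistence entry lives in one of the standard Run keys (the article does not name the exact key) and that the script is run from an administrative session so the shadow copy query succeeds.

```powershell
# Added example, not the article's own code. Triage for the Buddy ransomware
# behaviours described above; run as administrator for the shadow copy check.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Task Manager lockout: the article names this exact value.
$policy = Get-ItemProperty -Path $policyKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -eq 1) {
    Write-Warning "DisableTaskMgr = 1 under $policyKey (Task Manager is blocked)"
    # Remediation belongs AFTER the malware itself is removed, otherwise the
    # running sample simply re-creates the value:
    #   Remove-ItemProperty -Path $policyKey -Name 'DisableTaskMgr'
} else {
    Write-Output 'DisableTaskMgr is not set'
}

# 2. Persistence: list every value in the standard Run keys for manual review.
#    ASSUMPTION: the article only says "a registry entry so that it loads with
#    every reboot"; the Run keys are the usual place to look, not a confirmed IoC.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ('{0} : {1} = {2}' -f $key, $_.Name, $_.Value) }
}

# 3. Shadow Volume Copies: the article does not say whether Buddy deletes them,
#    so report what is still available before attempting any restoration.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Output ('Shadow copies present: {0}' -f $shadows.Count)
$shadows | ForEach-Object { Write-Output ('  {0}  created {1}' -f $_.ID, $_.InstallDate) }
```

Review the Run key listing by hand; the script only reports entries, it does not decide which one belongs to the ransomware.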
Before you try anything, you should clean your system from all files associated with Buddy ransomware. The best way to do that is via anti-malware software.