Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Bitmessage Ransomware and Restore .Bleep Encrypted Files

bitmessage-ransomware-main-sensorstechforumBleep, .1999, .0x0, .fu*k – these are the file extensions used by the nasty Bitmessage ransomware virus that encrypts the files on the computers it infects and asks 2,5 BTC to decrypt them. After encryption, the files become unable to be opened because they are encoded with a very powerful AES-256 encryption algorithm. Users who have been infected with the virus are strongly advised not to pay any ransom money and wait for a decrypter to be released. In the meantime, you should remove the ransomware using the instructions in this article, and you may try our alternative suggestions to restore your data.

Threat Summary

Name Bitmessage Virus
Type Ransomware
Short Description The ransomware encrypts files with the AES-256 cipher and asks a ransom for decryption.
Symptoms Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as several txt files.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Bitmessage Virus

Download

Malware Removal Tool

User Experience Join our forum to Discuss Bitmessage Ransomware.

Bitmessage Ransomware – How Is It Spread

To infect users, Bitmessage has been reported to use spam e-mail messages to distribute its payload. This can happen either via a Malicious URL or via a malicious e-mail attachment. Such can be featured in e-mails whose topics resemble services which are widely used, for example:

  • “Your FedEx Delivery.”
  • “Confirm your order.”
  • “Your receipt.”
  • “PayPal: Your Account Has Been Suspended”
  • “Your BestBuy order has been delivered.”

Such e-mails may either contain malicious links or attachments which can contain:

  • Malicious JavaScript.
  • ExploitKits.
  • Obfuscated executables.

Users are also strongly advised against clicking on e-mails, which resemble the following sample:

spam-email-sensorstechforum

Bitmessage Ransomware In Detail

Upon execution on the infected computer, Bitmessage may create a malicious file in one of the following Windows folders:

  • %AppData%
  • %Roaming%
  • %User’s Profile%
  • %Temp%
  • %Local%

After creating the malicious file, it may be executed and start scanning for the following files to encrypt them. The ransomware has been reported to look for files with the following file extensions to encrypt them:

→ .113 .1cd .3dm .3ds .3fr .3g2 .3gp .3pr .73b .7z .a3d .ab4 .abf .abk .ac2 .accdb .accde .accdr .accdt .acr .adb .aep .agd1 .ach .ai .ait .al .apj .apk .ark .arw .as4 .asf .asm .asp .asset .asvx .asx .ate .ati .avi .awg .azw .azw4 .b1 .bac .back .backup .backupdb .bak .bakx .bar .bay .bb .bc6 .bc7 .bck .bcm .bdb .bgt .big .bik .bin .bkf .bkp .blend .blob .bpw .bsa .c .cab .cas .cb7 .cbr .cbt .ccd .cdf .cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cdx .ce1 .ce2 .cer .cf .cfp .cfr .cgm .cib .cls .cmt .con .cpi .cpp .cpt .cr2 .craw .crt .crw .cs .csh .csl .css .csv .ctb .d3dbsp .dac .das .dat .data .db .db0 .db3 .dba .dbf .dc2 .dc3 .dcr .dcs .ddrw .dds .der .des .desc .design .dgb .dgc .dicom .divx .djvu .dmg .dmp .dng .doc .docm .docx .dot .dotm .dotx .drf .drw .dt .dta .dtaus .dtd .dwfx .dwg .dxb .dxf .dxg .edi .eml .emlx .epk .eps .epub .erbsql .erf .esm .exf .fb2 .fbf .fbk .fbw .fbx .fdb .ffd .fff .fh .fhd .fla .flac .flv .forge .fos .fpk .fpx .fsh .fxg .gbk .gdb .gho .gif .gpx .gray .grey .gros .gry .h .hbk .hkdb .hkx .hplg .hpp .htm .html .hvpl .hxi .hxq .hxr .hxs .hxw .chi .chm .chq .chw .ibank .ibd .ibz .icxs .idx .iff .img .inc .incpas .iso .itdb .itl .itm .iv2i .iwd .iwi .jar .java .jpe .jpeg .jpg .js .kc2 .kdb .kdbx .kdc .key .keystore .keystore .kf .kpdx .layout .lbf .ldf .lic .lit .litemod .lrf .ltx .lua .lvl .m .m2 .m2v .m3d .m3u .m4a .m4v .map .max .mcmeta .mdb .mdbackup .mdc .mddata .mdf .mds .mef .menu .mfw .mkv .mlx .mmw .mobi .model .moneywell .mos .mov .mp3 .mp4 .mpeg-1 .mpeg-2 .mpeg-4 .mpg .mpg .mpq .mpqge .mrw .mrwref .msg .myd .nbd .ncf .nd .ndd .nef .netcdf .nk2 .nop .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .ntl .nwb .nx1 .nx2 .nyf .oab .obj .odb .odc .odf .odg .odm .odp .ods .odt .orf .ost .otg .oth .otp .ots .ott .p12 .p7b .p7c .pab .pak .pas .pat .pcd .pct .pdb .pdb .pdd .pdf .pef .pem .pfx .php .pkpass .pl .png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .prproj .ps .psafe3 .psd .psk .pst .ptx .pub .pwm .py .pz3 .qba .qbb .qbm .qbo .qbr .qbw .qbx .qby .qdf .qfx .qic .qif .qt .qvw .s3db .sav .sb .sbs .sd0 .sd1 .sda .sdf .sdxf .shtm .shtml .sid .sidd .sidn .sie .sis .sldasm .sldm .sldprt .sldx .slm .sln .sn1 .sna .snx .spf .sql .sqlite .sqlite3 .sqlitedb .sr2 .srf .srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .sub .sum .suo .svg .swf .swm .sxc .sxd .sxg .sxi .sxm .sxw .t12 .t13 .tar .tax .tbl .tex .tga .tib .tis .tlg .trn .txt .upk .vcf .vdf .vfs0 .vob .vob .vpk .vpp_pc .vtf .w3x .wab .wallet .wav .wbb .wbcat .wdb .wif .wim .win .wma .wmo .wmv .wpd .wps .x3f .xar .xf .xla .xlam .xlk .xll .xlm .xlr .xls .xlsb .xlsk .xlsm .xlsx .xlt .xltm .xltx .xlw .xmi .xml .ycbcra .yuv .z .zip .ztmp

The encrypted files are unable to be opened, because their code is changed to an AES-256 enciphered one. This type of encryption is one of the strongest, and the only method to crack it quickly is to find a flaw in the virus itself.

The encrypted files have one of the following file extensions:

  • .bleep
  • .1999
  • .0x0
  • .fu*k

Encrypted files may look like this:

encrypted-files-bitmessage-sensorstechforum

After encryption, Bitmessage ransomware adds the following files:

  • FILESAREGONE.TXT – A ransom note with the demands by the cyber-criminals.
  • READTHISNOW !!!. TXT – A ransom note with instructions about paying the ransom.
  • IHAVEYOURSECRET.KEY – A file containing a private or a public AES key without which you cannot unlock your files.
  • Secret.key, Secret.key2 – other .key files.

The ransom note feature in the FILESAREGONE.TXT is the following:

→ “Hello.
All your files have been encrypted using our extremely strong private key. There is no way to recover them without our assistance. If you want to get your files back, you must be ready to pay for them. If you are broke and poor, sorry, we cannot help you. If you are ready to pay, then get in touch with files-are-gone-txt-sensorstechforum
us using a secure and anonymous p2p messenger. We have to use a messenger, because standard emails get blocked quickly and if our email gets blocked your files will be lost forever.
Go to http://bitmessage.org/, download and run Bitmessage. Click Your Identities tab > then click New > then click OK (this will generate your personal address, you need to do this just once). Then click Send tab.
TO: {Unique ID}
SUBJECT: name of your PC or your IP address or both.
MESSAGE: Hi, I am ready to pay.
Click Send button.
You are done.
To get the fastest reply from us with all further instructions, please keep your Bitmessage running on the computer at all times, if possible, or as often as you can, because Bitmessage is a bit slow and it takes time to send and get messages. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.”

The instructions in the READTHISNOW.txt file are the following:

→ “Hello.
All your files have been encrypted using our private key. There is no way to recover them without our assistance.
If you want to get your files back, you must be ready to pay for them. If you are ready to pay then follow the instructions: readthisnow-txt-sensorstechforum
1) Create an archive (rar or zip) with 3 files inside: Secret.key + Secret.key2 (should be on your desktop) + Any encrypted file of a small size. It can be a .doc or .pdf or .xls or whatever you have. 5 mb max. Note that this file should have this extention: .0x0; please don’t put more than one file in the archive, one file is enough. If you can’t find Secret.key2, that’s OK. It will take just a little bit more time to restore your files, so you shouldn’t worry.
2) Upload this archive to any file sharing site. Dropbox, Google Drive, sendspace.com etc.
3) Go to http://bitmessage.org/ and download Bitmessage.
4) Run Bitmessage. Select ‘Your Identities’ tab. Then click New. Then click OK. Then select ‘Send’ tab.
TO: BM-%address% (this is our address)
SUBJECT: your PC name (Start -> Control Panel -> System)
MESSAGE: Link to the archive with three files in it. Then click ‘Send’.
You are done!
To get the fastest reply from us with all further instructions, please keep Bitmessage running on your computer all the time, if possible. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.”

In addition to those, the ransomware may also modify the following registry key adding a setting for its malicious executable to run and encrypt files every time you boot Windows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Bitmessage ransomware may also delete the shadow copies of the infected computer, eliminating the file history if it is enabled. This is done by executing the following command:

→ vssadmin delete shadows /for={The targeted volume} /all

Not only this but unlike other ransomware viruses, this one uses a very particular contact service which includes messaging service, called Bitmessage which most likely uses encrypted communications. This Is a relatively new and interesting approach by cyber-criminals, and the number of viruses that have it has increased.

Remove Bitmessage Ransomware and Restore the Encrypted Files

To fully erase Bitmessage Ransomware from your computer, be sure to follow the step-by-step instructions below. They will help to deal effectively with the threat. If you are having issues removing this virus manually, we advise to automatically scan for and delete all its associated objects with an advanced anti-malware tool.

In addition to that, to try and restore your files, we have provided alternative solutions in step “3.Restore files encrypted by Bitmessage Virus” below. They may not be 100 percent effective, and you will most likely restore a small portion of your files, but it is a good alternative for until a decryptor is released. Make sure to follow this article for further updates about direct file decryption.

Manually delete Bitmessage Virus from your computer

Note! Substantial notification about the Bitmessage Virus threat: Manual removal of Bitmessage Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Bitmessage Virus files and objects
2.Find malicious files created by Bitmessage Virus on your PC
3.Fix registry entries created by Bitmessage Virus on your PC

Automatically remove Bitmessage Virus by downloading an advanced anti-malware program

1. Remove Bitmessage Virus with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Bitmessage Virus in the future
3. Restore files encrypted by Bitmessage Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • I think e-mails are the most common way for the Ransomwares to spread my system was hit by Petya Ransomware and I am sure that it came through an e-mail. So, is there any software that can detect a malicious e-mail.

    • Hello Sneha,

      You can use spam blocking software and spam filters. Spam filters are designed to identify and detect spam, and prevent it from reaching your inbox. Make sure to add a spam filter to your email. Gmail users can refer to Google’s support page.

      You can also consider installing an anti-ransomware tool: http://sensorstechforum.com/the-most-popular-free-anti-ransomware-tools/

      • Hello,
        Thanks for your help. It was useful to me.

        • shailesh

          hey pls give me strong solution

  • shailesh

    hi
    i want to encrypted photo recover raas Encrypted Files recover pls help me

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.