The B2dr virus is a newly discovered ransomware that appears to be an original invention and not based on any of the known malware families. It targets sensitive user data, encrypts it with the .b2dr extension and extorts the victims for a ransom restore fee.
|Short Description||B2DR virus is a typical ransomware that follows the classic infection behavior pattern by encrypting target files with the .b2dr extension.|
|Symptoms||Computer users will be unable to access their data which is encrypted with the .b2dr extension.|
|Distribution Method||Spam Emails, File Sharing Networks, Exploit Kits|
|Detection Tool|| See If Your System Has Been Affected by B2DR |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss B2DR.|
B2DR Virus – Infection Spread
The B2DR virus is a newly devised that at the moment is being delivered using different mechasnisms. The attack campaigns are still ongoing and at the moment the researchers are unable to judge which is the primary method. It is likely that the most popular strategies are employed.
Email spam messages are among the most preferred payload delivery mechanisms. Almost all of them utilize some sort of social engineering tricks that attempt to coerce the users into infecting themselves with virus. A common tactic is to insert a malware hyperlink into the body contents posing as a legitimate site. The hackers behind the B2DR virus distribution tytpically take contents from famous sites (text and graphics) which is placed in the messages. The other option is to attempt to infect the victims by attaching the samples directly to the messages. Two other ways are the following:
- Malware Documents — The criminals can embed the virus files into documents of various types: spreadsheets, rich text documents and presentations. Once they are opened a notification prompt appears which asks the victims to execute the built-in scripts. If this is done the infection is downloaded from a hacker-controlled site.
- Software Installers — The B2DR virus can be bundled into setup files taken from their official vendors. Usually the criminals target popular apps and games which are then distributed using different methods.
The criminals can also opt to use browser hijackers. They represent malware plugins that are made for the most popular web browsers: Google Chrome, Internet Explorer, Safari, Microsoft Edge and Opera. They are frequently distributed on the relevant browser repositories and use fake developer credentials and user reviews to manipulate the victims into installing them. Once placed on the computers they often redirect the victims to a hacker-controlled page by modifying default settings (new tabs page, home page and search engine).
Using various web scripts the B2DR virus can also be loaded via all manners of pop-ups, banners and etc.
B2DR Virus – Technical Data
The security analysis of the B2DR virus shows that it is not a descendant or a customized version of any of the famous malware families. This means that it is very likely that it has been made by its creator(s) — an individual hacker or a criminal collective.
The malware engine seems to follow a basic behavior pattern. Future versions of it can implement various changes to enhance the threat’s severity. An example component would to be add a stealth protection module. It would launch itself right after the virus has compromised the system and scan it for any applications that can interfere with its correct execution (anti-virus programs, sandbox/debug environments and virtual machine hosts). Their real-time engines can be entirely removed or bypassed.
A next step would be to deploy a data harvesting component. The relevant tool is programmed to search for strings that can directly expose the users identity. The personal data usually consists of information about the victims name, address, interests, geolocation and passwords. In addition supplementary anonymous metrics are also collected. They are mostly related to the operating system, installed applications, certain configuration settings and the available hardware components. The collected information can be used to generate an unique victim ID that is associated with every infected machine.
The criminals can also opt to allow for the creation of a network connection to a server they own. In these cases they can cause further damage to the victims by using the B2DR virus as a secondary payload mechanism and deliver additional malware. A permanent connection with the hacker-controlled servers can be similar to Trojan viruses. The controllers can оvertake control of the machines at any given time and spy on the victims.
Various system changes can make it harder or even impossible for the users to restore their computers using manual methods. This is caused by the modification of essential operating system components such as the Windows Registry and the boot options. As a consequence the victims will be unable to boot up the recovery startup menu and may face serious application startup or overall performance issues.
B2DR Virus – Encryption Process
Once all malware components have completed execution the ransomware engine is started. Like the majority of other ransomware it uses a built-list of target file type extensions that are processed with a strong cipher. Examples include the following:
Once processed all files receive an extension that ends with .b2dr. It appears that the malware follows a template-based engine that assigns file names based on the following template: [hacker contact email address].[malware extension]. The samples collected so far are known to assign the following extension: @protonmail.com.b2dr.
A ransom note (in a file called readme.txt) is created in order to extort the victims. The document contains the following message:
All your files are encrypted.
Ask how to restore your files by email firstname.lastname@example.org
Use only gmail.com, yahoo.com, protonmail.com.
Messages written from other mail services we can not get.
!!!With any changes to the encrypted files, do not forget to backup files!!!
Your ID: ***
Remove B2DR Virus and Restore Your Files
If your computer got compromised and is infected with the B2DR ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.