Buddy Ransomware Removal and Decryption Options - How to, Technology and PC Security Forum | SensorsTechForum.com

Buddy Ransomware Removal and Decryption Options

The infection rates of Trojan.Ransomcrypt.X have increased once again. Because of the text displayed on the ransom message (‘Hi Buddy!’), the file-encrypting threat is also known as Buddy ransomware. Thus, in this article we will refer to the threat as Buddy ransomware.

NameBuddy Ransomware
TypeRansomware, Trojan
Short DescriptionThe ransomware encrypts specific files and demands a ransom in BitCoins.
SymptomsFiles with certain extension are encrypted and a ransom message is displayed.
Distribution MethodSpam Emails, Email Attachments, Suspicious Sites
Detection toolDownload Malware Removal Tool, to See If Your System Has Been Affected by Buddy Ransomware
User ExperienceJoin our forum to follow the discussion about Buddy Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

We have seen Buddy ransomware be active in the beginning of January 2016, almost a month ago. Unfortunately, reports by users indicate that the ransomware is again attacking users and demanding more money than before. In January, Buddy ransomware was asking for approximately 0.32 BitCoins which equals around $130. Now, the ransomware authors are demanding 0.77756467 BitCoins which is close to $290. In terms of technical specifications, Buddy ransomware hasn’t changed a lot. Continue reading to learn more about the threat.

Buddy Ransomware Distribution Techniques

Buddy Ransomware, or Trojan.Ransomcrypt.X, is classified as a ransomware Trojan. This means that the threat is most likely downloaded to a computer alongside another program. One way you could have gotten Buddy ransomware is via freeware downloads, p2p communities, torrents.

Another distribution method typically employed by ransomware authors is spam. Spam campaigns often distribute malware. That being said, Buddy ransomware may have arrived to your computer in a malicious email attachment. Keep in mind that malicious code can be hidden within the email body and may not require opening the attachment. That is why employing anti-spam techniques is crucial to your online security.

Learn how to protect your computer from aggressive spam campaigns

Buddy Ransomware Technical Description

Needless to say, once Buddy ransomware is in the system, a file encryption process will be initiated. Nonetheless, the threat will first make sure to spread copies of its readme file with the ransom note inside. Then, the ransomware will modify a registry entry so that it loads with every reboot of Windows:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”Microsoft”

Other registry entries will also be altered, so that Windows Task Manager cannot be started:

→HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\”Shell”

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableTaskMgr” = “1”

In addition, Buddy ransomware also keeps track of the Windows Task Manager and its associated process and makes sure it is shut down.

In terms of encryption, Buddy ransomware is known to locate and encrypt files with the following extensions:

.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .js, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml

Once the files are encrypted, Buddy ransomware displays the ransom note and blocks the victim’s screen. Here is what the ransom note looks like:

buddy-ransomware-stforum

Buddy Ransomware Removal and File Restoration Options

There are two ways to try and restore your files:

  • Backups

The easiest and most efficient way to restore your files encrypted by ransomware is Backups. Once you have removed all ransomware traces, you can use your backups to bring back your data.

  • Shadow Volume Copies

Currently, there is no information if Buddy ransomware deletes Shadow Volume Copies from system. Once you have removed the threat completely, have a look at the 5th section of the instructions below the article.

Before you try anything, you should clean your system from all files associated with Buddy ransomware. The best way to do that is via anti-malware software.

1. Boot Your PC In Safe Mode to isolate and remove Buddy Ransomware
2. Remove Buddy Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Buddy Ransomware in the future
4. Restore files encrypted by Buddy Ransomware
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Buddy Ransomware threat: Manual removal of Buddy Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.