
.obfuscated Files Virus – How to Remove It


This blog post has been created with the main purpose of explaining what the .obfuscated files ransomware is and showing how to remove it from your computer effectively.

A new ransomware virus that appends the .obfuscated file extension to the files it encrypts has been detected by security researchers. The virus aims to encrypt the files on the computers it attacks and then add the .obfuscated file extension to them. The ransomware also drops a ransom note aiming to extort victims into paying a ransom in order to get their files working once again. If your computer has been infected by the .obfuscated ransomware, we would suggest that you read the article below thoroughly.

Threat Summary

Name: BigBobRoss
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on the compromised computer and then asks victims to pay a ransom in order to get them restored.
Symptoms: Files have the .obfuscated file extension added to them.
Distribution Method: Spam e-mails, e-mail attachments, executable files
Detection Tool: See If Your System Has Been Affected by BigBobRoss (download the Malware Removal Tool)
User Experience: Join Our Forum to Discuss BigBobRoss.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.obfuscated Files Virus – Update March 2019

A decryption tool for the .obfuscated Files Virus was released by Emsisoft, which you can download from the link provided here: Emsisoft Decrypter for BigBobRoss. You will need a ransom note from this ransomware in order to use the decrypter.

.obfuscated Files Virus – Distribution Methods

The primary method of distribution used by this ransomware has been reported to be software bundling and spam e-mails, which target potential victims and infect them via the e-mail attachments, like the example image below shows.

In addition to e-mail, another distribution method is the ransomware being downloaded directly by the victim from a free-software website. Such malware often poses as different executables, like cracks, key generators, license activators and other forms of installers that users may be looking to download and run. The programs most in demand are usually game and software cracks, patches and portable versions of programs.

.obfuscated Ransomware – Analysis

As its name suggests, the ransomware uses obfuscation techniques in order to hide the infection from antivirus and other protection software. The outcome of this is that the .obfuscated ransomware may conduct its activities in a concealed manner.

The first activity of this malware strain is to copy itself onto the victim’s computer. This may happen by either extracting or downloading the virus files onto the victim’s PC. The files may exist under different file names and are generally located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once this is done, the ransomware may display its ransom note file on the victims’ computers, which is called Read Me.txt and has the following message:

Hello, dear friend!
=================================================
1- [All your files have been ENCRYPTED!]

Your files are NOT damaged! Your files are modified only.
The only way to decrypt your files is to receive the decryption program.
your files can not be decrypted without the special program we made it for your computer.

=================================================
2- [ HOW TO RETURN FILES? ]

To receive the decryption program Write to our email “BigBobRoss@computer4u.com”
and tell us your unique ID

=================================================
3- [ FREE DECRYPTION! ]

Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us 1 file that must be less than 1MB and we decrypt it for free.
File should not be important to you! databases, backups, large excel sheets, etc.

=================================================
4- [ Instruction ]

the easiest way to buy bitcoins is LocalBitcoins site. you have to register, click “buy bitcoins”
and select the seller by payment method and price.

https://localbitcoins.com/buy_bitcoins

=================================================
CAUTION!
please do not change the name of files or file extension if your files are important to you!
Your unique ID : [redacted 8 uppercase hex]

In addition to this, the .obfuscated files virus may also modify the Windows Registry, adding entries under the Run and RunOnce keys with data that sets the malicious file or files of this virus to run automatically on Windows boot. The sub-keys have the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In addition to this, the ransomware virus may also delete the shadow volume copies of the infected machine, with the main purpose of minimizing the victims’ chances of restoring their files via Windows Backup and Recovery. The commands could be among the ones listed below:

sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
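The command list above is exactly what a detection rule should key on: shadow-copy deletion, recovery being switched off in the boot configuration and security services being stopped. The following is an added example (not code from the page or from any vendor) that runs such rules over a constructed batch of process-creation events; the log field names, the dropper path and the file name "updater.exe" are assumptions made for the sample.

```python
import re

# Constructed sample of process-creation events (parent image + command line),
# shaped like the telemetry an EDR or Sysmon Event ID 1 would give you.
# The dropper path and file name are made up for the example.
SAMPLE_LOG = [
    'ParentImage=C:\\Users\\victim\\AppData\\Roaming\\updater.exe CommandLine="C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet',
    'ParentImage=C:\\Users\\victim\\AppData\\Roaming\\updater.exe CommandLine=cmd.exe /C bcdedit /set {default} recoveryenabled No',
    'ParentImage=C:\\Users\\victim\\AppData\\Roaming\\updater.exe CommandLine=sc stop WinDefend',
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="C:\\Windows\\notepad.exe" C:\\Users\\victim\\notes.txt',
    'ParentImage=C:\\Windows\\System32\\services.exe CommandLine=sc query WinDefend',
]

# One pattern per anti-recovery behaviour seen in the command list above.
# Case-insensitive and tolerant of quoting, ".exe" suffixes and extra spaces.
# "vss" is the real Volume Shadow Copy service name (the page prints "VVS").
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bootstatus_ignored": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "defence_service_stopped": re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:windefend|wscsvc|wuauserv|bits|vss|wersvc|ersvc)\b", re.I),
}


def classify(cmdline):
    """Return the names of all rules that match one command line (empty if clean)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def assess(lines):
    """Run every rule over a log excerpt and summarise what fired on which line.

    Two or more distinct anti-recovery behaviours in one excerpt is a strong
    pre-encryption signal: isolate the host before the encryption loop finishes.
    """
    fired = {}
    for line_no, line in enumerate(lines, 1):
        for name in classify(line):
            fired.setdefault(name, []).append(line_no)
    if len(fired) >= 2:
        verdict = "ransomware-like"
    elif fired:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"fired": fired, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

A single "sc stop" on its own is only "suspicious" because administrators legitimately stop services; the combination with shadow-copy or boot-recovery tampering is what makes the verdict firm.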

.obfuscated Ransomware – Encryption Process

In order to encrypt the files on victims’ PCs, the .obfuscated files virus may scan the computers of users. The scan skips important Windows and system directories and may encrypt files of the following types:

  • Documents.
  • Videos.
  • Images.
  • Audio files.
  • Archive files.
  • Template files.
  • Virtual Drive files.

As soon as the files targeted by this ransomware virus are encrypted, the .obfuscated file extension is added to them and they may start to appear like the example shown below:
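Before running any decrypter, a responder usually wants to know how many files carry the .obfuscated extension, which original file types were hit, and where the Read Me.txt note with the unique ID (the value the decrypter mentioned above asks for) is. The following added example, which is not code from the page or from Emsisoft, walks a directory tree and answers those questions; the sample tree, its file names and the ID value 0123ABCD are constructed for the demonstration.

```python
import os
import re
import tempfile

NOTE_NAME = "Read Me.txt"          # ransom note file name quoted in the article
ENCRYPTED_EXT = ".obfuscated"      # extension appended to encrypted files
# The note shows the ID as 8 uppercase hex characters after "Your unique ID :".
ID_RX = re.compile(r"Your unique ID\s*:\s*([0-9A-F]{8})", re.I)
MAIL_RX = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_note(text):
    """Extract the victim ID and the attacker contact address from a note body."""
    id_match = ID_RX.search(text)
    mail_match = MAIL_RX.search(text)
    return {"unique_id": id_match.group(1) if id_match else None,
            "contact": mail_match.group(0) if mail_match else None}


def triage(root):
    """Count encrypted files, record their original extensions and parse every note."""
    result = {"encrypted": 0, "original_exts": set(), "notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result["notes"].append({"path": path, **parse_note(fh.read())})
            elif name.lower().endswith(ENCRYPTED_EXT):
                result["encrypted"] += 1
                # The original extension sits right under the appended .obfuscated.
                original = os.path.splitext(name[:-len(ENCRYPTED_EXT)])[1]
                result["original_exts"].add(original.lower())
    return result


def build_sample_tree():
    """Constructed sample tree: two encrypted documents, a note and one untouched file."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.obfuscated", "thesis.docx.obfuscated", "readme.md"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Hello, dear friend!\nWrite to our email BigBobRoss@computer4u.com\n"
                 "Your unique ID : 0123ABCD\n")  # constructed ID, not a real victim value
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```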

Remove .obfuscated Files Virus and Try Restoring Files

If you wish to remove the .obfuscated file ransomware from your computer, we would recommend that you follow the instructions underneath this article. They have been created with the main idea of helping you delete this ransomware the way you prefer. If manual removal does not seem to work, experts strongly advise you to automatically remove all of the .obfuscated virus files on your computer by using an anti-malware program. This software will scan for malware and make sure that all of the malicious files are gone and that your computer stays protected against future infections as well.

If you are trying to restore .obfuscated files, you should know that at this point there is no direct solution, but you can try the alternative methods for file restoration we have listed in the accordion below. They have been created to help restore as many of the files encrypted by this ransomware as possible.

Ventsislav Krastev