The B4WQ virus is ransomware that is descendant from the earlier B2DR threat. Like its parent it uses a modular engine that seeks to encrypt sensitive personal files. Our article explores the technical aspect of the infections and shows how victims can remove active infections.
|Short Description||The ransomware encrypts sensitive information on your computer system with the .B4WQ extensions and demands a ransom to be paid to allegedly recover them.|
|Symptoms||The ransomware will encrypt your files with a strong encryption algorithm.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by B4WQ |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss B4WQ.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
B4WQ Virus – Distribution Ways
The B4WQ virus is a newly reported ransomware that is being distributed in a small attack campaign. Due to the limited reports the analyst cannot trace down the preferred method of distribution, consequently all of the popular ones can be used.
The criminals can use email SPAM messages that rely on social engineering tricks that manipulate the recipients into interacting with the malicious content. The B4WQ virus can be either directly attached to the messages or hyperlinked in the body contents. They are also the main delivery method for distributing payload carriers. Two of the most popular types are the following:
- Infected Documents — The B4WQ virus code can be embedded in files of various types: text files, spreadsheets or presentations. The mechanism depends on a script execution which triggers a payload download command. Once the relevant files are opened by the victims a notification prompt appears which asks them to enable the built-in macros. When this is done the B4WQ virus infection begins.
- Software Installers — The hackers typically take application installers of famous software that are modified with the B4WQ virus code. Usually popular products are chosen — productivity and office apps, creativity suites, system utilities and etc.
The payloads can also be uploaded to hacker-controlled sites that are modeled to look like legitimate portals. The victims may also experience malicious scripts that can trigger the infections: banners, pop-ups, redirects and in-content links. In certain cases such infections can be found on legitimate sites as well through various affiliate or advertising networks.
If the B4WQ virus operators want to pursue a large-scale distribution then they can also use browser hijackers. They represent dangerous web browser plugins that are usually distributed on the relevant repositories. The hackers behind the threat usually make them compatible with the most popular web browsers: Mozilla Firefox, Safari, Google Chrome, Internet Explorer, Safari, Opera and Microsoft Edge. They are advertised with ads and descriptions that market it as an useful addition. Usually fake developer credentials and user reviews are used to coerce the users into interacting it. Once the browser hijacker is placed on the infected host it changes the default browser settings, this is done in order to redirect the victims to a hacker-controlled site. It then installs tracking cookies and other threats that can reveal sensitive information about the victims.
B4WQ Virus – In-Depth Analysis
The B4WQ virus is a direct descendant of the B2DR ransomware family. The security experts have discovered code snippets from the former ransomware which leads us to believe that it is very possible that the same culprits are behind these infections as well. Further modifications to its code can be made in future versions and upcoming offspring.
At the moment the initial security analysis is being conducted and all details are not known. A limiting factor is the small number of captured samples, they do not allow the researchers to register whether all currently released versions have the same mechanism of action. It is believed that the current versions may be test releases that simply test out the ransomware engine.
The infection can begin with a data harvesting component. It can be used to hijack sensitive information about the victims and their computers. The harvested information can be classified into two main groups:
- Personal Data — The virus can be used to hijack sensitive information revealing the victim’s identity. The criminals can expose them by identifying strings related to the user’s name, address, telephone number, location, passwords and account credentials.
- Campaign Metrics — The B4WQ virus can also be instructed to search for specific strings taken from the operating system. It also generates a profile of all installed hardware components.
The collected information can then be used by another component to achieve stealth protection from applications that can interfere with its correct execution. This includes the likes of anti-virus products, virtual machine hosts and sandbox environments.
Following the B4WQ virus execution it can be configured to conduct various changes to the Windows Registry. When operating system related entries are modified it overall performance may suffer. If user-installed applications are affected certain functions or features may be disabled.
The B4WQ virus can also be installed as a persistent threat. This means that it will reconfigure the host system in the prescribed way — the malicious engine will start every time the computer boots. It also removes the possibility for the users to enter into the boot recovery menu .
If a Trojan module is implemented it connects to a hacker-controlled server. It allows the hackers to spy on the victims in real time, harvest the collected information and take over control of their machines at any given time. This can be used to deploy additional malware to the victim computers as well.
B4WQ Virus -Encryption
Following the execution of all modules that are part of the B4WQ virus the ransomware part is started. Like its parent ransomware it uses a built-in list of target file type extensions. The most popular file types are affected, such as the following:
The victim data is then renamed with the [email protected] which uses the well-known tactic of using the hacker’s contact email address before the virus’s extension. The typical tactic of producing a ransom note in a text message is retained. It is called Readme.txt and uses the same blackmail tactics as other famous ransomware. It tries to convince the users into paying the criminal operators money, usually in the form of cryptocurrency payments. They give out the hacker-controlled email address ([email protected]).
Remove B4WQ Virus and Restore .B4WQ Files
If your computer system got infected with the B4WQ ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.