Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Note! Your computer might be affected by B4WQ and other threats.
Threats such as B4WQ may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files. SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
The B4WQ virus is ransomware that is descendant from the earlier B2DR threat. Like its parent it uses a modular engine that seeks to encrypt sensitive personal files. Our article explores the technical aspect of the infections and shows how victims can remove active infections.
Threat Summary
Name
B4WQ
Type
Ransomware, Cryptovirus
Short Description
The ransomware encrypts sensitive information on your computer system with the .B4WQ extensions and demands a ransom to be paid to allegedly recover them.
Symptoms
The ransomware will encrypt your files with a strong encryption algorithm.
Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.
B4WQ Virus – Distribution Ways
The B4WQ virus is a newly reported ransomware that is being distributed in a small attack campaign. Due to the limited reports the analyst cannot trace down the preferred method of distribution, consequently all of the popular ones can be used.
The criminals can use email SPAM messages that rely on social engineering tricks that manipulate the recipients into interacting with the malicious content. The B4WQ virus can be either directly attached to the messages or hyperlinked in the body contents. They are also the main delivery method for distributing payload carriers. Two of the most popular types are the following:
Infected Documents — The B4WQ virus code can be embedded in files of various types: text files, spreadsheets or presentations. The mechanism depends on a script execution which triggers a payload download command. Once the relevant files are opened by the victims a notification prompt appears which asks them to enable the built-in macros. When this is done the B4WQ virus infection begins.
Software Installers — The hackers typically take application installers of famous software that are modified with the B4WQ virus code. Usually popular products are chosen — productivity and office apps, creativity suites, system utilities and etc.
The payloads can also be uploaded to hacker-controlled sites that are modeled to look like legitimate portals. The victims may also experience malicious scripts that can trigger the infections: banners, pop-ups, redirects and in-content links. In certain cases such infections can be found on legitimate sites as well through various affiliate or advertising networks.
If the B4WQ virus operators want to pursue a large-scale distribution then they can also use browser hijackers. They represent dangerous web browser plugins that are usually distributed on the relevant repositories. The hackers behind the threat usually make them compatible with the most popular web browsers: Mozilla Firefox, Safari, Google Chrome, Internet Explorer, Safari, Opera and Microsoft Edge. They are advertised with ads and descriptions that market it as an useful addition. Usually fake developer credentials and user reviews are used to coerce the users into interacting it. Once the browser hijacker is placed on the infected host it changes the default browser settings, this is done in order to redirect the victims to a hacker-controlled site. It then installs tracking cookies and other threats that can reveal sensitive information about the victims.
B4WQ Virus – In-Depth Analysis
The B4WQ virus is a direct descendant of the B2DR ransomware family. The security experts have discovered code snippets from the former ransomware which leads us to believe that it is very possible that the same culprits are behind these infections as well. Further modifications to its code can be made in future versions and upcoming offspring.
At the moment the initial security analysis is being conducted and all details are not known. A limiting factor is the small number of captured samples, they do not allow the researchers to register whether all currently released versions have the same mechanism of action. It is believed that the current versions may be test releases that simply test out the ransomware engine.
The infection can begin with a data harvesting component. It can be used to hijack sensitive information about the victims and their computers. The harvested information can be classified into two main groups:
Personal Data — The virus can be used to hijack sensitive information revealing the victim’s identity. The criminals can expose them by identifying strings related to the user’s name, address, telephone number, location, passwords and account credentials.
Campaign Metrics — The B4WQ virus can also be instructed to search for specific strings taken from the operating system. It also generates a profile of all installed hardware components.
The collected information can then be used by another component to achieve stealth protection from applications that can interfere with its correct execution. This includes the likes of anti-virus products, virtual machine hosts and sandbox environments.
Following the B4WQ virus execution it can be configured to conduct various changes to the Windows Registry. When operating system related entries are modified it overall performance may suffer. If user-installed applications are affected certain functions or features may be disabled.
The B4WQ virus can also be installed as a persistent threat. This means that it will reconfigure the host system in the prescribed way — the malicious engine will start every time the computer boots. It also removes the possibility for the users to enter into the boot recovery menu .
If a Trojan module is implemented it connects to a hacker-controlled server. It allows the hackers to spy on the victims in real time, harvest the collected information and take over control of their machines at any given time. This can be used to deploy additional malware to the victim computers as well.
B4WQ Virus -Encryption
Following the execution of all modules that are part of the B4WQ virus the ransomware part is started. Like its parent ransomware it uses a built-in list of target file type extensions. The most popular file types are affected, such as the following:
Archives
Documents
Backups
Images
Music
Videos
The victim data is then renamed with the [email protected] which uses the well-known tactic of using the hacker’s contact email address before the virus’s extension. The typical tactic of producing a ransom note in a text message is retained. It is called Readme.txt and uses the same blackmail tactics as other famous ransomware. It tries to convince the users into paying the criminal operators money, usually in the form of cryptocurrency payments. They give out the hacker-controlled email address ([email protected]).
Remove B4WQ Virus and Restore .B4WQ Files
If your computer system got infected with the B4WQ ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.
Note! Your computer system may be affected by B4WQ and other threats. Scan Your PC with SpyHunter SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as B4WQ. Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
To remove B4WQ follow these steps:
1. Boot Your PC In Safe Mode to isolate and remove B4WQ files and objects
OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your PC with SpyHunter
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria
Boot Your PC Into Safe Mode
1. For Windows XP, Vista and 7. 2. For Windows 8, 8.1 and 10. Fix registry entries created by malware and PUPs on your PC.
For Windows XP, Vista and 7 systems:
1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu. 2. Select one of the two options provided below:
– For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.
– For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.
3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.
4. Log on to your computer using your administrator account
While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.
Step 1: Open up the Start Menu.
Step 2: Click on the Power button (for Windows 8 it is the little arrow next to the “Shut Down” button) and whilst holding down “Shift” click on Restart.
Step 3: After reboot, a blue menu with options will appear. From them you should choose Troubleshoot.
Step 4: You will see the Troubleshoot menu. From this menu choose Advanced Options.
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Step 6: From the Startup Settings menu, click on Restart.
Step 7: A menu will appear upon reboot. You can choose any of the three Safe Mode options by pressing its corresponding number and the machine will restart.
Some malicious scripts may modify the registry entries on your computer to change different settings. This is why cleaning your Windows Registry Database is recommended. Since the tutorial on how to do this is a bit long and tampering with registries could damage your computer if not done properly you should refer and follow our instructive article about fixing registry entries, especially if you are unexperienced in that area.
2. Find files created by B4WQ on your PC
Find files created by B4WQ
1. For Windows 8, 8.1 and 10. 2. For Windows XP, Vista, and 7.
For Newer Windows Operating Systems
Step 1:
On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
Step 2:
Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
Step 3:
Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navination box to fill up in case the PC is looking for the file and hasn’t found it yet.
For Older Windows Operating Systems
In older Windows OS’s the conventional approach should be the effective one:
Step 1:
Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
Step 2:
After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
Step 3:
After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
IMPORTANT! Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Use SpyHunter to scan for malware and unwanted programs
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
Scan your PC and Remove B4WQ with SpyHunter Anti-Malware Tool and back up your data
1. Install SpyHunter to scan for B4WQ and remove them.2. Scan with SpyHunter, Detect and Remove B4WQ. Back up your data to secure it from malware in the future.
Step 1: Click on the “Download” button to proceed to SpyHunter’s download page.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
Step 2: Guide yourself by the download instructions provided for each browser.
Step 3: After you have installed SpyHunter, wait for it to update automatically.
Step 1: After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
Step 2: After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
Step 3: If any threats have been removed, it is highly recommended to restart your PC.
Back up your data to secure it against attacks in the future
IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats. We recommend you to read more about it and to download SOS Online Backup.
4. Try to Restore files encrypted by B4WQ
Try to Restore Files Encrypted by B4WQ
Ransomware infections and B4WQ aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested several alternative methods that may help you go around direct decryption and try to restore your files. Bear in mind that these methods may not be 100% effective but may also help you a little or a lot in different situations.
Method 1: Scanning your drive’s sectors by using Data Recovery software. Another method for restoring your files is by trying to bring back your files via data recovery software. Here are some suggestions for preferred data recovery software solutions:
Method 2: Trying Kaspersky and EmsiSoft’s decryptors. If the first method does not work, we suggest trying to use decryptors for other ransomware viruses, in case your virus is a variant of them. The two primary developers of decryptors are Kaspersky and EmsiSoft, links to which we have provided below:
To restore your data in case you have backup set up, it is important to check for Volume Shadow Copies, if ransomware has not deleted them, in Windows using the below software:
Method 4: Finding the decryption key while the cryptovirus sends it over a network via a sniffing tool.
Another way to decrypt the files is by using a Network Sniffer to get the encryption key, while files are encrypted on your system. A Network Sniffer is a program and/or device monitoring data traveling over a network, such as its internet traffic and internet packets. If you have a sniffer set before the attack happened you might get information about the decryption key. See how-to instructions below:
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
1. For Windows XP, Vista and 7.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by malware and PUPs on your PC.
1. Install SpyHunter to scan for B4WQ and remove them.
Back up your data to secure it from malware in the future.
