However, it is unlikely that paying the ransom will result in the successful decryption of all files, and victims are encouraged to seek alternative solutions. The attackers offer victims a way to verify that encrypted files can be decrypted by sending them a small file to one of the email addresses specified in the ‘_readme.txt’ file. The ransom demand is typically $980, but if the victim pays within 72 hours, then the ransom amount is halved to $490. That is, criminals demand a ransom for unlocking the victim’s files. The file contains a message from the Bhui authors, informing the victim that all their files are encrypted and the only way to decrypt them is to purchase a key and a decryptor from the authors of the Bhui ransomware. In every directory where there is at least one encrypted file, the virus places a file named ‘_readme.txt’. pdf, and others.īhui encrypts files one by one, renaming each encrypted file with the. All other files located on the victim’s computer can be encrypted, including popular file types such as. sys, and files with the name ‘_readme.txt’. It skips files located in the Windows system directories, files with the extension. Bhui has the ability to encrypt files on all drives connected to the computer, including internal hard drives, flash USB disks, network storage, and more. The virus attempts to encrypt as many files as possible, encrypting only the first 154kb of the contents of each file to speed up the encryption process. The Bhui ransomware encrypts files using a strong encryption algorithm and a key (‘offline key’ or ‘online key’, as described above). If the virus cannot establish a connection with its command server, it uses a fixed key (the so-called ‘offline key’). If the connection has been established, it sends information about the infected computer to the server and, in response, receives the encryption key (the so-called ‘online key’) and additional commands and malware that must be executed on the victim’s computer. The virus then collects information about the victim’s computer and tries to establish a connection with its command server (C&C). Upon execution, Bhui creates a folder in the Windows system directory where it places a copy of itself and changes some Windows settings so that it starts up every time the computer is restarted or turned on. Typically, such malicious files are disguised as freeware, Windows/Office key generators and activators, hacked games, and other attractive downloads that are placed by cybercriminals on file-sharing and torrent sites. This ransomware is spread by malicious files that must be installed as an. Screenshot of files encrypted by Bhui virus (‘.Bhui’ file extension):īhui ransomware is a new variant of the STOP (djvu) ransomware that emerged in early 2022. In this article, we will take a closer look at Bhui ransomware, its distribution methods, and the steps that victims can take to recover their encrypted files. The attackers then demand a ransom payment in exchange for the decryption key, with the initial ransom demand set at $980, but halved to $490 if paid within 72 hours. Once installed, Bhui encrypts all files on the victim’s computer, adding the “.Bhui” extension to the filenames. Like its predecessors, Bhui is spread through malicious files disguised as freeware, key generators, and hacked games, which are commonly found on file-sharing and torrent sites. Bhui ransomware is the latest variant of the notorious STOP (djvu) ransomware that has been causing havoc for victims worldwide.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |