Cyber Security Center

BG85 ransomware removal


BG85 ransomware is part of the Matrix ransomware family, which has released other versions like ANN ransomware. It uses strong encryption algorithms to encrypt files, and renames them. Encrypted files will be renamed into [BobGreen85@criptext.com].a string of random characters.BG85. Matrix malware also drops the BG85_INFO.rtf ransom note.

 

Ransomware (3)

BG85 ransomware is file-encrypting malware from the Matrix malware family. It encrypts files, renames them, drops a ransom note BG85_INFO.rtf and demands that victims pay money in exchange for file decryption. It is not known what specific sum the cyber criminals behind this ransomware request because it is not specified in the note. However, it will likely be somewhere between $100 and $1000, as that is usually what cyber crooks request.

For users with backup, ransomware shouldn’t do a lot of damage, as important files can be recovered from backup. Situations like this are why regularly backing up files is extremely important. However, there are many users out there who do not have this habit. For victims who do not have backup, there aren’t many options. Paying the ransom is not recommended because there are no guarantees that a decryptor would be sent. Many victims have not received a decryptor tool in the past, or received a non-working one when they paid, so there’s always a risk.

Malware researchers sometimes release free decryptor tools to help victims recover files without needing to pay but that is not the case for all ransomware. But for users without options, the best course of action would be to back up encrypted files and wait for a potential decryptor to be released. However, where the decryptor is downloaded from is very important as malicious actors have started disguising malware as ransomware decryptors. Emsisoft and NoMoreRansom are good sources for decryption tools.

If users recover files from backup, they need to make sure to first remove BG85 ransomware from their computers. Otherwise, the ransomware would encrypt those files as well.

How does ransomware spread?

Most ransomware gangs use the same malware distribution methods, which are usually spam email campaigns, disguising malware on torrent sites and forums, and fake updates.

Launching a spam email campaign does not require a lot of effort. Cyber crooks purchase email addresses and other information from hacker forums, attach a malicious file to an email and send it off. All users need to do to infect their computers is open the attachment and enable macros. Fortunately, the majority of those emails are quite obvious. First of all, senders often claim to be from known/famous companies/organizations but the emails are sent from nonsense email addresses. They’re also often full of grammar and spelling mistakes. When it comes to unsolicited emails with attachments, users need to be very careful. As a precaution, all email attachments should be scanned with anti-malware software or VirusTotal.

Malware is also often disguised as popular content on torrents sites and forums. It can be disguised as a movie, an episode of a TV series, game, software crack, etc. Sites hosting pirated copyrighted content are often unregulated, which allows cyber criminals to easily upload their malware.

It’s also possible to pick up malware by downloading a fake update. Fake update notifications can be found on many websites, and if users fall for them and download the file, they could easily infect their computers with malware. Update notifications will never appear in the browser. If a program needed to be updated, the program would notify the user. And if an update is performed manually, it should never be downloaded from unsafe sources, such as advertisements.

What does BG85 ransomware do?

BG85 ransomware uses AES-256 and RSA-2048 encryption algorithms to encrypt files. All encrypted ones will be renamed to [BobGreen85@criptext.com].random characters.BG85. Once the files are encrypted, the ransomware then drops a ransom note BH85_INFO.rtf. The ransom note explains that files have been encrypted but victims can start the recover process by sending an email to bobgreen85@criptext.com, bobgreen85@aol.com and bobgreen85@tutanota.com. The note specifies that the email needs to be sent to all three email addresses. Victims can decrypt three files for free, as proof that files can be decrypted. However, they should not contain any valuable information.

Here is the ransom note:
ALL YOUR VALUABLE DATA WAS ENCRYPTED!

All yоur filеs wеrе еnсrуptеd with strоng crуptо аlgоrithm АЕS-256 + RSА-2048.
Plеаsе bе surе thаt yоur filеs аrе nоt brоkеn аnd уоu cаn rеstоrе thеm tоdаy.

If yоu rеаllу wаnt tо rеstоrе yоur filеs plеаsе writе us tо thе е-mаils:
BobGreen85@criptext.com
BobGreen85@aol.com
BobGreen85@tutanota.com
In subjеct linе writе уоur ID: –

Impоrtаnt! Plеаsе sеnd yоur mеssаgе tо аll оf оur 3 е-mаil аddrеssеs. This is rеаllу impоrtаnt bеcаusе оf dеlivеrу prоblеms оf sоmе mаil sеrviсеs!
Important! If you haven’t received a response from us within 24 hours, please try to use a different email service (Gmail, Yahoo, AOL, etc).
Important! Please check your SPAM folder each time you wait for our response! If you find our email in the SPAM folder please move it to your Inbox.
Important! We are always in touch and ready to help you as soon as possible!

Аttаch up tо 3 smаll еncrуptеd filеs fоr frее tеst dесryption. Plеаsе nоte thаt thе filеs yоu sеnd us shоuld nоt cоntаin аnу vаluаblе infоrmаtiоn. Wе will sеnd yоu tеst dеcrуptеd files in оur rеspоnsе fоr yоur cоnfidеnсе.
Of course you will receive all the necessary instructions hоw tо dеcrуpt yоur filеs!

Important!
Plеаsе nоte that we are professionals and just doing our job!
Please dо nоt wаstе thе timе аnd dо nоt trу to dесеive us – it will rеsult оnly priсе incrеаsе!
Wе аrе alwауs оpеnеd fоr diаlоg аnd rеаdy tо hеlp уоu.

Paying the ransom, as already mentioned, is not a great idea. Countless times have victims paid the ransom only to not get anything in return. Thus, victims are usually discouraged from paying.

Unfortunately, ransomware from the Matrix family is currently undecryptable, so there is no free decryption tool available. Victims should be wary of unknown sources claiming to decrypt files for free or for smaller than the ransom payment. Currently, the only sure way to recover files is from backup.

BG85 ransomware removal

Users need to use anti-malware software to delete BG85 ransomware. Otherwise, they may end up doing even more damage to their computers. Once users remove BG85 ransomware, they can access backup to start file recovery.

BG85 ransomware is detected as:

  • A Variant Of Win32/Filecoder.LockedFile.I by ESET
  • Ransom.Matrix by Malwarebytes
  • HEUR:Trojan-Ransom.Win32.Agent.gen by Kaspersky
  • Ransom:Win32/Gansom.AB!MSR Microsoft
  • Generic.Ransom.Matrix.CA56E05D by BitDefender
  • Win32:RansomX-gen [Ransom] by AVG/Avast