Cyber Security Center

BNFD ransomware removal


BNFD ransomware is part of the Matrix ransomware family. It encrypts files, renames them to [Benford333@criptext.com].random characters.BNFD, and drops the BNFD_README.rtf ransom note. No free decryptor is currently available.

 

WastedLocker ransmware image

BNFD ransomware is file-encrypting malware that belongs to Matrix ransomware family. We have reported on other versions from the same family, including TG33, JB88, BG85, and ANN. This version can be differentiated from the other ones by the .BNFD extension added to encrypted files. As users will inevitably notice, files with that extension will not be openable, unless they’re first decrypted.

When the ransomware is done encrypting files, it will drop a BNFD_README.rtf ransom note. The note will contain instructions on how users can get the decryptor to recover their files, and that includes sending an email to three different email addresses with an ID that’s displayed in the note. If victims were to actually send the email, they would receive instructions on how to pay the ransom in order to get the decryptor. The note also promises that if users send 3 small encrypted files, they would be decrypted and sent back.

Contacting cyber crooks, let along paying the ransom, is not recommended for a couple of reasons. First of all, users are not guaranteed a decryptor if they pay. Whether it’s sent really depends on how helpful the cyber crooks behind this ransomware are feeling. It’s not uncommon for users to not receive the decryptor after paying, so it’s always risky. Second, the money users pay these cyber criminals is used for other malicious activities. And as long as victims pay because they don’t have backup, the ransomware will continue to be a nuisance.

Currently, retrieving files from backup is the only way victims can recover them. No free decryptor is currently available but that may change in the future, as malware researchers do release free decryption tools when possible. If a decryptor was to be released, it would come from legitimate sources like NoMoreRansom, Emsisoft, anti-virus vendors and malware researchers. Decryptors on suspicious forums and sites should not be trusted, as they could contain something malicious.

If users do have backup, they simply need to delete BNFD ransomware and they can then access backup.

How does ransomware get inside a computer?

Users usually allow the ransomware to enter themselves, though they do it unknowingly. Users can allow ransomware to get into their computer by doing something as simple as opening a malicious email attachment, using torrents to pirate, or simply downloading a seemingly harmless file. The good news is that if users develop better browsing habits, they will be able to avoid the majority of malware infections.

One of the most dangerous things users could do is open an unsolicited email attachment. Malicious actors often launch email campaigns that distribute ransomware by having it attached to the email. Cyber criminals usually use email addresses they purchase from hacker forums to distribute the malicious emails. If users pay attention to what they open, they should be able to notice the signs that indicate a malicious emails. The most obvious signs are usually a random sender’s email address, loads of grammar and spelling mistakes, as well as strong pressure to open the email attachment. Even when the email looks completely legitimate, all unsolicited emails should be scanned with anti-virus software or VirusTotal before they’re opened.

It’s also not uncommon for users to pick up malware via torrents. It’s no secret that many torrent sites are not regulated properly, which allows cyber criminals to disguise their malware as some popular movie, game, TV show, etc. Apart from the fact that pirating is essentially stealing, malware is one of the reasons why users are discouraged from pirating.

Can users recover files encrypted by BNFD ransomware?

When users initiate the ransomware, it will immediately start encrypting files. All photos, videos, documents and other important files will be encrypted and renamed. For example, image.jpg would be renamed to [Benford333@criptext.com].random characters.BNFD. Files with that extension will not be openable.

A ransom note BNFD_README.rtf would be dropped once the encryption process is complete, and it would contain instructions for users on how to recover files. Users are asked to send an email to three different email addresses benford333@criptext.com, benford333@protonmail.com, and benford333@tutanota.com. The email is supposed to include the ID provided in the ransom note. Users would then be informed of how much they need to pay to get the decryptor. But as we have mentioned above, paying the ransom is too risky, thus, it’s not recommended. Backup is the only way users can recover files.

Here’s the ransom note dropped by this ransomware:

ALL YOUR VALUABLE DATA WAS ENCRYPTED!

All yоur filеs wеrе еnсrуptеd with strоng crуptо аlgоrithm АЕS-256 + RSА-2048.
Plеаsе bе surе thаt yоur filеs аrе nоt brоkеn аnd уоu cаn rеstоrе thеm tоdаy.

If yоu rеаllу wаnt tо rеstоrе yоur filеs plеаsе writе us tо thе е-mаils:
Benford333@criptext.com
Benford333@protonmail.com
Benford333@tutanota.com
In subjеct linе writе уоur ID: –

Impоrtаnt! Plеаsе sеnd yоur mеssаgе tо аll оf оur 3 е-mаil аddrеssеs. This is rеаllу impоrtаnt bеcаusе оf dеlivеrу prоblеms оf sоmе mаil sеrviсеs!
Important! If you haven’t received a response from us within 24 hours, please try to use a different email service (Gmail, Yahoo, AOL, etc).
Important! Please check your SPAM folder each time you wait for our response! If you find our email in the SPAM folder please move it to your Inbox.
Important! We are always in touch and ready to help you as soon as possible!

Аttаch up tо 3 smаll еncrуptеd filеs fоr frее tеst dесryption. Plеаsе nоte thаt thе filеs yоu sеnd us shоuld nоt cоntаin аnу vаluаblе infоrmаtiоn. Wе will sеnd yоu tеst dеcrуptеd files in оur rеspоnsе fоr yоur cоnfidеnсе.
Of course you will receive all the necessary instructions hоw tо dеcrуpt yоur filеs!

Important!
Plеаsе nоte that we are professionals and just doing our job!
Please dо nоt wаstе thе timе аnd dо nоt trу to dесеive us – it will rеsult оnly priсе incrеаsе!
Wе аrе alwауs оpеnеd fоr diаlоg аnd rеаdy tо hеlp уоu.

BNFD ransomware removal

Users will need to use anti-malware software to remove BNFD ransomware. Once the ransomware is no longer on the computer, users can connect to backup. It should be mentioned that when users delete BNFD ransomware, the files remain encrypted.

BNFD ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by Avast/AVG
  • Generic.Ransom.Matrix.791E1328 (B) by Emsisoft
  • A Variant Of Win32/Filecoder.LockedFile.I by ESET
  • Ransom.Matrix by Malwarebytes
  • Ransom:Win32/Gansom.AB!MSR by Microsoft
  • Ransom.Win32.MATRIX.SMTH by TrendMicro
  • HEUR:Trojan-Ransom.Win32.Agent.gen by Kaspersky