Our research team has uncovered a new ransomware campaign we nicknamed BigBobRoss that seems to target Comcast Business users. Fortunately, our security experts were able to identify a flaw within the ransomware’s code that can be used to decrypt encrypted files without paying the ransom.
Update: The BigBobRoss decrypter has been updated for the extension ‘.encryptedALL’
Do not pay the ransom!
Technical details
BigBobRoss is a ransomware written in C++ using QT. It uses AES-128 ECB to encrypt files, and adds the extension “.obfuscated”. Some variants also prepend the victim ID to the filename. The ransom note “Read Me.txt” asks the victim to contact “BigBobRoss@computer4u.com”.
The ransom note contains the following text:
Hello, dear friend!
=================================================
1- [All your files have been ENCRYPTED!]
Your files are NOT damaged! Your files are modified only.
The only way to decrypt your files is to receive the decryption program.
your files can not be decrypted without the special program we made it for your computer.
=================================================
2- [ HOW TO RETURN FILES? ]
To receive the decryption program Write to our email “BigBobRoss@computer4u.com”
and tell us your unique ID
=================================================
3- [ FREE DECRYPTION! ]
Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us 1 file that must be less than 1MB and we decrypt it for free.
File should not be important to you! databases, backups, large excel sheets, etc.
=================================================
4- [ Instruction ]
the easiest way to buy bitcoins is LocalBitcoins site. you have to register, click “buy bitcoins”
and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
=================================================
CAUTION!
please do not change the name of files or file extension if your files are important to you!
Your unique ID : [ID]
To use the decrypter, you will require one of the ransom notes left by the malware.
How to use the Emsisoft BigBobRoss Decrypter
- Download the Emsisoft BigBobRoss Decrypter.
- Run the executable and confirm the license agreement when asked.
- Click “Browse” and select the ransom note file on your computer. (Brute Force decryption is not required for this ransomware).
- Click “Start” to decrypt your files. Note that this may take a while.
- Finished!
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trial