Bucbi ransomware is coming back.

Bucbi is a non-standard ransomware family developed in 2014. It had not been used at scale until now. Its targets are users in Ukraine and Russia. The amount Bucbi demands is fairly high compared to other ransomware, and the note claims the money will go towards the conflict between the two countries. What sets Bucbi apart is that it does not use the common social engineering methods to trick users into installing the virus. Instead, the operators install Bucbi themselves after breaking into the enterprise network through RDP brute-force attacks. Malware of this kind is usually delivered by an HTML download and requires the user to be online, but Bucbi has been modified to the point that it no longer needs an Internet connection.

The new version of Bucbi is a heavily modified build that is more advanced than the previous one. Once it is on a user's computer, however, the attack plays out like other ransomware: it encrypts the victim's files and demands money, in this case a fairly high ransom of 5 BTC (bitcoin) compared to other ransomware. Security researchers observed that the attacks come from five different IP addresses and use a variety of usernames. This is no longer ransomware that infects victims at random; these are targeted attacks.
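The pattern described above (a handful of source addresses trying many usernames against RDP) is what a defender can look for in the Windows Security log. The script below is an added example, not code from the original post: it parses a constructed set of failed-logon records (Event ID 4625, with the field layout simplified into one line per event and source addresses drawn from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24, all assumptions) and flags any source that produces many failures against several distinct accounts inside a short window, while ignoring a single user who mistypes a password a couple of times.

```python
"""Flag RDP password-guessing sources in Windows Security log records.

Added example, not part of the original post. The log lines and the
one-line field layout are constructed; real 4625 events carry the same
fields (logon type, account name, source address) in XML/EVTX form.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two guessing sources and one legitimate user who
# fails twice and then logs on successfully (Event ID 4624).
SAMPLE_LOG = """\
2016-05-01T10:00:01 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.5
2016-05-01T10:00:02 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.5
2016-05-01T10:00:03 EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.5
2016-05-01T10:00:04 EventID=4625 LogonType=10 User=sql SrcIP=203.0.113.5
2016-05-01T10:00:05 EventID=4625 LogonType=10 User=user1 SrcIP=203.0.113.5
2016-05-01T10:00:06 EventID=4624 LogonType=10 User=jsmith SrcIP=192.0.2.10
2016-05-01T10:03:00 EventID=4625 LogonType=10 User=jsmith SrcIP=192.0.2.10
2016-05-01T10:03:30 EventID=4625 LogonType=10 User=jsmith SrcIP=192.0.2.10
2016-05-01T10:03:45 EventID=4624 LogonType=10 User=jsmith SrcIP=192.0.2.10
2016-05-01T10:05:00 EventID=4625 LogonType=3 User=administrator SrcIP=203.0.113.9
2016-05-01T10:05:01 EventID=4625 LogonType=3 User=admin SrcIP=203.0.113.9
2016-05-01T10:05:02 EventID=4625 LogonType=3 User=root SrcIP=203.0.113.9
2016-05-01T10:05:03 EventID=4625 LogonType=3 User=guest SrcIP=203.0.113.9
2016-05-01T10:05:04 EventID=4625 LogonType=3 User=test SrcIP=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_failed_logons(text):
    """Yield (timestamp, user, ip) for failed logons that can come from RDP.

    Logon type 10 is RemoteInteractive. When Network Level Authentication
    is enabled the failed credential check is recorded as type 3 (network)
    instead, so both types are kept.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "4625" or m["ltype"] not in ("3", "10"):
            continue
        yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def find_bruteforce_sources(text, max_failures=5, window=timedelta(minutes=2), min_users=3):
    """Return {ip: (total_failures, sorted distinct users)} for every source
    that reaches max_failures failed logons inside `window` while trying at
    least min_users different accounts. The min_users condition separates
    dictionary / spraying behaviour from one person retrying a password.
    """
    events = defaultdict(list)
    for ts, user, ip in parse_failed_logons(text):
        events[ip].append((ts, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the chronologically sorted failures.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users_in_window = {u for _, u in in_window}
            if len(in_window) >= max_failures and len(users_in_window) >= min_users:
                flagged[ip] = (len(evs), sorted({u for _, u in evs}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logons across {len(users)} accounts: {', '.join(users)}")
```

Both 203.0.113.5 and 203.0.113.9 are reported; 192.0.2.10 is not, because two failures from one account do not meet either threshold. On a real host the same logic can be fed from the Security log export, and blocking or rate-limiting the reported sources at the firewall, together with not exposing RDP directly to the Internet, removes the entry vector the post describes.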

Bucbi ransomware

What is unique about this ransomware is that the criminals force their way into corporate networks through open RDP ports, using a tool named 'RDP Brute (Coded by z668)'. Once a victim's system is infiltrated, a directory is created under %ALLUSERSPROFILE% containing a named log file and debugging statements. Unlike other ransomware, Bucbi does not append a file extension to encrypted files; they keep the same name as before. Bucbi uses GOST to create the filename. Once encryption is done, a .txt file appears on the victim's desktop containing the following message:

We are members of Ukrainian Right Sector.
You are taking money worldwide until we are fighting with world’s evil into the East of our Motherland.
To decrypt the files you need to obtain a private key.
You have to transfer 5 BTC into the out account […] for us.
Also you have to send message for us to e-mail: [email protected]
After it you’ll get the crypto key for decrypt your files.
Regards.
Your defenders.
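Because Bucbi leaves encrypted files under their original names, an extension-based search will not find them. A check a responder can run instead looks at the content: a file whose extension promises a fixed header (PDF, Office/ZIP, PNG, JPEG) but whose bytes are near-random has most likely been encrypted in place. The code below is an added example, not code from the original post; the sample files are constructed in memory (pseudo-random bytes derived from SHA-256, a stand-in for ciphertext) and the magic-byte table and 7.5 bits/byte threshold are assumptions to tune for a real environment.

```python
"""Triage files that may have been encrypted in place under their original name.

Added example, not part of the original post. Sample files are constructed
in memory; on a real host the same triage_file() check is applied to each
file read from disk.
"""
import hashlib
import math
import os
from collections import Counter

# Leading bytes of common formats whose header is stable. An encrypted
# copy keeps the name but loses this header.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".exe": b"MZ",
}
# Formats that are plain text and therefore never near-random when intact.
TEXT_EXTS = (".txt", ".csv", ".log", ".ini", ".xml", ".html")


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(name, data, high=7.5):
    """Classify one file as 'ok', 'header-mismatch', 'high-entropy-text' or 'unknown'.

    header-mismatch: the extension promises a known header that is absent
    and the body is near-random (strongest sign of in-place encryption).
    high-entropy-text: a plain-text type whose bytes are near-random.
    unknown: nothing can be said from the name alone (compressed or
    opaque formats are naturally high-entropy, so entropy alone is not used).
    """
    ext = os.path.splitext(name)[1].lower()
    ent = shannon_entropy(data)
    if ext in MAGIC:
        if data.startswith(MAGIC[ext]):
            return "ok"
        return "header-mismatch" if ent >= high else "unknown"
    if ext in TEXT_EXTS:
        return "high-entropy-text" if ent >= high else "ok"
    return "unknown"


def triage_tree(files):
    """files: {path: bytes}. Return {path: verdict} for suspicious files only."""
    suspicious = {}
    for path, data in files.items():
        verdict = triage_file(path, data)
        if verdict not in ("ok", "unknown"):
            suspicious[path] = verdict
    return suspicious


# Constructed samples: 4096 deterministic pseudo-random bytes stand in for ciphertext.
_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n" + b"% constructed placeholder body\n" * 20,   # intact
    "contract.pdf": _RANDOM,                                                    # encrypted in place
    "notes.txt": b"Meeting notes: review backup schedule and RDP exposure.\n" * 30,  # intact
    "passwords.txt": _RANDOM,                                                   # encrypted in place
    "photo.jpg": b"\xff\xd8\xff\xe0" + _RANDOM,                                # intact (JPEG bodies are high-entropy)
    "blob.dat": _RANDOM,                                                        # cannot tell from name
}

if __name__ == "__main__":
    for path, verdict in triage_tree(SAMPLE_FILES).items():
        print(f"{verdict:18} {path}")
```

Only contract.pdf and passwords.txt are reported. The JPEG is not, even though its body is near-random, because its header is intact; that is why the check keys on the header first and uses entropy only to confirm. The list of reported files is what you would hand to the decryption tools mentioned later in the post, and the count tells you how far the encryption got before the process was stopped.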

Now that you are infected, you have a few options:

Many suggest that you simply pay and hope you get all of your data back. In this case, however, you risk losing your money and still being stuck with encrypted files. We do not recommend this, simply because it supports the work of the criminals, and the more money they get the stronger they become.

The best option, if you have a backup, is to wipe your hard drive and restore the system from it.

Use any anti-malware software to remove Bucbi.

NOTE: With this option the virus is removed but the files remain locked! You still have to decrypt your files.

Decrypt bucbi ransomware files.

The good news is that decryption programs are now available. Security companies such as Kaspersky Lab, Bitdefender and others have developed decryption tools for ransomware. These programs can be found all over the Internet, but it is strongly suggested that you download them from the vendors' official websites. NOTE: Decrypting your files may take a long time depending on your PC's performance.

New research shows how ransomware deletes the original files and substitutes encrypted copies. It is not guaranteed, but you may be able to recover your files with data-recovery software. Before trying to decrypt any files, you can scan your computer for possible data loss.

Go here to find out how to recover deleted files.

NOTE: Even after removing Bucbi ransomware from your PC, many of the problems caused by it may still remain!

  • Name – Bucbi
  • Type – Spamming, Malware, Ransomware, Trojan Horse
  • Danger Level – High
  • Brief Description – Encrypts files and demands a ransom.
  • Symptoms – Poor PC performance or freezing, ransom messages.
  • Method – Via Trojan Horse or spam email.

How to remove "Bucbi"

Short guide:

  1. Log in as administrator.
  2. Go to Control Panel and uninstall any suspicious software.
  3. Use any anti-malware software to remove Bucbi.
  4. Decrypt Bucbi files.
  5. Delete all temporary files using Disk Cleanup.
  6. Restart your computer.

Note: Removing Bucbi manually can be very risky and unpredictable!

Step by step: how to remove "Bucbi ransomware"

Manual steps to remove ransomware or malware, and how to prevent it.

For now, removing ransomware or malware manually is only feasible for IT specialists. If you do not know one, don't worry: we have a solution for you. Here we will use SpyHunter to remove the virus. SpyHunter is an anti-malware program that can scan for malware and clean infected computers. You can also use a full anti-malware suite, which is the better option because it also offers ongoing protection.

How to remove "ransomware or malware"

NOTE: With this option the virus is removed but the files remain locked! You still have to decrypt your files.
  1. Download SpyHunter anti-malware.
  2. After the program has been downloaded, double-click it to open it and click Spyhunter.exe to start the installation. A User Account Control dialog may appear, asking whether to allow the program to make changes to this computer; click "Yes" or "Run" to proceed. You can also choose from a variety of languages. Click OK and the installation begins with a welcome message from SpyHunter. Click Next to continue to the next step. Accept the SpyHunter license agreement by selecting "I accept the agreement" and click Next. SpyHunter then asks you to read important information before continuing; once done, click Next. You can choose where to install the program; the default is C:\Program Files\Enigma Software Group\SpyHunter. The installation then proceeds and may take a while, depending on the computer's performance. Once it is done, click Finish.
  3. Update the software before scanning, then start the scan. You can choose the free trial version or activate a license. Buying the full version is recommended, as the trial will not protect the system.
  4. The scan begins. It may take a while, depending on the computer's performance.
  5. Once the scan is complete, you can choose between deleting or quarantining the detected items. Quarantine is recommended, and since the malware is active a reboot is required to finish the process.

Click here for a guide on how to uninstall SpyHunter.
