
BBC Ransomware

Posted: June 8, 2020

The BBC Ransomware is one of the most recent additions to the seemingly endless family of the Phobos Ransomware clones. There is nothing particularly remarkable about BBC to set it apart from other Phobos clones, and it’s probably just the latest customized version used by a new party of bad actors for their own threatening campaign.

The BBC Ransomware encrypts its victim’s files and renders them unusable. Once a file is encrypted by the BBC Ransomware, its full name changes: the original name and extension are preserved, but a unique alphanumeric victim ID, the bad actor’s contact email and a new extension are all appended to the end. This means that a file originally called "backyard.jpg" becomes "backyard.jpg.id[alphanumeric string].[0x1service@protonmail.com].bbc" once it has been encrypted.

When the encryption is complete, two separate ransom notes are created. One is named "info.hta" and the other "info.txt". The plain text file is indeed very plain and contains just the two emails used by the hackers for contact: 0x1service@protonmail(dot)com and 0x1service@airmail(dot)cc. The .hta file looks more like a regular ransom note and reads as follows:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail 0x1service at protonmail dot com

Write this ID in the title of your message -

In case of no answer in 24 hours write us to this e-mail:0x1service at airmail dot cc

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.

hxxps://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:

hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

Even though the hackers behind the BBC ransomware offer free decryption to show that they at least have the tool for it, this is no guarantee that after payment a victim will receive that tool. Currently, there is no disclosed decryption tool that can unscramble the files encrypted by the BBC Ransomware. One of the best ways to protect a system from any ransomware and stop it in its tracks before it can encrypt valuable files is having a robust, fully-featured anti-malware suite installed and kept up-to-date.
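
For incident triage, the file-naming pattern and ransom-note names described above can be matched against a file listing to see which directories were hit and which victim ID was assigned. The following Python sketch is an added example, not part of the original post; the function names, the sample paths and the sample victim ID are constructed, and allowing hyphens in the ID is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Pattern from the article: <original name>.id[<victim ID>].[<contact email>].bbc
# Assumption: the victim ID is alphanumeric, possibly with hyphens.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[A-Za-z0-9-]+)\]"
    r"\.\[(?P<email>[^\[\]@\s]+@[^\[\]\s]+)\]\.bbc$",
    re.IGNORECASE,
)
NOTE_NAMES = {"info.hta", "info.txt"}  # ransom note names given in the article

def parse_encrypted_name(path):
    """Return original name, victim ID and contact e-mail, or None if no match."""
    name = PureWindowsPath(path).name
    m = ENCRYPTED_RE.match(name)
    return m.groupdict() if m else None

def triage(paths):
    """Summarise a listing: affected directories, victim IDs, note locations."""
    report = {"encrypted": defaultdict(list), "victim_ids": set(),
              "emails": set(), "notes": []}
    for p in paths:
        wp = PureWindowsPath(p)
        hit = parse_encrypted_name(p)
        if hit:
            report["encrypted"][str(wp.parent)].append(hit["original"])
            report["victim_ids"].add(hit["victim_id"])
            report["emails"].add(hit["email"].lower())
        elif wp.name.lower() in NOTE_NAMES:
            # info.txt is a common name, so collect candidates and filter below
            report["notes"].append(str(wp))
    # Keep only notes that sit in a directory that also holds encrypted files
    dirs = set(report["encrypted"])
    report["notes"] = [n for n in report["notes"]
                       if str(PureWindowsPath(n).parent) in dirs]
    return report

# Constructed sample listing (the victim ID below is a made-up placeholder).
SAMPLE = [
    r"C:\Users\ann\Pictures\backyard.jpg.id[1A2B3C4D-0001].[0x1service@protonmail.com].bbc",
    r"C:\Users\ann\Pictures\info.hta",
    r"C:\Users\ann\Pictures\notes.bbc",
    r"C:\Tools\info.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A plain ".bbc" extension alone is not treated as a match, and a stray "info.txt" is reported only when it sits beside files that carry the full pattern.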
