BBOO file virus encrypts personal data to demand $490 as a ransom
Contents
BBOO ransomware is a malicious data-encrypting virus that originates from STOP/DJVU malware group. It is the 205th version of it, discovered by M. Gillespie. Once installed on victim’s computer, it encrypts personal files stored on it, adding .bboo file extensions to mark corrupted data. Next, the virus creates ransom note and saves it it _readme.txt files all over the compromised computer. The note contains cybercriminals’ demands to pay a ransom worth $490 in Bitcoin within 3 days, otherwise the price goes up to $980. The victim is suggested to test the decryption tool and get further info by writing to helpmanager@firemail.cc or helpmanager@iran.ir.
BBOO ransomware encrypts files using unbreakable encryption algorithm. There is no way to restore files without having a private decryption key. However, STOP/DJVU variants use either offline or online encryption keys to lock victim’s data safely. Based on encryption method used, the victim may or may not expect to recover some files in the future.
How the virus operates: the offline and online encryption cases
Once installed on the target host, the ransomware first checks whether it can connect to its Command& Control server. If it does, it uses it to obtain ONLINE encryption keys, which are individual for each victim. In other words, nobody else gets these encryption keys, therefore nobody else’s decryption keys will match yours.
When BBOO file virus fails to establish connection with C&C server, it uses a hardcoded OFFLINE encryption key, which is the same one for all victims subject to offline encoding attack. Once someone pays a ransom and receives a decryption key, such key can be shared with others. Usually, security experts ask to contact them so that tools like STOP Decryptor could be updated.
BBOO ransomware virus’ developers won’t tell you whether your files were encrypted with online or offline key. Therefore, you have to check your personal ID to realize that. Please do not check the personal ID stored in the _readme.txt file – it might not reflect the situation accurately (since several keys can be used).
Instead, go to C:/SystemID/ and open PersonalID.txt file here. If any of the stored keys end in t1, it is a good sign meaning that an offline key was used at least on part of your files. If it is the ONLY ID here ending in t1, it means that ALL of your files were locked with offline key, and there might be chances to recover all of them.
Threat Summary
| Name | BBOO ransomware virus |
| Type | File-encrypting malware |
| Origins | STOP/DJVU (205th version) |
| Targeted systems | Windows |
| Behavior | Prevents access to personal files by encrypting them, demands ransom in exchange for data recovery tool |
| File extension | Marks files with .bboo extension |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 |
| Emails | helpmanager@firemail.cc, helpmanager@iran.ir |
| Distribution | Distributed via software cracks, keygens, KMSPico |
| Decryption tools | STOP Decryptor doesn’t support the 205th ransomware variant yet |
| Removal | Remove using antivirus while in Safe Mode (use instructions given below) |
However, you must be aware that this ransomware virus installs AZORULT password-snatching Trojan on the system, which can steal and use your login credentials for malicious purposes. Therefore, do not delay the computer cleanse and remove BBOO ransomware virus along with AZORULT as soon as you can. You may want to use the free instructions provided at the end of this article.
The ransom-demanding message
BBOO ransomware creators seek to extort money from computer users, especially those with little or no computing experience. Unfortunately, the majority of computer users still fail to realize the importance of having data backups, which come in handy in case of ransomware attack, computer corruption or loss.
The _readme.txt file explains that the only way to restore encrypted .bboo extension files is to pay a ransom for the cybercriminals. The note doesn’t contain cryptowallet address belonging to the criminals. It simply explains that the victim has to buy Bitcoins and transfer them to a specified wallet. If the victim rushes to do so within 3 days since the attack, the ransom price stays $490. Otherwise, it increases to $980.
We do not recommend paying the ransom. By doing so, you would support the billion-dollar worth industry of malware.
DJVU variants await in malicious files
DJVU ransomware variants, such as BBOO, REPP, ALKA, BTOS and others are known to be waiting for victims in a form of malicious and often illegal downloads. To be precise, malware developers tend to conceal these as software cracks, keygens, or other tools used to activate software licenses in an illegal way (without paying for the license).
Please remember that by downloading such files (for example, KMSPico) you infringe the software developers’ copyrights and expose yourself to the wide range of malware available today. Some malicious viruses such as AZORULT won’t display any malicious activity until you’ll notice suspicious activity on your other accounts. This, unfortunately, can go on for months before you notice it.
Ransomware developers also tend to employ such distribution tactics as email spam. It is an extremely widely used technique to hunt for unsuspecting victims. Once the victim clicks on an attached link or file, the malware can easily jump into the computer system and starts its malevolent activity right away.
The best way to remove BBOO ransomware virus
If you’re looking for the best way to remove BBOO ransomware virus from your computer, look no futher. We have prepared an easy-to-follow guidances on how to eliminate this threat along with AZORULT malware from your PC instantly.
BBOO file virus removal might seem complicated, but if you use a trustworthy and, what’s most important, an up-to-date antivirus, you’ll have no issues with this task. Next, we suggest changing your passwords and start looking for your data backups.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
BBOO Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove BBOO Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
people are going through a lot of pain because of this attack but you make the headline of your website look like there is a solution to the .BBOO crisis am suffering from…… only to read all your write up and to see that there is not a known solution….
I totally understand people are going through a lot of pain. The aim of this article is to inform what is the virus, how it operates, and explain why it is impossible to recover the files. Also to inform that data backups are essential. I do not think it would be better if there was no information at all. The solution is backups. However, computer users rarely care about them before encountering viruses like this…
Bro reach me out on twitter: highimbrits, i found accidentally my files and move it from a flash drive after removing all malwares by full scan (mcafee, malwarebytes, emsisoft emergency kit).
MY OFFICE FILES IS INFECTED BY .BBOO EXTENSION AND NOT OPEN I AM IN VERY TENSION MY HIGH UPS WILL FIRE ME PLEASE HELP TO RECOVER MY MS FILES PLEASE ITS HUMBLE REQUEST.