Ransomware

Remove BYYA Ransomware Virus (DECRYPT .byya FILES)

BYYA ransomware takes computer files hostage, demands a ransom

BYYA ransomware is a file-encrypting computer virus that demands a ransom from the user. The cybercriminals behind the infamous STOP/DJVU ransomware family are yet again distributing another variant of their malware. This latest variant is no less destructive than the previous ones and is deadly to the files on any computer it infects. It uses a strong encryption key to lock files and, at the same time, makes system-level changes so that it can take over existing programs. Once this is done, it encrypts all files one after another and appends the .byya extension to each of them. For example, an existing file named 1.jpg would appear as 1.jpg.byya, 2.txt would appear as 2.txt.byya, and the same is done to every other file it can find on the infected computer.

Ransom notes named _readme.txt are also dropped into every folder on the computer. This is the cybercriminals' way of informing the user about the attack and telling them that very strong encryption keys were used to make their files unreadable, so the victim is left with no choice but to pay the requested ransom in order to receive the decryption tool produced by the cybercriminals.

Additional details you need to know about the ransom note

A bold headline summarizing the attack and what is at stake is placed at the top of the _readme.txt ransom note. More details follow under the headline, with emphasis on how BYYA ransomware succeeded in encrypting all documents, photos, videos and every other type of data stored on the computer. It also warns the victim not to consider any alternative to the one on offer, since a very strong and unique key was used to encrypt the files; therefore, the criminals alone have the ability to reverse the process.

However, that could only be done after the ransom fee has been paid, which would enable them to send the decryption tool/software across to the victim. They would also state that their demand is not negotiable, and if for any reason the victim couldn’t respond accordingly, the entire encrypted files would become permanently irretrievable.

To open a communication channel, the cybercriminals also provide two email addresses: manager@time2mail.ch and supportsys@airmail.cc. The emails are not for negotiation, as there is no room for that, but serve as the medium through which they send their demands to the victim. To convince the victim of their expertise, they may even invite the victim to send a few encrypted files for a test decryption, while pointing out that these must not contain valuable information.

The cybercriminals also announce that a ransom fee of $980 must be paid, but if the victim is willing to comply within 72 hours of being informed, they are allowed to pay only half of the fee, which is $490. There are other conditions the victim is expected to comply with, such as being required to pay in BTC or another popular cryptocurrency and to send it to a wallet address of the criminals' choosing. The main reason they demand payment in cryptocurrency is to remain anonymous and avoid any chance of arrest by law enforcement.

Here is an example of a _readme.txt ransom note typically dropped by cybercriminals.

Cybersecurity experts, including the FBI, have made it clear that ransom should not be paid to cybercriminals no matter the threats. Firstly, paying a ransom is absolutely against the law; it enriches cybercriminals and encourages them to perpetrate more crimes, yet there is no guarantee that the encrypted files will be recovered even after paying a huge sum as ransom. Also note that victims who comply with ransom demands make themselves vulnerable to future extortion.

Secondary challenges victims contend with following a ransomware attack

Aside from the encryption that occurs during a STOP/DJVU ransomware attack, there are other risks associated with it, including additional malware and Trojans. The most common are VIDAR and AZORULT, which can be as catastrophic as the primary malware. Cybercriminals use them to steal vital personal information such as banking details, cryptocurrency wallets and passwords, among other sensitive data, and possession of such data can result in further losses for the victim.

These risks make it essential for victims to remove the BYYA ransomware virus as soon as it is detected on their computer. The appropriate way to remove it is through Safe Mode with Networking. This option should be selected when the computer is powered on; afterwards, genuine antivirus software should be activated and kept up to date. You can also use RESTORO to salvage damaged files wherever possible.

Ransomware Summary

Name: BYYA Ransomware Virus
Type: Ransomware; Crypto-malware; Virtual Extortion Virus
Family: STOP/DJVU
Encryption type: RSA 2048 + Salsa20
Previous versions: XCVF, SIJR, EGFG, BBNM, IFLA, KRUU, BYYA (find full list here)
Version: 475th
Extension: .byya
Cybercriminal emails: manager@time2mail.ch and supportsys@airmail.cc
Additional malware dropped: Azorult or Vidar Trojan
Damage: The ransomware uses encryption to maliciously modify all files on the PC and marks their original names with the .byya extension. Ransom notes named _readme.txt are dropped in every computer folder. This piece of malware usually drags VIDAR Stealer along with it and also eliminates VSS (Volume Shadow Copies) from the system. On top of that, it tends to modify the Windows HOSTS file to restrict the computer user's access to cybersecurity-related websites.
Ransom note: _readme.txt
Ransom demand: $490-$980 in Bitcoin
Distribution: Victims often download this ransomware along with illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.
Known software cracks to contain this malware: Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends.
Detection names: Ransom:Win32/StopCrypt.PAL!MTB (Microsoft), Trojan.Crypt (A) (Emsisoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.47850419 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec); see all detection name variations on VirusTotal
Removal: Remove the ransomware and related malware from your PC using trustworthy software. To repair virus damage to Windows OS files, consider scanning with RESTORO (secure download link).
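The summary above notes that this family edits the Windows HOSTS file to sinkhole security-vendor sites. One quick check a responder can run after removal is to look for any uncommented HOSTS entry that pins a non-local hostname to a loopback or null address, since a default Windows HOSTS file has every mapping commented out. The script below is an added example written for this article, not code from GeeksAdvice or from any vendor tool; the HOSTS path is the standard Windows location and the sample file content and hostnames are constructed for the demonstration.

```python
from pathlib import Path

# Default location of the Windows HOSTS file (assumption: standard install path).
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Addresses an attacker maps security-vendor hostnames to so the browser never reaches them.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately resolve to a local address and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Return, sorted, every hostname pinned to a local sinkhole address, excluding the
    expected local names. On a default Windows install the result is empty, so any hit
    deserves a look (and, after an infection, removal of the line)."""
    return sorted({name for ip, name in parse_hosts(text)
                   if ip in SINKHOLE_IPS and name not in LOCAL_NAMES})


def check_live_hosts_file(path=HOSTS_PATH):
    """Read the real HOSTS file if present and return the suspicious entries (None if absent)."""
    path = Path(path)
    if not path.is_file():
        return None
    return suspicious_hosts_entries(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: the commented default lines plus two tampered mappings.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1   localhost
0.0.0.0     www.example-av-vendor.test      # constructed tampered entry
127.0.0.1   forum.example-security.test     # constructed tampered entry
"""

if __name__ == "__main__":
    print("sample file:", suspicious_hosts_entries(SAMPLE_HOSTS))
    live = check_live_hosts_file()
    print("live HOSTS file:", "not found" if live is None else (live or "clean"))
```

Run it on the infected machine after the antivirus scan; any hostname it lists should be checked and the offending line deleted so that vendor update servers and help pages become reachable again. The summary also mentions deletion of Volume Shadow Copies; `vssadmin list shadows` run from an elevated command prompt shows whether any remain for a restore attempt.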

This is a screenshot of files encrypted by the described ransomware variant.

Ingenious methods used by cybercriminals in distributing malware

Cybercriminals use diverse fraudulent methods to distribute malware to unsuspecting computer users, including phishing, malicious email attachments, software “cracks” and fake activation keys, misleading ads, and so on. They also use online torrent platforms, where pirated copies of in-demand software are uploaded as bait for their target victims. These pirated packages and attachments are bundled with malware that easily spreads to other computers once they are opened.

Therefore, computer users are hereby advised not to visit such platforms and also to avoid opening emails and attachments from unrecognized sources. Some of these pirated software contents may seem attractive since they cost next to nothing to install, but they’re extremely dangerous and can lead to severe losses that far outweigh their benefit (if any). Instead of making use of them, computer users are better off getting the authentic versions from the original content producers or their authorized distributors.

Cybercriminals also prefer popular file formats such as JavaScript, PDF and MS Word, among others, because malware can easily be embedded in them. Aside from using such formats, they give the malicious files enticing business names such as Invoice, Tracking Number or Pending Payment.

You should also be on the lookout for emails with spoofed addresses that impersonate well-known brands. Computer users who are not careful enough may fall victim to these scams; therefore, emails should be scrutinized to ensure they come from genuine sources before being opened. Nothing should be taken for granted, and anything that looks out of place should be treated as a red flag.

Websites claiming to offer STOP/DJVU ransomware online key decryption services should be ignored because there is a high chance they’re being used to further spread other types of ransomware or for extortion purposes.

Remove BYYA Ransomware/Decrypt Infected Files

It is time to remove the BYYA ransomware virus if you haven't already. An infected computer should be started in Safe Mode with Networking before any attempt is made to activate and run a good antivirus on it. Using RESTORO to repair damaged files is also recommended.

Once BYYA ransomware removal is accomplished, the following steps should be taken:

  • Inform relevant regulatory authorities.
  • Make use of your backup device in restoring encrypted files.
  • Research more on ways files encrypted by STOP/DJVU ransomware versions could be decrypted or repaired.
  • Passwords used in the compromised computer should be changed right away.

OUR GEEKS RECOMMEND

Our team recommends removing malware using a professional antivirus software and then using the following tool to repair virus damage to Windows system files:

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

BYYA Ransomware Virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the BYYA Ransomware Virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in that mode, but you can find additional ones in the in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove BYYA Ransomware Virus files. It is very hard to identify the files and registry keys that belong to the ransomware virus; besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.

RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press the F6 key.

Step 2. Start System Restore process

  1. Wait until the system loads and the command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Alternatively, type %systemroot%\system32\restore\rstrui.exe in the command prompt and hit Enter.
  3. This launches the System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before the ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite, System Mechanic Ultimate Defense has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure driver wiping technology. Due to this wide range of capabilities, it deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt BYYA files

Fix and open large BYYA files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file, so that the virus manages to reach all files on the system quickly. In some cases, the malicious program might skip some files entirely. That said, we recommend testing this method on several big (>1GB) files first.

  1. Create a copy of encrypted file to a separate folder using Copy > Paste commands.
  2. Now, right-click the created copy and choose Rename. Select the BYYA extension and delete it. Press Enter to save changes.
  3. In the prompt asking whether you want to make the changes as file might become unusable, click OK.
  4. Try opening the file.
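The four steps above can be applied to a whole folder at once while keeping the encrypted originals intact for a future decryptor. The script below is an added example written for this article, not a tool from GeeksAdvice or Emsisoft: it copies every .byya file into a separate folder with the extension stripped and reports which copies are larger than the 150 KB encrypted prefix, since only those have any data beyond the damaged region. The sample files it builds in a temporary directory are constructed for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".byya"
# STOP/DJVU is reported to encrypt only the first 150 KB of each file (figure from the article).
ENCRYPTED_PREFIX = 150 * 1024


def is_partial_recovery_candidate(size_bytes):
    """True when the file extends past the encrypted prefix, so the rest of it may still be intact."""
    return size_bytes > ENCRYPTED_PREFIX


def copy_without_extension(src, dest_dir):
    """Copy an encrypted file into dest_dir with the ransomware extension removed.
    The encrypted original is left untouched so a decryptor can still use it later."""
    src = Path(src)
    if not src.name.lower().endswith(ENCRYPTED_EXT):
        raise ValueError(f"{src.name} does not end in {ENCRYPTED_EXT}")
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name[:-len(ENCRYPTED_EXT)]  # 1.jpg.byya -> 1.jpg
    shutil.copy2(src, dest)
    return dest


def triage_folder(folder, dest_dir):
    """Copy every .byya file under folder into dest_dir and return a list of
    (restored name, size in bytes, worth trying to open) tuples, sorted by path."""
    report = []
    for path in sorted(Path(folder).rglob("*" + ENCRYPTED_EXT)):
        size = path.stat().st_size
        copy = copy_without_extension(path, dest_dir)
        report.append((copy.name, size, is_partial_recovery_candidate(size)))
    return report


def run_demo():
    """Build a constructed sample tree in a temp directory, triage it and return the report."""
    root = Path(tempfile.mkdtemp(prefix="byya-triage-"))
    src = root / "encrypted"
    src.mkdir()
    (src / "small.txt.byya").write_bytes(b"s" * 1024)          # entirely inside the 150 KB prefix
    (src / "big.bin.byya").write_bytes(b"b" * (200 * 1024))    # has data beyond the prefix
    report = triage_folder(src, root / "copies")
    # The copies must be byte-identical to the originals; only the name changes.
    assert (root / "copies" / "big.bin").read_bytes() == (src / "big.bin.byya").read_bytes()
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for name, size, candidate in run_demo():
        print(f"{name:12} {size:>8} bytes  worth opening: {candidate}")
```

Point `triage_folder` at the folder of encrypted files and at an empty destination folder on a clean drive, then try opening only the copies flagged True. Even for those, the first 150 KB is still ciphertext, so whether the file opens depends on the application tolerating a corrupted header; a video player or archive tool often does, an image viewer usually does not.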

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. BYYA Ransomware Virus is considered a new STOP/DJVU variant, just like XCVF, SIJR, EGFG, BBNM, IFLA, KRUU, BYYA (find full list here). This means that full data decryption is now possible only if your files were encrypted with an offline key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by the brilliant security researcher Michael Gillespie.

Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.

In order to test the tool and see if it can decrypt BYYA files, follow the given tutorial.

  1. Download the decryption tool from Emsisoft.
  2. Click the little arrow next to your download and choose Show in Folder.
  3. Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
  4. In UAC window, click Yes.
  5. Click Yes to agree to software terms in both windows.
  6. The tool will automatically include the C:\ disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
    In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
  7. Click Decrypt to start restoring BYYA files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
    You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.

Meanings of decryptor's messages

The BYYA decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your BYYA extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Report Internet crime to legal departments

Victims of BYYA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.

Another recommendation is to contact your country's or region’s federal police or communications authority.

Frequently Asked Questions

✓ How can I open .BYYA files?

You can only open BYYA files if you have the decryption key, or if you were affected by offline encryption type.

✓ How do I know if my files were encrypted with offline or online encryption?

To figure out whether you were affected by offline encryption, please go to C:\SystemID\PersonalID.txt and check whether the string inside it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
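The "t1" suffix rule in the answer above and the three decryptor messages explained in the "Meanings of decryptor's messages" section are easy to get wrong when reading them in a panic, so the following script applies both mechanically. It is an added example written for this article, not part of the Emsisoft decryptor or GeeksAdvice's tooling: it reads the ID from C:\SystemID\PersonalID.txt (the path given in the answer), classifies it as offline or online, and maps a pasted decryptor message to one of the three outcomes the article describes. The sample IDs and messages are constructed for the demonstration; the real ID format is not documented on this page.

```python
import re
from pathlib import Path

# Location the article gives for the victim ID written by STOP/DJVU (assumption: default path).
PERSONAL_ID_PATH = Path(r"C:\SystemID\PersonalID.txt")
# Per the article, an ID ending in "t1" was produced with an offline key.
OFFLINE_SUFFIX = "t1"


def classify_personal_id(personal_id):
    """Return 'offline' (decryption may become possible) or 'online' (backup is the only way)."""
    pid = personal_id.strip()
    if not pid:
        raise ValueError("empty personal ID")
    return "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"


def read_personal_id(path=PERSONAL_ID_PATH):
    """Return the first non-empty line of PersonalID.txt, or None if the file is absent."""
    path = Path(path)
    if not path.is_file():
        return None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        if line.strip():
            return line.strip()
    return None


# Rules built from the three decryptor messages quoted in the article; the first match wins.
MESSAGE_RULES = (
    (re.compile(r"\bonline ID\b", re.I), "online_key_no_recovery"),
    (re.compile(r"\boffline ID\b", re.I), "offline_key_wait_for_update"),
    (re.compile(r"Unable to decrypt file with ID", re.I), "no_key_in_database"),
)
# Captures the ID that follows "ID:" in a message, with or without square brackets.
ID_PATTERN = re.compile(r"\bID:\s*\[?([^\]\s]+)")


def classify_decryptor_message(message):
    """Map a decryptor message to one of the article's three outcomes, or 'unknown'."""
    for pattern, verdict in MESSAGE_RULES:
        if pattern.search(message):
            return verdict
    return "unknown"


def extract_id(message):
    """Return the ID quoted in a decryptor message, or None if there is none."""
    match = ID_PATTERN.search(message)
    return match.group(1) if match else None


def triage(personal_id, decryptor_message):
    """Combine both checks into one dict a victim can paste into a support request."""
    return {
        "personal_id": personal_id.strip(),
        "key_type": classify_personal_id(personal_id),
        "decryptor_verdict": classify_decryptor_message(decryptor_message),
        "message_id": extract_id(decryptor_message),
    }


# Constructed sample IDs (not real victim IDs): only the trailing "t1" matters here.
SAMPLE_OFFLINE_ID = "0123456789abcdefghijklmnopqrstuvwxyzABCDt1"
SAMPLE_ONLINE_ID = "0123456789abcdefghijklmnopqrstuvwxyzABCDEF"

# Constructed messages following the wording quoted in the article.
SAMPLE_MESSAGES = {
    "error": "Error: Unable to decrypt file with ID: " + SAMPLE_ONLINE_ID,
    "online": ("No key for New Variant online ID: " + SAMPLE_ONLINE_ID
               + "\nNotice: this ID appears to be an online ID, decryption is impossible"),
    "offline": ("Result: No key for new variant offline ID: " + SAMPLE_OFFLINE_ID
                + "\nThis ID appears to be an offline ID. Decryption may be possible in the future."),
}

if __name__ == "__main__":
    pid = read_personal_id() or SAMPLE_OFFLINE_ID   # fall back to the sample when not on a victim PC
    print(triage(pid, SAMPLE_MESSAGES["offline"]))
```

An "offline" result means the encrypted files are worth keeping and re-checking against the decryptor as updates arrive; an "online" result means restoration from backup is the only route, exactly as the article states, and no third-party "secret tool" changes that.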

✓ My files contain very important information (family memories). Every tool I used says it is impossible to decrypt. What should I do?

Please follow the guidance provided by the official BYYA decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or person hiding somewhere who can decrypt your files. Encryption is designed to be practically impossible to reverse without the private key (held by the criminals).

✓ I am afraid virus is still in my computer system. What should I do?

We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.

✓ I saw several Youtube videos suggesting secret decryption tools. Can I trust them?

Beware of fake BYYA decryption tools circulating around the web. Cybercriminals upload them to various shady websites and may also promote them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If an official STOP/DJVU decryption tool becomes available, it will be widely discussed in public media.
