Two cybersecurity firms Avast and Emsisoft have released free decryptors for BigBobRoss on March 10, 2019. The decryptors help victims infected with the BigBobRoss ransomware to recover their files without paying the ransom demand.
The big picture
A security researcher from Emsisoft named Michael Gillespie noted that BigBobRoss ransomware was first spotted on January 14, 2019, and since then has been silently infecting victims.
Gillespie noted that he spotted the ransomware when some victims attempted to identify the ransomware via ID-Ransomware. ID-Ransomware is a service developed by Gillespie which helps victims identify the ransomware that infected their computers.
Gillespie revealed that the ID-Ransomware received 25 submissions from BigBobRoss victims across 6 countries. However, the number of victims could be higher as not all victims use ID-Ransomware service.
Furthermore, how the ransomware propagates and infects victims still remains unknown.
Contents of the ransom note
BigBobRoss ransomware creates a ransom note name ‘Read Me.txt’ which contains the following text.
“Hello, dear friend! Your files are NOT damaged! Your files are modified only. The only way to decrypt your files is to receive the decryption program. Your files cannot be decrypted without the special program we made it for your computer. To receive the decryption program write to our email ‘BigBobRoss@computer4u[.]com’ and tell us your unique ID,” the ransom note read.
“Free decryption as guarantee. We guarantee the receipt of the decryption program after payment. To believe, you can give us 1 file that must be less than 1MB and we decrypt it for free. Files should be important to you! databases, backups, large excel sheets, etc. The easiest way to buy bitcoins is localBitcoins site. You have to register, click ‘buy bitcoins’ and select the seller by payment method and price,” the ransom note adds.
The ransom note also warned victims to not change the name of the files or file extensions if the files are important to them.
Encrypted files' extension - Once the BigBobRoss infects target devices, the files are encrypted and appended with .obfuscated extension. However, the ransomware doesn't actually obfuscate files but encrypts them with an AES-128 ECB algorithm.