BugWare virus - How to remove

BugWare ransomware virus is one of the few crypto-malware examples that demand ransoms to be paid in the Monero crypto-currency. We have only observed a couple of ransomware infections that make demands for Monero. Those samples include the Kirk, eBayWall and OhNo! ransomware viruses.

BugWare crypto-virus is delivered via the doc_2017100200000-15.pdf.exe payload (VirusTotal scan), which is responsible for many modifications in the operating system, mostly preparations for file encryption. PDF files, or executables with a double extension posing as PDFs, as in this case, have frequently been chosen to deliver ransomware and other malware. Therefore, be extremely careful with email attachments of this type.

BugWare crypto-malware encrypts files and features a screen-locker

BugWare ransomware

The file is also called Brazilian ransomware BugWare, which suggests that Brazilian and Portuguese-speaking users are targeted. However, this would mean that the virus has to check the language preferences or obtain the geo-location of potential victims. No .html or .txt files are dropped as ransom notes. Instead, the infection features a screen-locker that provides most of the information. It is difficult to deny that ransomware infections are improving and becoming more frightening (Ransomware threat escalating, warns Europol).

The screen-locker states that personal files and databases have been successfully encrypted with a strong 256-bit key algorithm, and that the decryption key is itself encrypted with RSA-2048. Hackers await victims’ letters at a [email protected] account. According to them, people can send their payments via the Bitcoin system instead of Monero (Trade Recommendation: Monero). We guess the only thing they care about is getting the money. Users have only 72 hours to pay the demanded ransom; according to the threat, victims’ files will be permanently deleted after this time passes. After reading these threats, users might be more willing to pay the demanded fees for decryption.

Authors of the BugWare crypto-virus might not even be capable of encrypting users’ files. This might occur because hackers did not have the slightest intention of helping victims recover data. In other cases, the keys/software for decryption they provide might not even be functional. The name of this ransomware could be explained by the fact that it displays a picture of a bug and adds a .[[email protected]] .BUGWARE extension to encrypted data.

Bugware virus

What are the possible file-decryption options?

For now, there is no dedicated tool to reverse the damage of the encryption. However, you could try universal file-recovery tools, and they might work to some extent; sadly, no promises can be made. In addition to this option, you could try recovering data via Shadow Volume Copies. However, most new ransomware infections are programmed to delete these automatically. Of course, the best option would be to remove the ransomware and retrieve files from a backup. However, this option is not always available. Why? It is the users’ fault.

Even though we emphasize the importance of backups, people rarely listen to our suggestions. In fact, it is very possible that the majority of people keep their digital data only on their hard drives. This is exactly what hackers are counting on. If more people avoid adapting to the new dangers of the cyber world, the chances of hackers receiving ransoms increase. We hope you will find this informative and hurry to upload files to alternative locations.

How is ransomware transmitted?

There is more than one way for hackers to distribute crypto-malware. One of the most popular techniques is to send deceptive email letters to users. They usually contain attachments or URLs. In this case, BugWare is transmitted as a file posing as a .pdf. In addition, an improperly protected RDP service can also be the way ransomware (or basically any other threat) infiltrates a system.

If you wish to be protected from malware, we advise you to choose a powerful anti-malware tool. You can select Spyhunter to help you out. Run regular scans to see whether your operating system needs some assistance.

How to recover BugWare virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that was created before BugWare virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of BugWare virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to BugWare virus. You can check other tools here.

Step 3. Restore BugWare virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually BugWare virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copies: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions. Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Because BugWare renames the files it encrypts, the Previous Versions tab of the folder that contains the file is often more useful than that of the renamed file itself. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer. It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
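As an added example that is not part of the original article: a PowerShell script that automates the Previous Versions search described above by checking every remaining shadow copy of the volume for the pre-encryption version of one BugWare-renamed file. It assumes the script runs as Administrator, that the encrypted name has the form <original>.[<email>].BUGWARE (the email is redacted on this page, so that suffix pattern is an assumption), and the output folder is the script's own choice.

```powershell
# Added example (not from the article): search every Volume Shadow Copy for the
# pre-encryption copy of one BugWare-renamed file. Run as Administrator.
# Assumption: encrypted names look like <original>.[<email>].BUGWARE.
param(
    [Parameter(Mandatory)] [string] $EncryptedFile,   # e.g. C:\Users\me\report.docx.[mail].BUGWARE
    [string] $OutDir = "$env:USERPROFILE\Desktop\vss-recovered"   # assumed output location
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Strip the ransomware suffix to recover the original path on the volume.
$full     = [System.IO.Path]::GetFullPath($EncryptedFile)
$original = $full -replace '\.\[[^\]]*\]\s*\.BUGWARE$', ''
if ($original -eq $full) { throw "Name does not carry the expected .[...].BUGWARE suffix" }
$driveLetter = $full.Substring(0, 2)        # "C:"
$relative    = $original.Substring(3)       # path below the volume root, no leading "\"

# Win32_ShadowCopy names volumes by GUID path, so map the drive letter first.
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
if (-not $volume) { throw "No volume found for $driveLetter" }

$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volume.DeviceID } |
           Sort-Object InstallDate -Descending
if (-not $shadows) { Write-Warning "No shadow copies left for $driveLetter (the ransomware may have deleted them)"; return }

$link = Join-Path $env:TEMP 'vss_view'
foreach ($s in $shadows) {
    # Expose the snapshot as a directory; the trailing backslash on DeviceObject is required by mklink.
    if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null

    $candidate = Join-Path $link $relative
    if (Test-Path -LiteralPath $candidate) {
        $stamp = $s.InstallDate.ToString('yyyyMMdd-HHmmss')
        $dest  = Join-Path $OutDir ("{0}_{1}" -f $stamp, [System.IO.Path]::GetFileName($original))
        Copy-Item -LiteralPath $candidate -Destination $dest
        Write-Host "Recovered $original from shadow copy $($s.ID) ($stamp) -> $dest"
    }
}
if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }   # remove only the link, not the snapshot
```

Each hit is saved under a timestamped name so that several snapshots of the same file can be compared before deciding which one to restore.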

Step 4. Use Data Recovery programs to recover BugWare virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.