A new variant of the infamous GlobeImposter ransomware has popped up on the malware scene. Called Bepabepababy, the newest member of the vicious ransomware family is designed to wreak havoc and extort payments from its innocent victims.
Upon infiltrating a device, Bepabepababy scans the system for user-generated files. The virus targets files that could contain valuable information, such as databases, presentations, documents, and archives.
Bepabepababy follows a simple renaming pattern. It keeps the original file name and extension and appends its operators' email address to the file name. For example, an archive called "Invoice.rar" will be renamed to "Invoice.firstname.lastname@example.org."
Upon completing the encryption operation, Bepabepababy will create an HTML file called "how_to_back_files.html," which contains a ransom-demanding message.
Ransom Note Text:
“YOUR PERSONAL ID---
ENGLISH
YOUR FILES ARE ENCRYPTED!
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
Don't worry, you can return all your files! All your files like photos, databases, documents, and other important are encrypted with the strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files.
To recover data you need a decryptor.
To get the decryptor you should:
Attention!”
Bepabepababy's ransom note informs the victim that their data is not permanently lost and that a decryption tool is available for a price.
However, instead of naming the decryption price, Bepabepababy instructs the victim to create a Protonmail account. Victims are told to use their new email account to contact the threat operators via either the email@example.com or firstname.lastname@example.org email address.
Victims are cautioned not to waste time because the only decryption key capable of recovering their files will be stored on the criminals' server for a limited time.
Additionally, victims are warned that their data will be leaked online if they refuse to pay. The note, however, doesn't specify where the stolen data will be published.
Sadly, there are no alternative decryption tools for Bepabepababy ransomware. However, experts recommend against involving the threat operators.
Victims are warned that they are dealing with experienced manipulators who know how to lure their victims into doing things best avoided.
Ransomware operators often ignore their victims once the ransom is paid. Furthermore, these individuals usually "rent" ransomware services from other criminals. The threat operators usually lack the technical skills to help their victims when an issue pops up.
Victims can use backups stored on external devices to recover their files. Of course, the ransomware must be removed before any external device is connected to the host machine. Otherwise, Bepabepababy will spread its corruption to the backup device and corrupt the data saved on it.
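Before restoring, it helps to know which directories were hit. The sketch below is an added example, not code from the article or from any vendor tool: it walks a directory tree and flags folders containing the "how_to_back_files.html" note and files whose names end in an email address. The generic address pattern, the verdict labels, and the sample file names are assumptions made for illustration.

```python
import os
import re
import sys
import tempfile
from collections import defaultdict

NOTE_NAME = "how_to_back_files.html"  # ransom note name given in the article
# Assumption: the appended operator address is the final part of the name,
# joined by a dot. The pattern is generic; no real address is hard-coded.
EMAIL_TAIL = re.compile(
    r"\.[A-Za-z0-9_%+-][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

def scan(root):
    """Return {directory: {"note": bool, "renamed": [file names]}} for hits."""
    hits = defaultdict(lambda: {"note": False, "renamed": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == NOTE_NAME:
                hits[dirpath]["note"] = True
            elif EMAIL_TAIL.search(name):
                hits[dirpath]["renamed"].append(name)
    return dict(hits)

def classify(entry):
    """Note plus renamed files matches the article; either alone is weaker."""
    if entry["note"] and entry["renamed"]:
        return "likely-encrypted"
    return "note-only" if entry["note"] else "review"

def report(root):
    """Map each flagged directory (relative to root) to its verdict."""
    return {os.path.relpath(d, root): classify(e) for d, e in scan(root).items()}

def build_constructed_tree(root):
    """Create empty, constructed sample files (hypothetical names) for a dry run."""
    sample = ["docs/Invoice.rar.ops@example.org", "docs/" + NOTE_NAME,
              "misc/report.pdf.ops@example.org", "pics/photo.jpg",
              "old/" + NOTE_NAME]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan the path given on the command line
        target = sys.argv[1]
    else:                          # no argument: scan the constructed tree
        target = tempfile.mkdtemp()
        build_constructed_tree(target)
    for directory, verdict in sorted(report(target).items()):
        print(f"{verdict:18} {directory}")
```

A "review" verdict only means a file name ends in something that looks like an email address; legitimate files can match, so those directories need a manual look.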
Although many ransomware threats are deployed in targeted attacks, Bepabepababy relies on classic distribution tricks. The ransomware uses emails, corrupted links, fake updates, and malicious installers. In rarer cases, trojan horses could also drop the threat as second-stage malware.
Experts explain that most cyber infections are caused by no one else but the victims themselves. Criminals lay various traps and wait for naive users to fall into them. The good news is that good cyber hygiene can prevent these tricksters from succeeding.