BDDY Ransomware Removal Guide

Do you know what BDDY Ransomware is?

If you make the mistake of letting BDDY Ransomware into your operating system, your files are quickly encrypted, and at that point, there is nothing you can do to get them back. As soon as our research team began analyzing this malware, we immediately scoured the web for working decryptors. In rare cases, malware researchers are able to build free decryptors, but, unfortunately, none existed for the victims of Matrix Ransomware, the predecessor of Matrix-NEWRAR Ransomware, Matrix-EMAN Ransomware, Matrix-THDA Ransomware, and also BDDY. Although these infections share some similarities, it is important that we inspect them individually because we want to ensure that victims can delete this malware efficiently. If you continue reading, you will learn how to remove BDDY Ransomware.

Just like most threats of this caliber, BDDY Ransomware is likely to spread with the help of unsecured RDP channels. Bundled downloaders and spam emails could be exploited too. The threat's priority is to slither in unnoticed, because that is what allows it to drop files, create tasks, and, of course, encrypt files undisturbed. When we analyzed the threat, it dropped .bat and .bmp (an image that replaces the desktop background) files with random names into the %APPDATA% directory. It also created a scheduled task to ensure that the .bat file ran at specific times. Unfortunately, this file was used to delete shadow volume copies, which means that users relying on system restore points to recover personal files after encryption were stuck. Hopefully, you have backups stored outside the computer, and you can replace the encrypted files once you delete BDDY Ransomware from your operating system.

When BDDY Ransomware encrypts files, their names are changed completely to a string of random characters, and the “[Buddy@criptext.com].” prefix is added at the front. So, for example, a file named “picture.jpg” can look something like “[Buddy@criptext.com].AcABnUOw-VKEL6a2V.BDDY” after encryption. Alongside the encrypted files, a file named “#BDDY_README#.rtf” should be dropped by BDDY Ransomware. The message delivered in this file informs the victim of the encryption and instructs them to obtain a “specific automatic decryption tool.” To obtain it, the victim has to contact the attacker first, and there are three email addresses listed in the message: Buddy@criptext.com, Buddy888@protonmail.com, and buddy888@tutanota.com. If you do this, you should receive a response urging you to pay for the decryption tool, but if you pay for it, there are no guarantees that you will receive it. Therefore, we do not recommend contacting the attackers or paying the ransom.

We have mentioned that having backups of your personal files stored outside the computer is important. If you do not have backups, you have no options, but if you have backups, you can replace the corrupted files. Of course, you should do that only after you delete BDDY Ransomware from your system because you do not want any damage to be done to your backups. Do you have a plan for how you will remove the threat? If you think you know where the launcher file is, manual removal is possible. However, if you cannot find the file, we strongly advise using anti-malware software. It will remove BDDY Ransomware automatically. Just as important, this software will keep your system protected against ransomware and other kinds of malware in the future. Hopefully, after removal, you can replace the encrypted files with backups.

Remove BDDY Ransomware

  1. Delete the malicious .exe file that launched the threat (the file's name and location are random).
  2. Check every affected folder to find and delete the ransom note file named #BDDY_README#.rtf.
  3. Tap the Win+E keys simultaneously to launch Explorer and then enter %APPDATA% into the bar at the top.
  4. Delete a .bmp file with a random name and a .bat file with a random name.
  5. Enter %WINDIR%\System32\Tasks\ into the bar at the top of Explorer to find all tasks.
  6. Delete a task with a random name that you can confirm was set up by the ransomware.
  7. Empty Recycle Bin and then use a malware scanner to perform a thorough system scan.
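Before deleting anything, it helps to inventory what the infection left behind. The following Python script is an added example, not part of the original guide: it walks a folder tree for the file-name pattern and ransom note described above, and flags scheduled-task definitions (the XML layout used under %WINDIR%\System32\Tasks) whose action runs a .bat from an AppData path. The sample tree and task XML it builds are constructed for the demonstration, and the user path inside the sample task is a placeholder.

```python
import os
import re
import xml.etree.ElementTree as ET

# Indicators quoted in the guide: e-mail prefix + .BDDY extension, fixed note name.
ENCRYPTED_RE = re.compile(r"^\[Buddy@criptext\.com\]\.[A-Za-z0-9\-]+\.BDDY$")
RANSOM_NOTE = "#BDDY_README#.rtf"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

def classify(name):
    if name == RANSOM_NOTE:
        return "note"
    return "encrypted" if ENCRYPTED_RE.match(name) else None

def inventory(root):
    # Lists (never deletes) ransom notes and encrypted files under root.
    found = {"note": [], "encrypted": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if kind := classify(f):
                found[kind].append(os.path.join(dirpath, f))
    return found

def suspicious_tasks(tasks_dir):
    """Flag task XML (layout of %WINDIR%\\System32\\Tasks) running a .bat from AppData."""
    hits = []
    for dirpath, _, files in os.walk(tasks_dir):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not XML, skip
            for cmd in tree.iter(TASK_NS + "Command"):
                text = (cmd.text or "").lower()
                if text.endswith(".bat") and "appdata" in text:
                    hits.append((path, cmd.text))
    return hits

SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Actions Context="Author"><Exec>
<Command>C:\\Users\\victim\\AppData\\Roaming\\kj3h2k.bat</Command>
</Exec></Actions></Task>"""  # constructed sample with a placeholder path

def build_sample(root):
    """Create a constructed victim tree (root plus root/Tasks) for an offline run."""
    tasks = os.path.join(root, "Tasks")
    os.makedirs(tasks)
    for n in ("[Buddy@criptext.com].AcABnUOw-VKEL6a2V.BDDY", RANSOM_NOTE, "report.docx"):
        open(os.path.join(root, n), "w").close()
    with open(os.path.join(tasks, "Xk29ab"), "w") as fh:
        fh.write(SAMPLE_TASK)
```

Run `inventory()` on a user profile and `suspicious_tasks()` on the real Tasks folder to see which paths steps 2, 4 and 6 should target; the script only reports, so deletion stays a deliberate manual step.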

In non-techie terms:

BDDY Ransomware is a sneaky infection that could slither into your operating system without any notice. Once inside, it encrypts files, and besides changing the data within, the infection also changes their names to make them unrecognizable. Unfortunately, free decryptors did not exist at the time of research, and system restore points could not be used either. The attackers behind the threat suggest that they can offer a real decryptor, but trusting cybercriminals is a mistake, and so we do not recommend it. If you are prepared, all of your personal files are already backed up online, and you can easily replace the corrupted files after deleting BDDY Ransomware. Eliminating this threat manually is not the easiest task, but some victims might be able to do it. Nonetheless, all victims of ransomware are advised to implement legitimate anti-malware software that can erase threats and also reinstate Windows protection at the same time.