Bec Ransomware

The main goal of the Bec Ransomware is to infect user and corporate computers and encrypt the data stored there. The attackers then try to extort money from the victims through a double-extortion scheme. First, they take the locked files as 'hostages' and promise to return them to their normal state only upon being paid a hefty ransom. Second, the cybercriminals also claim to collect important private or confidential data prior to the encryption of the files. The Bec Ransomware has been confirmed to be a new malware variant based on the Sojusz Ransomware threat.

As part of its actions, the Bec Ransomware heavily modifies the original names of the encrypted files. It appends a string of random characters, followed by an email address belonging to the hackers and, finally, a new file extension. The email address is 'beacon@jitjat.org', while the file extension is '.bec'. The ransom note with instructions from the hackers is delivered to the victim's machine as a text file named '!!!HOW_TO_DECRYPT!!!.txt'.
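The renaming pattern and note name described above can be used to scope an incident from a file listing. The following triage sketch is an added example, not code from the original article; the function names and the sample paths (including the separator between the random string and the email address) are constructed assumptions.

```python
import os
from collections import defaultdict

# Indicators quoted in the article.
CONTACT_EMAIL = "beacon@jitjat.org"
EXTENSION = ".bec"
NOTE_NAME = "!!!HOW_TO_DECRYPT!!!.txt"


def classify(filename):
    """Return 'note', 'encrypted' or None for a single file name."""
    lower = filename.lower()
    if lower == NOTE_NAME.lower():
        return "note"
    # The article gives the order (random string, email, extension) but not
    # the separators, so match on order only: email before the final '.bec'.
    # A bare '.bec' file without the email is not flagged.
    if lower.endswith(EXTENSION) and CONTACT_EMAIL in lower[: -len(EXTENSION)]:
        return "encrypted"
    return None


def triage(paths):
    """Group hits by directory: {dir: {'encrypted': count, 'note': bool}}."""
    report = defaultdict(lambda: {"encrypted": 0, "note": False})
    for path in paths:
        directory, name = os.path.split(path)
        kind = classify(name)
        if kind == "encrypted":
            report[directory]["encrypted"] += 1
        elif kind == "note":
            report[directory]["note"] = True
    return dict(report)


# Constructed sample listing; the separator style is a guess, not from the article.
SAMPLE = [
    "/srv/share/finance/q3.xlsx.Xk29aQpL-beacon@jitjat.org.bec",
    "/srv/share/finance/!!!HOW_TO_DECRYPT!!!.txt",
    "/srv/share/finance/readme.txt",
    "/srv/share/hr/roster.docx",
    "/srv/share/hr/notes.bec",
]

if __name__ == "__main__":
    for directory, hits in sorted(triage(SAMPLE).items()):
        print(directory, hits)
```

The input can be any list of paths, such as the output of `os.walk` over a mounted disk image or a file listing exported from a backup catalogue.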

Ransom Note's Overview

According to the note, Bec Ransomware uses a combination of three strong cryptographic algorithms and ciphers - AES-256, RSA-2048, and CHACHA. The attackers also state that they are willing to demonstrate their ability to restore the locked data by decrypting 3 small files. However, the chosen files should not contain any valuable information. 

To initiate contact, victims are told that they need to message both of the email addresses found in the note. One is the same address as the one added to the names of the affected files, while the second is 'beacon@msgsafe.io'. According to the note, victims have 3 days to contact the hackers. After that period is over, the stolen data will be released to the public on the Darknet.

The full ransom note dropped by Bec Ransomware is:

'All your valiable data has been encrypted!

Hello! Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.

All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.

Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.

We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.

We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers.

If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours

we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.

This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases

to interested parties to generate some profit.

Please understand that we are just doing our job. We don't want to harm your company.

Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,

please don't try to fool us.

-

If you want to resolve this situation, please write to ALL of these 2 email addresses:

* beacon@jitjat.org

* beacon@msgsafe.io

In subject line please write: |your MachineID:

------------------------------|and LaunchID:

Important!

* We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.

* Our message may be recognized as sp'
