BIDON has been identified as a ransomware threat. Ransomware is a category of malicious program designed to encrypt files and demand a ransom for their decryption. When a sample of BIDON is executed on a system, it begins encrypting files. The ransomware appends a '.PUUUK' extension to the names of affected files while leaving the original extension in place: a file initially named '1.jpg' appears as '1.jpg.PUUUK', '2.png' as '2.png.PUUUK', and so on.
Following the encryption process, the BIDON Ransomware drops a ransom note named 'readme.txt'. The content of this note shows that the operators employ a double extortion strategy: they not only encrypt files but also threaten to publish internal data that was exfiltrated before encryption if the ransom is not paid. The note also makes clear that BIDON targets organizations rather than individual home users. Further analysis indicates that BIDON is a new variant of the MONTI Ransomware family.
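The renaming and note-dropping behaviour described above can be turned into a quick triage check during incident response. The following Python script is an added example, not code from the original page or from any vendor: it walks a directory tree, flags files carrying the appended '.PUUUK' extension, applies a Shannon-entropy check (the 7.0 bits-per-byte threshold is an assumption) to separate genuinely encrypted content from files that were merely renamed, and locates 'readme.txt' notes containing the phrase from the note's first line. The sample directory built by build_sample_tree() is constructed for the example.

```python
"""Triage helper for a suspected BIDON infection (added example, not vendor code)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".PUUUK"                   # extension appended by BIDON, per the write-up
NOTE_NAME = "readme.txt"                   # ransom note filename, per the write-up
NOTE_MARKER = "encrypted by BIDON strain"  # phrase from the note's first line
ENTROPY_THRESHOLD = 7.0                    # bits/byte; assumption: ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_bidon_filename(name: str) -> bool:
    # '1.jpg' becomes '1.jpg.PUUUK'; a bare '.PUUUK' is not a renamed file.
    return name.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT)


def original_name(name: str) -> str:
    """Recover the pre-encryption filename (the original extension is preserved)."""
    return name[:-len(ENCRYPTED_EXT)] if is_bidon_filename(name) else name


def is_bidon_note(path: Path) -> bool:
    if path.name.lower() != NOTE_NAME:
        return False
    try:
        return NOTE_MARKER in path.read_text(errors="ignore")
    except OSError:
        return False


def triage(root) -> dict:
    """Classify every file under root; paths are returned relative, POSIX-style."""
    root = Path(root)
    result = {"encrypted": [], "low_entropy_suspects": [], "notes": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            rel = p.relative_to(root).as_posix()
            if is_bidon_filename(fn):
                # Only the first 64 KiB is sampled; enough to judge randomness.
                if shannon_entropy(p.read_bytes()[:65536]) >= ENTROPY_THRESHOLD:
                    result["encrypted"].append(rel)
                else:
                    # Name matches but content is not random: a renamed
                    # plaintext file, a partial write or a decoy. Worth a look.
                    result["low_entropy_suspects"].append(rel)
            elif is_bidon_note(p):
                result["notes"].append(rel)
    return result


def build_sample_tree(root) -> None:
    """Constructed sample data: two 'encrypted' files, one renamed plaintext
    file, one BIDON note and one unrelated readme.txt."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "1.jpg.PUUUK").write_bytes(os.urandom(4096))
    (root / "docs" / "2.png.PUUUK").write_bytes(os.urandom(4096))
    (root / "docs" / "notes.txt.PUUUK").write_bytes(b"A" * 4096)
    (root / "readme.txt").write_text(
        "All of your files are currently encrypted by BIDON strain.\n")
    (root / "docs" / "readme.txt").write_text("Unrelated project readme\n")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {sorted(items)}")
```

Run it against a mounted image or a share rather than the live infected host, and treat the low-entropy matches as evidence to review rather than as false positives: a file that carries the extension but still contains plaintext tells you where the encryption run stopped.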
The BIDON Ransomware Locks a Wide Range of Data on Infected Devices
BIDON's ransom note delivers a clear message to the victim, stating that their data has been encrypted and emphasizing that recovery without the involvement of the attackers is impossible. The note explicitly warns against attempting manual decryption or using third-party recovery tools, as these actions may cause irreversible damage to the data.
To support their claims, the attackers offer a free decryption test on two files as proof that recovery is feasible with their assistance. However, they strongly urge the victim to establish immediate contact with them, implying that they possess sensitive information extracted during the infection. Refusal to communicate or seek help from recovery companies or authorities is discouraged, as the attackers threaten to publish the stolen content on their dedicated data-leaking websites.
Furthermore, the ransom note of the BIDON Ransomware highlights that communication with the attackers will be limited to authorized company personnel, indicating their preference for direct interaction with individuals who hold decision-making roles within the victim's organization.
Overall, the ransom note exhibits a clear and strategic approach, leveraging the fear of data loss and potential data exposure to coerce the victim into complying with the attackers' demands and engaging in communication with them as swiftly as possible. It underscores the urgency of the situation and the severity of the consequences if the victim does not cooperate.
Take Effective Security Measures to Protect Your Devices and Data
Protecting devices and data from ransomware attacks requires a multi-layered approach that combines preventive measures, proactive security practices, and user awareness. Here are some key security measures that users can implement to safeguard their devices and data:
- Install and Update Security Software: Use reputable anti-malware or endpoint security software to detect and block ransomware. Keep it updated so that it receives new detection signatures and security patches.
- Keep Operating Systems and Software Updated: Regularly update the operating system and all installed software, including Web browsers and their plugins. These updates often include security fixes for vulnerabilities that ransomware operators exploit to gain access.
- Back Up Data Regularly: Regularly back up all necessary files and data to an external storage device or a cloud-based service, and keep at least one copy offline or otherwise unreachable from the production network, since ransomware operators routinely encrypt or delete any backups they can reach. Even if your files are encrypted, you can restore them from a backup without paying the ransom; test restores periodically so you know the backups are usable.
- Be Cautious with Attachments and Links: When opening email attachments or clicking on links, be extra careful, especially with messages from unknown or suspicious sources. Ransomware often spreads through phishing emails, so be wary of unexpected messages.
- Use Strong Passwords and Multi-Factor Authentication (MFA): Use strong, unique passwords for all your accounts and enable MFA wherever possible. MFA adds an extra layer of security, making it harder for attackers to compromise your accounts.
- Disable Macros in Office Documents: Ransomware may be delivered through malicious macros in Office documents. Disable macros by default and only enable them when necessary.
- Educate and Train Users: Educate all users on ransomware risks and best practices for avoiding and responding to potential threats. Regular security training can help users recognize suspicious activities and potential phishing attempts.
By following these security measures and staying vigilant, users can significantly lower the risk of falling victim to ransomware attacks and protect their devices and valuable data from exploitation.
The full text of the ransom note left on devices infected by BIDON Ransomware is:
'All of your files are currently encrypted by BIDON strain. If you don't know who we are - just "Google it."
As you already know, all of your data has been encrypted by our software.
It cannot be recovered by any means without contacting our team directly.
DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,
if you want to try - we recommend choosing the data of the lowest value.
DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond.
So it will be better for both sides if you contact us as soon as possible.
DON'T TRY TO CONTACT feds or any recovery companies.
We have our informants in these structures, so any of your complaints will be immediately directed to us.
So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.
To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first hxxps://torproject.org)
Also visit our blog (via Tor):
YOU SHOULD BE AWARE!
We will speak only with an authorized person. It can be the CEO, top management, etc.
In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!
Inform your supervisors and stay calm!