Bmo Ransomware
It appears that the Dharma Ransomware family is still retaining a certain portion of popularity among cybercriminal circles. Indeed, infosec researchers have caught a new potent Dharma variant that is threatening users' computers. The threat is tracked as the Bmo Ransomware and it can cause massive damage to the compromised devices.
By employing an uncrackable cryptographic algorithm, the attackers are able to lock the victim's files effectively. Affected users who wish to regain access to their precious personal or crucial work-related information are extorted to pay a ransom to the attackers, in exchange for receiving the necessary decryption keys.
Technical Details
The Bmo ransomware can encrypt documents, PDFs, archives, databases, pictures, photos, audio, and video files, and many other file extensions. Each locked file will be marked via a significant modification of its original name. First, the Bmo Ransomware will append a specific ID string that is unique for each victim. Then, the threat includes an email address (buymeout@onionmail.org) that is controlled by its operators. Finally, '.bmo' will be added as a new file extension. After all targeted files on the system have been locked, the malware will proceed to create two ransom notes. One will be placed inside text files named 'info.txt,' while the other will be presented to the victim as a pop-up window.
Ransom Notes Overview
The message found in the text file is extremely brief and lacks any meaningful details. It simply urges Bmo Ransomware's victims to contact the attackers via the 'buymeout@onionmail.org' and 'buymeout@msgsafe.io' email dresses. The actual instructions from the attackers are shown in the pop-up window. The ransom note there clarifies that the secondary email should be used in case victims do not receive an answer within 12 hours after messaging the main email. The second half of the note consists of numerous warnings.
The message delivered via the 'info.txt' file is:
'all your data has been locked us
You want to return?
write email buymeout@onionmail.org or buymeout@msgsafe.io'
The pop-up window instructions are:
YOUR FILES ARE ENCRYPTED
'1024
Don't worry, you can return all your files!
If you want to restore them, write to the mail: buymeout@onionmail.org YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:buymeout@msgsafe.ioATTENTION!
We recommend you contact us directly to avoid overpaying agentsDo not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
