Need Help! BGTX ransomware victim

anchit02
Hello,

Today I've noticed that the majority of the files on the computer have been locked and their extension changed to BGTX. I understand that it's a ransomware attack, so I was wondering how to fix this and resolve the issue. I've googled BGTX malware/ransomware, but I got hits on very sketchy sites that look like they always want you to download some automatic tool. Can anyone please help?

All machines on my network are affected: 2 machines are running Win 7 x64 and one is on Win 10 x64.
 
cherry blossoms
I believe this is a CrySIS/Dharma variant from preliminary reports I have seen. SOME CrySIS variants (not all) have their decryption keys available. You may be able to recover your files in the future if keys for this variant are publicly released.
 

anchit02
Update: I'm using Avast Anti-Virus free version (Program version: 18.6.2349 / Virus definition version: 181005-0) and I've run a Full Virus Scan and a Boot-Time Scan, and it reported no viruses. But my computer is now filled with "bgtx" files: all Zip, Doc, xls, and many exe files.
 

USAFRet

2 issues:

1. Remove the virus

2. Decrypt your files


As #2 is the actual important thing, and I've seen zero decryption details in the wild...#1 is irrelevant.
Removing the "malware" does not decrypt your files.

Wipe and reinstall the OS, and recover your documents from your backup.
If you don't have a good backup from before this happened...you're pretty much out of luck.
 

anchit02
Hello USAFRet,
Thanks for your reply. I do have images of all my disks from before the attack and I've tried restoring from those images. I'll explain my situation in a little more detail here:

Got 3 PCs on the network, 2 Win 7 x64 machines and 1 Win 10 x64 machine. The 2 Win 7 machines are completely filled with this "bgtx" virus, and only a few folders are affected on the Win 10 PC. The Win 10 PC acts as a backup file storage server that keeps all the backups of the other 2 PCs, using Aomei Backupper software that I use to make scheduled disk backups.

What I've tried so far:
1) Unplugged all 3 computers from the network so they don't spread to each other.
2) Ran antivirus scans using AVAST and Windows Defender on all 3 PCs locally, and NO virus/malware was detected, even though the 2 Win 7 PCs are full of these "bgtx" files.
3) Formatted all disk drives of PC1 running Windows 7 x64 and restored from the backup image of the drives from the Win 10 PC. I've restored images made before the attack (the attack happened on 3rd October 2018 at 3:09am), so I'm restoring from images made on 28th Sept 2018.

Here is the tricky part: on PC1, after all the drives are restored, I can see that all the files are normal, no files have the "bgtx" extension, and all is working normally. But it only keeps working like that for a day or two. During these 2 days, the virus comes back to PC1 and corrupts all the files again. Please note that during these 2 days, PC1 is completely offline, all network cables are physically unplugged from the ports, and the PCs have no Wi-Fi.

During this time, I've kept the other PCs on the network turned off. So, where is this virus coming from even after I do a clean restore from my images? And how do I get rid of this thing?

I'm not worried about decrypting the files, because the backup images have all my original data safely stored, which btw is also offline and not connected to any PC at the moment.

Any suggestions?

anchit02
Yes. I understand that. Now, what I need help with is any program that will detect and remove the virus/malware. Don't care about the decryptor now. Any suggestions?
 

USAFRet

A clean install of the OS, from known good install media.
Apparently, your backups are compromised.

Full wipe and reinstall.