Ransomware - BigBobRoss

BigBobRoss

Aliases

Obfuscated

Cheetah

Decryptor Available

Yes

Description

BigBobRoss isn't as friendly as the name implies. This ransomware uses symmetric encryption in the form of AES-128-ECB and has several file extensions when encrypting files, including .obfuscated, .cheetah, .encrypted, .encryptedALL, and .djvu. The ransomware existed throughout almost all of 2019 and asked victims to contact the ransomware operators directly to decrypt files. Luckily, a public and free decryptor is available from Avast and Emsisoft.

Ransomware Type

Crypto-Ransomware

First Seen

January 2019

Last Seen

November 2019

Extortion Types

Direct Extortion

Communication(12)

Medium

Identifier

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Email

[email protected]

Telegram

@BigBobRoss

Telegram

@WilliGarcia

Encryption

Type

Symmetric

Files

AES-128-ECB

File Extension(6)

<file name>.obfuscated

[id=XXXXXXXX]<file name>.cheetah

[id=XXXXXXXX]<file name>.djvu

[id=XXXXXXXX]<file name>.encrypted

[id=XXXXXXXX]<file name>.encryptedALL

[id=XXXXXXXX]<file name>.obfuscated

Ransom Note Name

Encrypt Message.txt

How to recover your files.html

How to recover your files.txt

Read Me.txt

Ransom Note Image

BigBobRoss-RansomNote-2ACBA

Click to enlarge

BigBobRoss-RansomNote-90958

Click to enlarge

BigBobRoss-RansomNote-3E6DF

Click to enlarge

BigBobRoss-RansomNote-E49D7

Click to enlarge

BigBobRoss-RansomNote-2fec3

Click to enlarge

Samples (SHA-256)(7)

2fec3892efa6ad300ff1d5334875d94e0470bf1b4e71449b10221f790f5f2d3

5239b2ba5e23cf5aaa05c71d6d0e59ada232f68f091bc6e31cd57cc54e27650a

615df3284db695a629aa21a8f06d4d2a00c51659ca55effe283a76e3d361698a

9abf83adb634aa4ae2acaa96ce3c636e68e946cd13d69d08975ff8c2840991ca

b9c4412242f40a182b286f57ac0ee5d4e34cf60e467966406d66e31f2ef0c388

eb00e3c45cb698e44b087fd4646da69631ae88ba670d4d1507c7232040b10138

fb5ff9634c82e92bdcd153510abd9fd0186b97d20a76c30d31ebea51c6104ef4

Decryptors

Avast: BigBobRoss

Emsisoft: BigBobRoss

References & Publications(7)

BleepingComputer Forums: BigBobRoss (.obfuscated; Read me.txt) Ransomware Support Topic

BleepingComputer Forums: new version of BigBobRoss

BleepingComputer Forums: Unknown Ransomware .CHEETAH extension

Elastio: BigBobRoss

The Crypto-Ransomware Digest: BigBobRoss, Cheetah

Twitter | X: @demonslay335 - .encryptedALL & .djvu

Twitter | X: @demonslay335 - .obfuscated

Ransomware Tracker