BuSaveLock Ransomware Will Encrypt Your Files

Our research team recently discovered a ransomware variant called BuSaveLock, which belongs to the MedusaLocker family. Its primary objective is to encrypt files and demand payment in exchange for decrypting them. Additionally, BuSaveLock incorporates a ransom note ("How_to_back_files.html") and modifies file names.

To rename files, BuSaveLock adds a specific number along with the ".busavelock" extension to the original filenames. The number within the extension varies depending on the particular variant of BuSaveLock. For instance, a file originally named "1.jpg" would be changed to "1.jpg.busavelock53," while "2.png" would become "2.png.busavelock53," and so on.

The accompanying ransom note informs the victim that all crucial files have been encrypted using RSA and AES encryption methods. It strongly advises against attempting to restore the files using third-party software, as it claims that such attempts would permanently corrupt the files. Furthermore, the note instructs victims not to modify or rename the encrypted files.

The ransom note boldly asserts that no software available on the internet can assist in resolving the issue, emphasizing that the attackers possess the exclusive ability to decrypt the files. It further states that the attackers have gained access to highly sensitive and personal data, which is currently stored on a private server. If the victims refuse to pay, the attackers threaten to make the data public or sell it to other parties.

As a demonstration of their ability to restore the encrypted files, the note mentions that the cybercriminals offer to decrypt 2-3 non-important files free of charge. The note provides contact details for communication, including two email addresses: ithelp11@securitymy.name and ithelp11@yousheltered.com.

The ransom note concludes with a warning that failure to contact the attackers within 72 hours will result in an increased price for the decryption software.

BuSaveLock Ransom Note Threatens to Leak Stolen Info

The full text of the BuSaveLock ransom note reads as follows:

YOUR PERSONAL ID:

YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

email:
ithelp11@securitymy.name
ithelp11@yousheltered.com

• To contact us, create a new free email account on the site: protonmail.com
  IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

How Can Ransomware Like BuSaveLock Infiltrate Your System?

Ransomware like BuSaveLock can infiltrate your system through various methods, including:

Email attachments: One common method is through malicious email attachments. Hackers disguise ransomware as innocent-looking files, such as documents or PDFs, and send them as email attachments. If you unknowingly open and download the attachment, the ransomware gets executed on your system.

Malicious links: Ransomware can also be distributed through phishing emails or messages that contain links to infected websites. Clicking on these links can lead to the download and execution of ransomware on your system.

Exploit kits: Cybercriminals may exploit vulnerabilities in outdated software or operating systems. By using exploit kits, they can automatically deliver ransomware onto your system when you visit compromised websites or click on malicious advertisements.

Malicious downloads: Ransomware can be hidden within seemingly harmless downloads from untrusted or compromised websites. This can include software cracks, key generators, or pirated content, where the ransomware payload is bundled with the intended download.

Remote Desktop Protocol (RDP) vulnerabilities: If your system has Remote Desktop Protocol enabled and is accessible over the internet with weak or compromised credentials, attackers can exploit these vulnerabilities to gain unauthorized access and install ransomware.

Malvertising: Malicious advertisements, also known as malvertisements, can appear on legitimate websites. These advertisements may contain malicious code that can trigger the download and installation of ransomware when clicked.

Drive-by downloads: Ransomware can also be distributed through drive-by downloads, which occur when you visit a compromised website that automatically downloads and executes the ransomware without your knowledge or interaction.