What is BASS-FESS ransomware? And how does it execute its attack?
BASS-FESS ransomware, also known as BitchASS File Encryption System, is a ransomware infection built on the open-source Hidden Tear project. It is designed to take files hostage in order to extort money from its victims. This Hidden Tear variant was first observed on November 17, 2017. The crypto-malware most likely infiltrates a computer when the user opens a corrupted email attachment. Once its malicious payload is installed and executed on the system, BASS-FESS scans the entire computer drive looking for files with these extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
After it finds the files, it starts encrypting them using a combination of the AES and RSA encryption algorithms and appends the .basslock extension to the end of each encrypted file’s name. Following data encryption, it delivers a ransom note in a text file named BASS File Encryption Service Notice.txt that contains the following message:
“File Recovery Notice by BitchASS File Encryption System (BASS-FES)
Your files have been successfully encrypted and backed up in the cloud storage by BASS File Encryption System.
If you want to recover your files, please send 1 BTC to the following address:
If you sent 1 BTC to the address, email at [email protected] with your Bitcoin address.”
BASS-FESS demands a ransom of 1 Bitcoin, equivalent to $8,200 at the time of research. Victims are asked to transfer the ransom to the provided Bitcoin wallet address and then send an email to [email protected]. If you are one of the unfortunate victims of BASS-FESS ransomware, keep in mind that paying the ransom is not recommended: you might end up losing more money, and payment provides no guarantee that the crooks will give you the decryptor, since they are not known to keep their promises. It is better to focus on removing this ransomware first before you try other ways to recover your encrypted files.
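The behaviour described above (files renamed with a .basslock suffix and a ransom note dropped alongside them) gives a defender two simple on-disk indicators. The following triage script is an added example, not code from the original article or from the BASS-FESS sample: it walks a directory tree, reports encrypted files and ransom notes, recovers the pre-encryption file name from the suffix, and counts files whose extension is on the malware’s target list but that are not yet encrypted. The sample tree built in demo() is constructed for illustration; the extension set is a subset of the list quoted above.

```python
# Added triage example, not code from the original article or from the
# BASS-FESS sample: walk a directory tree and report the indicators the
# article describes (files renamed with .basslock and copies of the ransom
# note), plus files whose extension is on the malware's target list but that
# are not yet encrypted. The sample tree built in demo() is constructed.
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".basslock"
RANSOM_NOTE = "BASS File Encryption Service Notice.txt"
# Subset of the extension list quoted in the article; extend as required.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
               ".txt", ".zip", ".sql", ".py", ".cpp", ".mp4", ".psd"}


def original_name(encrypted_path):
    """BASS-FESS appends .basslock to the existing file name, so stripping
    that suffix recovers the name the file had before encryption."""
    if encrypted_path.endswith(ENCRYPTED_EXT):
        return encrypted_path[:-len(ENCRYPTED_EXT)]
    return encrypted_path


def scan_tree(root):
    """Return lists of encrypted files, ransom notes and at-risk files
    (targeted extension, not encrypted) found beneath root."""
    found = {"encrypted": [], "notes": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
            elif name == RANSOM_NOTE:          # checked before the .txt rule
                found["notes"].append(path)
            elif os.path.splitext(name)[1].lower() in TARGET_EXTS:
                found["at_risk"].append(path)
    return found


def demo():
    """Build a constructed sample tree, scan it and print a summary."""
    root = tempfile.mkdtemp(prefix="bassfess_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.basslock").write_bytes(b"\x00" * 16)    # encrypted
    (docs / "photo.jpg.basslock").write_bytes(b"\x00" * 16)      # encrypted
    (docs / RANSOM_NOTE).write_text("File Recovery Notice ...")  # ransom note
    (docs / "notes.txt").write_text("untouched")                 # at risk
    (docs / "archive.zip").write_bytes(b"PK")                    # at risk
    (docs / "readme.md").write_text("not on the target list")    # ignored
    found = scan_tree(root)
    print(f"{len(found['encrypted'])} encrypted, {len(found['notes'])} ransom "
          f"note(s), {len(found['at_risk'])} at-risk file(s) under {root}")
    for path in sorted(found["encrypted"]):
        print("  encrypted:", os.path.basename(path),
              "-> was", os.path.basename(original_name(path)))
    return found


if __name__ == "__main__":
    demo()
```

Run it against a user profile instead of the demo tree by calling scan_tree() with that path; a non-zero at-risk count while encrypted files keep appearing is the signal that the process is still running and should be stopped before anything else.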
How does BASS-FESS spread its malicious payload?
BASS-FESS was found to be spreading its malicious payload using corrupted email attachments. The developers of BASS-FESS used macro-enabled documents attached to a deceptive email. When you open this kind of file, the macro scripts run a command that installs BASS-FESS on the computer. In addition, BASS-FESS could also spread as a fake program or fake software update found on malicious websites. To avoid such malicious files, keep both your antivirus and your system updated.
Kill BASS-FESS on your computer before the problems get worse. To do so, follow the removal instructions below.
Step 1. Open the Task Manager by tapping Ctrl + Shift + Esc on your keyboard.
Step 2. In the Task Manager, go to the Processes tab and look for any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to BASS-FESS ransomware.
Step 3. After that, close the Task Manager.
Step 4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5. In the list of installed programs, look for BASS-FESS PDF.exe or BASS-FESS ransomware or anything similar and then uninstall it.
Step 6. Next, close Control Panel and tap Win + E to launch File Explorer.
Step 7. Navigate to the following locations and look for BASS-FESS ransomware’s malicious components, such as BASS File Encryption Service Notice.txt, the corrupted macro-enabled document it came with, and other suspicious files, and then delete all of them.
Step 8. Close File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a major impact on your computer. To save you the trouble and time, you can instead use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 9. Tap Win + R to open Run, type regedit in the field and tap Enter to open the Windows Registry.
Step 10. Navigate to the following path:
Step 11. Delete the registry keys and sub-keys created by BASS-FESS ransomware.
Step 12. Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using their Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if BASS-FESS ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods available, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; in the window that pops up, go to the Previous Versions tab. It lists the file’s previous versions from before it was modified. Once the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
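Because the Previous Versions route only works while shadow copies still exist, it is worth checking for them once before working through files one by one. The script below is an added example, not code from the original article: parse_vssadmin() parses the text printed by the real Windows tool vssadmin list shadows, list_shadow_copies() runs that command on Windows (it needs an elevated prompt) and falls back to the constructed SAMPLE_OUTPUT elsewhere, and copies_for_drive() narrows the result to the drive holding the encrypted files. The GUIDs, timestamp and machine name in the sample are placeholders.

```python
# Added example, not code from the original article: check whether Volume
# Shadow Copies still exist before attempting the Previous Versions restore
# described above. parse_vssadmin() parses the text that 'vssadmin list
# shadows' prints; list_shadow_copies() runs that command on Windows (it
# needs an elevated prompt) and falls back to the constructed SAMPLE_OUTPUT
# elsewhere so the parser can be exercised offline.
import re
import subprocess
import sys

# Constructed to mimic the layout of 'vssadmin list shadows'; the GUIDs,
# timestamp and machine name are placeholders.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 11/16/2017 9:12:44 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""
# What vssadmin prints when every shadow copy is gone.
NO_COPIES = "No items found that satisfy the query."

CREATED_RE = re.compile(r"creation time:\s*(.+)$")
SHADOW_ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9A-Fa-f-]+\})")
ORIG_VOL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")


def parse_vssadmin(text):
    """Return one dict per shadow copy: id, creation time and the drive
    letter of the original volume. Returns [] when vssadmin reports none."""
    copies = []
    created = None
    current = None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = m.group(1).strip()   # applies to the copies that follow
            continue
        m = SHADOW_ID_RE.search(line)
        if m:
            current = {"id": m.group(1), "created": created, "volume": None}
            copies.append(current)
            continue
        m = ORIG_VOL_RE.search(line)
        if m and current is not None:
            current["volume"] = m.group(1).upper()
    return copies


def list_shadow_copies():
    """Query the live system on Windows; use the constructed sample elsewhere."""
    if sys.platform != "win32":
        return parse_vssadmin(SAMPLE_OUTPUT)
    proc = subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True)
    return parse_vssadmin(proc.stdout)


def copies_for_drive(copies, drive="C:"):
    """Keep only the shadow copies of the drive holding the encrypted files."""
    return [c for c in copies if c["volume"] == drive.upper()]


if __name__ == "__main__":
    usable = copies_for_drive(list_shadow_copies(), "C:")
    if usable:
        for c in usable:
            print(f"shadow copy {c['id']} of {c['volume']} from {c['created']}")
        print("Previous Versions restore has something to work with.")
    else:
        print("No shadow copies for C:; Previous Versions will not help here.")
```

If the script reports no copies for the drive, skip straight to the antivirus scan and other recovery options rather than checking files individually; if copies exist, note their creation time, since a version from before the infection is the one to restore.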
To make sure that nothing is left behind and that BASS-FESS ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- In the Advanced Options menu, use the arrow keys to select Safe Mode with Networking, then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.