Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Bmtf Ransomware

Bmtf Ransomware is a threat from the Crysis Ransomware family. The malware encrypts files with a robust encryption algorithm, marks them with a unique second extension, and opens a window with a ransom note. Encrypted data becomes unreadable and cannot be opened even if you manage to erase the second extension. According to the threat’s ransom note, the only way to get files back is to contact hackers via email. Hackers will most likely ask to pay a ransom and promise to send decryption tools afterward. We advise against doing so, as there are no guarantees that the cybercriminals will hold up their end of the deal. We also recommend removing Bmtf Ransomware because it could still be dangerous, not to already encrypted data, but to files that you might yet create. You can learn more about the malicious application and its deletion if you read the rest of this article.

One of the things we would like to discuss first is where Bmtf Ransomware could come from. Usually, such malicious applications are spread through spam emails, unreliable file-sharing web pages, pop-ups, and so on. To put it simply, the malware could masquerade as any file and could be spread through various sources. This is why we advise users who want to avoid such malicious applications to be cautious when they download and receive files from the Internet. If you find a file suspicious, know that it is coming from an unknown sender or an unreliable source, or simply are not entirely sure that it is safe, we advise scanning it with a reliable antimalware tool that could tell if the file is dangerous or not. Keep in mind that infected files can look like harmless documents, updates, and pictures, so you should never let your guard down.

Once Bmtf Ransomware gets in, it should start creating the files that it needs to settle in. Our researchers say that, like other threats from the Crysis family, the infection may place copies of its launcher in the %WINDIR%\System32, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup, and %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup directories. Additionally, the malware might create a couple of Registry entries in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run location. The threat needs these files and entries so that it can relaunch with the operating system after the computer is restarted. They also make the threat more difficult to erase. After creating the mentioned data, Bmtf Ransomware should start encrypting pictures, various documents, and other personal files that victims might hold valuable.

Encrypted files should be marked with a second extension that ought to contain a unique user ID, for example, file.jpg.id-6C7E496A.[dfgkbtprz@aol.com].bmtf. Next, Bmtf Ransomware ought to create a text file titled FILES ENCRYPTED.txt and a file named Info.hta that should have a few copies. The .txt file opens a text document with a short note that suggests contacting hackers via email. The .hta file opens a pop-up window that contains a slightly longer note, which says that users should not worry and that they can restore their files if they contact Bmtf Ransomware’s creators via one of the given email addresses.
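To see how much data was affected, the marker described above can be parsed and counted per folder. The following PowerShell is an added example, not part of the original article or any vendor tool; it only reads file names, and it assumes the ID is a run of hexadecimal digits as in the sample name above (the function names are hypothetical).

```powershell
# Added example: inventory files carrying the marker shown in this article
# (name.ext.id-<ID>.[<email>].bmtf). Read-only: nothing is renamed or deleted.

function ConvertFrom-BmtfName {
    param([Parameter(Mandatory)][string]$Name)
    # Assumption: the ID is hex digits, as in the article's sample file name.
    $pattern = '^(?<original>.+)\.id-(?<id>[0-9A-Fa-f]+)\.\[(?<contact>[^\]]+)\]\.bmtf$'
    if ($Name -match $pattern) {
        [pscustomobject]@{
            Original = $Matches['original']   # file name before encryption
            VictimId = $Matches['id']         # per-victim ID from the marker
            Contact  = $Matches['contact']    # address embedded in the marker
        }
    }
}

function Get-BmtfInventory {
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter '*.bmtf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-BmtfName -Name $_.Name
            if ($parsed) {
                [pscustomobject]@{
                    Directory = $_.DirectoryName
                    Original  = $parsed.Original
                    VictimId  = $parsed.VictimId
                    Contact   = $parsed.Contact
                    Modified  = $_.LastWriteTime
                }
            }
        }
}

# The sample name quoted in the article, parsed into its parts.
ConvertFrom-BmtfName -Name 'file.jpg.id-6C7E496A.[dfgkbtprz@aol.com].bmtf'

# Folders with the most marked files, then the earliest-written marked file
# (a starting point for the incident timeline).
$found = @(Get-BmtfInventory)
$found | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
$found | Sort-Object Modified | Select-Object -First 1 Directory, Original, Modified
```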

The pop-up window with Bmtf Ransomware’s ransom note does not say anything about paying a ransom, but it mentions that looking for decryption tools anywhere else would cost more than contacting the note’s authors. Thus, it is likely that users who contact them will be asked to pay for decryption tools. As said earlier, we advise against it, as you cannot know if the hackers will hold up their end of the bargain. In other words, they might not deliver the promised decryption tools but take your money anyway. Also, we mentioned earlier that leaving the malware on a system could be dangerous to files that you might yet create. That is because the threat can relaunch with the operating system, which means it might start the encryption process again. To prevent this from happening, we recommend erasing Bmtf Ransomware with a reliable antimalware tool of your choice. You could also try the removal instructions located below.

Restart the computer in Safe Mode

Windows 8/Windows 10

  1. Press Win+I for Windows 8 or open Start menu for Windows 10.
  2. Click the Power button.
  3. Tap and hold Shift, then click Restart.
  4. Pick Troubleshoot and choose Advanced Options.
  5. Go to Startup Settings and click Restart.
  6. Press F5 and restart the PC.

Windows XP/Windows Vista/Windows 7

  1. Go to Start, select Shutdown options, and pick Restart.
  2. Press and hold F8 when the PC starts restarting.
  3. Select Safe Mode with Networking.
  4. Press Enter and log on.

Remove Bmtf Ransomware

  1. Press Win+E.
  2. Find these paths:
    %TEMP%
    %USERPROFILE%\Downloads
    %USERPROFILE%\Desktop
  3. Locate the malicious application’s launcher (some suspicious file downloaded before the infection appeared).
  4. Right-click it and select Delete.
  5. Find these locations:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    %WINDIR%\System32
    %APPDATA%
  6. Locate files called Info.hta, right-click them and select Delete.
  7. Find these specific Startup directories:
    %WINDIR%\System32
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  8. Find suspicious executable files, for example, file.exe; right-click them and choose Delete.
  9. Exit File Explorer.
  10. Press Win+R.
  11. Type Regedit and press Enter.
  12. Find the given key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  13. Search for value names dropped by the threat, e.g., {random title}.exe, right-click them, and select Delete.
  14. Exit Registry Editor.
  15. Empty Recycle Bin.
  16. Restart the computer.
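
Before deleting anything by hand, the locations from the steps above can be listed in one pass. The following PowerShell is an added example, not part of the original instructions; it is read-only, its function names are hypothetical, and it checks both the HKEY_CURRENT_USER Run key from step 12 and the HKEY_LOCAL_MACHINE Run key named earlier in the article.

```powershell
# Added example: read-only listing of the locations named in this article.
# Nothing is deleted; review the output, then remove items by hand.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
)
$noteDirs = $startupDirs + @("$env:WINDIR\System32", $env:APPDATA)
$runKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # removal step 12
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # named earlier in the article
)

function Get-ExistingDir { param([string[]]$Path) $Path | Where-Object { Test-Path -LiteralPath $_ } }

# Executables in the Startup folders (step 8), with hash and signature for triage.
# System32 is skipped here because it legitimately holds many executables.
function Get-StartupExecutable {
    Get-ExistingDir $startupDirs | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue
    } | ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Ransom-note files (step 6; FILES ENCRYPTED.txt is the text note named in the article).
function Get-RansomNote {
    Get-ExistingDir $noteDirs | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -File -Force -ErrorAction SilentlyContinue
    } | Where-Object { $_.Name -in 'Info.hta', 'FILES ENCRYPTED.txt' } |
        Select-Object FullName, CreationTime
}

# Every autorun value in both Run keys (step 13); look for entries you do not recognise.
function Get-RunValue {
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

Get-StartupExecutable | Format-List
Get-RansomNote        | Format-Table -AutoSize
Get-RunValue          | Format-Table -AutoSize -Wrap
```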