How to Remove Bot Ransomware (+File Recovery)

How to Remove Bot Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

All FILES ENCRYPTED “RSA1024”
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL nmode@tutanota.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:nmodes@aol.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.


Bot is yet another virus of the Dharma ransomware family. It is a menace that sneaks into your computer and corrupts your files. Pictures, music, databases, documents, archives: no file type is immune. .Bot encrypts your data and restricts your access to it. You can still see the icons of your files, but you can neither view nor edit them. Everything with the “.Bot” extension is under lock and key. The ransomware, of course, promises a solution, but not for free. This virus pushes its victims to pay an astonishing ransom within seven days. In the ransom note (a file dropped and opened by the virus), the malicious actors threaten that the individual decryption keys may be overwritten if the victims wait too long. They also warn that third-party decryption tools could lead to data loss. Do not fall for their tricks! The criminals use basic scare tactics to push you into impulsive actions. Don’t give in to naivety. Take the time to consider your options. You are dealing with experienced manipulators. These people promise a lot, but they rarely deliver.

How did I get infected?

Fake updates, corrupted links, malicious bundles, pirated software: there are myriad virus distribution methods. Ransomware such as .Bot, however, tends to rely on spam campaigns. That’s right, the good old spam email is still the number one virus distribution trick. The scheme, however, is more complicated than it used to be. The criminals use corrupted attachments that download the virus. The attachments themselves don’t perform suspicious activities such as replacing or deleting files. Once you open them in “Editing” mode, however, a malicious script executes and downloads .Bot. Do not fall for the crooks’ tricks! Don’t make their job easier. Choose caution over carelessness; only your own diligence can prevent infections. Treat all unexpected emails as potential threats. Whether it’s an instant message or an email, always take a minute to verify the sender. If, for example, an organization sends you an unexpected email, go to its official website and compare the email addresses listed there to the questionable one. If they don’t match, delete the pretender immediately. You can also enter the suspicious address into a search engine. Someone might have complained online if the address was used for shady activities.

Remove Bot

Why is Bot dangerous?

Bot ransomware is a menace. It sneaks into your computer and wrecks everything. The virus locks your data and makes it inaccessible. You can’t even create new files, as the ransomware corrupts everything you save or download. .Bot makes your computer useless and pushes you to pay the ransom. Don’t give in, though. Paying only encourages the malicious actors to continue their criminal activities. Practice shows that the criminals tend to ignore their victims once they receive the money. There are cases where victims paid only to be blackmailed for more, and others where victims received nonfunctional or only partly functional decryption tools. What will you do if this happens to you? You can’t ask for a refund. You are dealing with criminals who demand cyber coins. No one can trace these currencies. Once you complete the transaction, there’s no going back. Don’t rush into action. Consider writing off your files. If you have backups saved on external devices, you can use them to restore your data. Just make sure that .Bot is completely removed before you attempt any such activities.

Bot Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Bot Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file name.
  • Before you kill the process, write its name down in a text document for later reference.


  • Locate any suspicious processes associated with the Bot encryption virus.
  • Right-click on the process.
  • Choose Open File Location.
  • End the process.
  • Delete the directories containing the suspicious files.
  • Keep in mind that the process can hide itself and be very difficult to detect.

STEP 2: Reveal Hidden Files

  • Open any folder.
  • Click the “Organize” button.
  • Choose “Folder and Search Options”.
  • Select the “View” tab.
  • Select the “Show hidden files and folders” option.
  • Uncheck “Hide protected operating system files”.
  • Click “Apply”, then “OK”.

STEP 3: Locate the Bot encryption virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously, type regedit and press Enter to open the Registry Editor.


Depending on your OS (x86 or x64), navigate to one or more of:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value with the display name [RANDOM].


  • Then open Windows Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the Windows msconfig program to double-check the execution point of the virus. Please keep in mind that the names on your machine may differ, as they are likely generated randomly; that is why you should run a professional scanner to identify the malicious files.
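As an added example (not part of the original guide), the following read-only PowerShell script audits the three Run keys listed above and flags any autostart entry whose executable lives in a user-writable profile location such as %APPDATA%, where the guide says the Bot executable is dropped, or whose file no longer exists; it then counts files carrying the “.Bot” extension under the current profile. Nothing is deleted; it only reports what to look at before you remove anything.

```powershell
# Added example: audit the Run keys named in the guide for autostart entries
# launched from user-writable locations. Read-only: prints findings only.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Directories a legitimate installer rarely uses for an autostart binary.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# Metadata properties PowerShell adds to every registry item; not real values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        $cmd = [string]$p.Value
        # Extract the executable path: strip surrounding quotes, or cut at .exe
        # for an unquoted path without spaces, then expand %VARIABLES%.
        $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+?\.exe)\b.*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $flags = @()
        foreach ($root in $suspectRoots) {
            if ($exe.StartsWith($root, 'OrdinalIgnoreCase')) { $flags += 'USER-WRITABLE-PATH'; break }
        }
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'FILE-MISSING' }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            Flags   = ($flags -join ',')
        }
    }
}

# Show every entry, suspicious ones first, so nothing is hidden from review.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize

# Count encrypted files under the current profile (the guide states the
# ransomware appends the ".Bot" extension; the filter is case-insensitive).
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.Bot' -ErrorAction SilentlyContinue
"Files with the .Bot extension under $env:USERPROFILE: $($encrypted.Count)"
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; compare any flagged entry against the process name you noted down in STEP 1 before deleting anything.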

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may be able to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files from Shadow Volume Copies. Open Shadow Explorer, choose the drive you want to recover from, right-click any file you want to restore and click Export.
