Here’s some good news for users whose files have been encrypted by the BigBobRoss ransomware: both Avast and Emsisoft have released decrypters.

How do you know that you’ve been hit with BigBobRoss?

The ransomware gets its name from the email address included in the ransom note, which comes in a file named Read Me.txt.

Another indication that the user’s files have been encrypted by this particular malware is the .obfuscated extension added to the encrypted files. Also, according to Emsisoft, some variants also prepend the victim ID to the filename (e.g., ID.file.obfuscated).

It is currently unknown how the BigBobRoss ransomware is delivered/spread to victims. What is known is that it uses AES-128 ECB to encrypt files.

Decrypting the encrypted files

Avast’s decrypter can be found here, and Emsisoft’s here.

Emsisoft also warns users to make sure they remove the malware from their system before starting the decrypter – if they don’t, the malware will repeatedly encrypt the decrypted files.

“If your system was compromised through the Windows Remote Desktop feature, we also recommend changing all passwords of all users that are allowed to login remotely and check the local user accounts for additional accounts the attacker might have added,” they added in the instructions.

As a side note: the free online service ID Ransomware recognizes BigBobRoss by its ransom note, examples of encrypted files and the email address the ransomware gives victims for contact.

ID Ransomware, started nearly three years ago by Michael Gillespie, currently detects 694 different ransomwares.