.Brusaf file extension ransomware virus (Restore, decrypt brusaf files)

Myantispyware team August 10, 2019    

Cyber threat analysts discovered a new ransomware variant named ‘Brusaf virus’. It appends the .brusaf file extension to the names of encrypted files. Here’s everything you need to know about this ransomware: how to remove the ‘Brusaf file virus’ and how to restore (decrypt) encrypted personal files for free.

Files encrypted by .brusaf virus

The Brusaf file virus is designed to encrypt files on the computer; it is ransomware. Like other ransomware, it locks files such as movies, archives, documents, web application-related files, photos, drawings and databases, along with other files that are important to the victim and whose unavailability is unacceptable to them. The victim will not be able to open these files, whichever program is used. The Brusaf ransomware virus locks almost all files, including common types such as:

.forge, .odp, .srw, .wmo, .wbz, .mp4, .vtf, .wsd, .svg, .js, .ncf, .itl, .raw, .mdbackup, .qic, .xpm, .bkp, .xmmap, .ysp, .itm, .bay, .qdf, .cdr, .mov, .xyw, .cer, .sidn, .rar, .re4, .raf, .3dm, .xlsb, .tax, .xf, .z3d, wallet, .r3d, .wps, .wot, .1st, .xlsx, .dba, .pdd, .csv, .2bp, .vdf, .jpg, .dcr, .wbm, .z, .png, .m3u, .wpd, .apk, .wbmp, .vpk, .zdb, .xml, .css, .vpp_pc, .hkdb, .rwl, .wire, .hkx, .mrwref, .jpe, .wp5, .srf, .kf, .yml, .x3f, .vcf, .zip, .sid, .wdb, .fsh, .ltx, .wbd, .xll, .mddata, .esm, .bik, .t12, .das, .epk, .rim, .mlx, .wpd, .wpg, .kdc, .crt, .p12, .wotreplay, .fpk, .bar, .wma, .webdoc, .wps, .wma, .xy3, .wpl, .ff, .rw2, .mpqge, .xdl, .sum, .xbplate, .rofl, .mcmeta, .gho, .xyp, .zip, .wdp, .wbk, .wcf, .hplg, .wn, .wav, .pak, .blob, .t13, .vfs0, .m2, .xlsm, .doc, .dmp, .arw, .wbc, .xls, .wsc, .odb, .nrw, .3fr, .xbdoc, .pkpass, .x3f, .wpa, .ntl, .xlk, .lrf, .wpb, .wp4, .0, .dazip, .fos, .wpe, .asset, .pst, .layout, .wmf, .sav, .eps, .arch00, .iwi, .docx, .x3d, .txt, .sql, .sie, .der, .ai, .cas, .wp7, .flv, .xdb, .zif, .w3x, .pptx, .cfr, .crw, .pfx, .xlsx, .litemod, .mdf, .xld, .odc, .bsa, .wmv, .menu, .erf, .wb2, .wpw, .webp, .bc7, .rgss3a, .zabw, .db0, .iwd, .7z, .dwg, .docm, .mef, .m4a, .psd, .p7b, .upk, .avi, .pef, .big, .p7c, .ods, .wsh, .snx, .x, .wp, .pem, .mdb, .d3dbsp, .ws, .wri, .sb, .wmv, .dxg, .odt, .wpt, .xar, .syncdb, .accdb, .desc, .xlgc, .gdb, .xxx, .wgz

Every file encrypted by the Brusaf virus receives the .brusaf extension, which lets victims identify the cause of the problem that stopped their work. Each user whose computer has been attacked by the Brusaf virus receives a ransom message from the fraudsters. It states the amount of money for which they are willing to provide the victim with a unique key and a decryption tool to unlock the encrypted documents, photos and music.

ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-p1HwbAuGCw
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
gorentos@bitmessage.ch

 

Threat Summary

Name: Brusaf
Type: Crypto virus, File locker, Crypto malware, Ransomware, Filecoder
Encrypted files extension: .brusaf
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch
Ransom amount: $980 in Bitcoins
Symptoms: Encrypted photos, documents and music. Your documents, photos and music now have new extensions that end with something like .brusaf. Your file directories contain a ‘ransom note’ file that is usually a .txt file.
Distribution methods: Unsolicited emails that are used to deliver malware. Exploit kits (cybercriminals use ransomware virus packaged in an ‘exploit kit’ that can find a vulnerability in Windows operating system, Web browser, Adobe Flash Player, PDF reader). Social media posts (they can be used to force users to download malicious software with a built-in ransomware downloader or click a misleading link). Torrent web-pages.
Removal: To remove Brusaf ransomware use the removal guide
Decryption: To decrypt Brusaf ransomware use the steps
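
A read-only way to measure the symptoms listed above before attempting any recovery. This is an added example, not part of the original article: it counts files carrying the .brusaf extension and _readme.txt notes under a folder, shows which original file types were hit, and brackets when they were last modified. The function names `triage` and `build_sample_tree` are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".brusaf"    # extension the article says is appended
RANSOM_NOTE = "_readme.txt"  # ransom note name from the threat summary


def triage(root):
    """Walk root and summarise the damage without modifying any file."""
    encrypted, notes, orig_exts, mtimes = [], [], Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # photo.jpg.brusaf -> .jpg : which kind of data was hit
                stem = name[: -len(ENCRYPTED_EXT)]
                orig_exts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                try:
                    mtimes.append(os.stat(path).st_mtime)
                except OSError:
                    pass  # unreadable entry: still counted, just not timed
    window = None
    if mtimes:
        # Assumption: last-modified time approximates the encryption time.
        window = tuple(datetime.fromtimestamp(t, timezone.utc)
                       for t in (min(mtimes), max(mtimes)))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "original_extensions": dict(orig_exts), "window_utc": window}


def build_sample_tree(root):
    """Constructed sample data: a tiny tree that mimics an affected profile."""
    layout = {
        "Documents": ["report.docx.brusaf", "budget.xlsx.brusaf", "_readme.txt"],
        "Pictures": ["holiday.jpg.brusaf", "IMG_0001.JPG.BRUSAF",
                     "_readme.txt", "untouched.png"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for n in names:
            with open(os.path.join(root, folder, n), "wb") as fh:
                fh.write(b"constructed sample bytes")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        print(len(report["encrypted"]), "encrypted,", len(report["notes"]), "notes")
        print(report["original_extensions"], report["window_utc"])
```

The start of the reported window is a useful reference when choosing a restore point that predates the encryption.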

 

In the steps below, I have outlined a few methods that you can use to remove Brusaf ransomware from your machine and restore .brusaf files from shadow volume copies or using file restore software.

Quick links

  1. How to remove Brusaf ransomware virus
  2. How to decrypt .brusaf files
  3. How to restore .brusaf files
  4. How to protect your PC system from Brusaf crypto malware?

How to remove Brusaf ransomware virus

Manual removal does not always completely uninstall the Brusaf crypto virus, as it is not easy to identify and remove all components of the ransomware and all malicious files from the hard disk. Therefore, it is recommended that you run a malware removal utility to completely remove the Brusaf crypto virus from your PC. Several malware removal tools are currently available that can be used against the crypto malware.



How to remove Brusaf ransomware virus with Zemana Anti-Malware

Zemana Free is a malware scanner that is very useful for detecting and removing Brusaf crypto malware. The steps below explain how to download, install, and use Zemana Anti-Malware (ZAM) to scan your machine and remove ransomware, malicious software, worms, adware, spyware and trojans for free.

Set up and use Zemana Anti-Malware (ZAM) to remove the Brusaf virus by following the steps below:

Go to the following link to download the Zemana Anti-Malware (ZAM) installer, called Zemana.AntiMalware.Setup, to your PC. Save it on your Microsoft Windows desktop.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Run the setup file after it has been downloaded successfully and then follow the prompts to install this utility on your PC.

Zemana Free SetupWizard

During setup you can change some settings, but we recommend you don’t make any changes to default settings.

When installation is finished, this malware removal utility will automatically start and update itself. You will see its main window as displayed on the image below.

Now click the “Scan” button. Zemana will begin scanning the whole system for Brusaf crypto malware and other security threats. This process can take quite a while, so please be patient. When malicious software, adware or PUPs are found, the count of security threats changes accordingly.

Zemana Free scan for Brusaf ransomware virus and other security threats

After the scan is finished, you’ll be shown the list of all detected threats on your computer. To remove all threats, simply click the “Next” button.

Zemana Anti Malware (ZAM) scan is complete

Zemana will remove the Brusaf ransomware virus and other kinds of potential threats, such as malicious software and trojans, and add the items to the Quarantine. When finished, you may be prompted to restart your system for the changes to take effect.

How to decrypt .brusaf files

With some variants of Brusaf file virus, it is possible to decrypt encrypted files using free tools listed below.




Michael Gillespie released the Brusaf decryption tool named STOPDecrypter. It can decrypt .Brusaf files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.

Brusaf decryption tool

STOPDecrypter is a program that can be used to decrypt Brusaf files. One of its biggest advantages is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ database is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Brusaf files using this free tool.

  1. Installing STOPDecrypter is simple. First, download STOPDecrypter to your Windows Desktop from the following link.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. After the download is done, close all applications and windows on your machine. Open the file location. Right-click the icon named STOPDecrypter.zip.
  3. Next, select ‘Extract all’ and follow the prompts.
  4. Once the extraction is finished, run STOPDecrypter. Select the directory and press the Decrypt button.

If STOPDecrypter does not help you decrypt .Brusaf files, in some cases you still have a chance to restore files that were encrypted by the ransomware, using the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.

How to restore .brusaf files

In some cases, you can restore files encrypted by the Brusaf ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.




Recover .brusaf encrypted files using Shadow Explorer

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

Visit the page linked below to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to start it. You will see a window like the one on the image below.

ShadowExplorer

In the top left corner, choose the drive where the encrypted files are stored and the latest restore point, as displayed on the image below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you wish to restore, right-click it and select Export, as on the image below.

ShadowExplorer restore file

Restore .brusaf files with PhotoRec

Before a file is encrypted, the Brusaf crypto malware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recovery programs such as PhotoRec.

Download PhotoRec on your Windows Desktop by clicking on the following link.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as on the image below.

testdisk photorec folder

Double-click qphotorec_win to run PhotoRec for MS Windows. It will open a screen as shown below.

PhotoRec for windows

Select a drive to recover, as shown below.

photorec select drive

You will see a list of available partitions. Select a partition that holds encrypted files as displayed on the image below.

photorec choose partition

Click the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, click the Browse button to choose where restored files should be written, then click Search.

photorec

The count of restored files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the restore is finished, click the Quit button. Next, open the directory where the restored personal files are stored. You will see contents as displayed in the following example.

PhotoRec - result of restore

All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your PC system from Brusaf crypto malware?

Most antivirus programs already have built-in protection against ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.

Run HitmanPro.Alert to protect your computer from Brusaf crypto virus

HitmanPro.Alert is a small security tool. It checks system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

Visit the following page to download the latest version of HitmanPro Alert for Windows. Save it directly to your MS Windows Desktop.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the downloading process is complete, open the directory in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro Alert desktop icon. When the tool is launched, you’ll be shown a window where you can select a level of protection, as displayed on the screen below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

 

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
