What is Bmtf file
The .[email@example.com].bmtf extension is a file extension that is used by the latest variant of the Crysis/Dharma ransomware to mark files that have been encrypted. Bmtf ransomware is a malicious program that encrypts user files and demands a ransom for a key-decryptor pair that is necessary to decrypt the affected files. It uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without a key. Files encrypted with .[firstname.lastname@example.org].bmtf extension become useless, their contents cannot be read without the key that the criminals have.
What is Bmtf ransomware virus
Bmtf ransomware is one of the variants of Dharma/Crysis ransomware. The most common source of infection is torrents files, freeware, cracked apps and games, Windows and Microsoft Office activators, and other similar software. Upon execution, it encrypts files using a key that is individual for each computer. Bmtf ransomware uses a very strong encryption system, which eliminates the possibility of determining the key, even using a super computer. The encryption process is very fast, regardless of what is in the file, the virus can easily encrypt it. Bmtf can encrypt almost all files that are on the computer, including those located on network drives. The only thing that the virus does not encrypt is the files that are necessary for the Windows OS to function normally. Below we list some types of files that can be encrypted by the ransomware:
.iwi, .webdoc, .vfs0, .3fr, .yml, .wpt, .bar, .hkdb, .xlk, .x, .rim, .wire, .arw, .wbd, .wav, .mp4, .wpg, .wps, .gho, .wp7, .xld, .wpa, .ff, .zif, .wb2, .wsd, .docm, .wp4, .ibank, .rar, .3dm, .mdf, .mef, .webp, .mlx, .mrwref, .xlsx, .erf, .lrf, .slm, .asset, .wsh, .wbk, wallet, .der, .1, .t12, .tax, .dxg, .pef, .xll, .fpk, .vdf, .re4, .xyp, .fos, .raf, .odm, .wdb, .wpb, .cdr, .iwd, .2bp, .epk, .wotreplay, .odt, .wm, .accdb, .xx, .css, .mpqge, .ppt, .cfr, .mdb, .wpe, .wbc, .cer, .hvpl, .xbplate, .mov, .zdb, .wmv, .m3u, .srw, .itdb, .kdc, .xlgc, .sav, .layout, .doc, .itl, .jpg, .xlsm, .zip, .pem, .wbz, .pptx, .wma, .map, .ysp, .ybk, .hkx, .sidd, .cr2, .xyw, .xbdoc, .py, .vpk, .rb, .dbf, .x3f, .rtf, .xmind, .sie, .gdb, .sb, .xdl, .wp, .wpw, .t13, .xls, .x3d, .das, .ztmp, .yal, .sis, .wps, .sum, .flv, .csv, .odb, .ptx, .wmv, .0, .xlsx, .wn, .sr2, .xdb, .dwg, .ods, .xls, .bkp, .apk, .js, .xwp, .wpd, .mdbackup, .docx, .zabw, .cas, .itm, .snx, .hplg, .z, .wmo, .psk, .tor, .fsh, .7z, .w3x, .m2, .ntl, .avi, .zip, .ai, .bkf, .dba, .wpl, .m4a, .xxx, .p12, .dmp, .rofl, .wp5, .pst, .xf, .pptm, .wbmp, .wma, .xml, .ws, .pkpass, .pdf, .bc7, .bsa, .rgss3a, .forge, .zdc, .indd, .blob, .zi, .z3d, .svg, .r3d, .3ds, .pdd, .psd, .lbf, .mcmeta, .crt, .p7b, .odc, .wsc, .crw, .dng, .odp, .txt, .pfx, .orf, .qdf, .xy3, .jpeg
When a file is encrypted, ‘.id-USERID.[EMAIL-ADDRESS].bmtf’ is added at the end of its name, that is, if you had a file of ‘document.docx’, then a file with the name ‘document.docx.id-USERID.[EMAIL-ADDRESS].bmtf’ will appear in its place. If you change the file name, just delete the added extension, then nothing will change. The file will remain encrypted, and as before, this file will not be possible to open in the program with which it is associated.
Perhaps you found on your computer or its desktop a new file called ‘FILES ENCRYPTED.txt’, which for some reason is not encrypted. An example of such a file is given below.
This file is very important, in addition to containing a ransom demand, it also contains information that allows you to contact intruders. According to the message, the victim is invited to contact the attackers using the given email address. In response, the authors of the virus will give a Bitcoin address to which the ransom must be transferred. Of course, you should understand that there is no guarantee that the attackers, after receiving the ransom, will provide you with the key necessary to decrypt your files. In addition, by paying the ransom, you will push attackers to create a new ransomware.
The contents of the FILES ENCRYPTED.txt file:
all your data has been locked us
You want to return?
write email email@example.com or firstname.lastname@example.org
|Name||Bmtf ransomware, Bmtf file virus|
|Type||Filecoder, File locker, Crypto virus, Ransomware, Crypto malware|
|Encrypted files extension||.[email@example.com].bmtf|
|Ransom note||FILES ENCRYPTED.txt|
|Ransom amount||$500-$1500 in Bitcoins|
|Detection Names||Trojan/Win32.Crysis.R213980, Trojan.Ransom.Crysis.E, Win32:RansomX-gen [Ransom], AI:Packer.D3B9457E1E, W32.RansomeDNZ.Trojan, TrojWare.Win32.Crysis.D@6sd9xy, W32/Wadhrama.B, Win32.Trojan-Ransom.VirusEncoder.A, Trojan-Ransom.Win32.Crusis.To, Ransom:Win32/Wadhrama|
|Symptoms||Encrypted personal files. Your photos, documents and music now have different extensions that end with something like .locked, .crypted or .cryptor. Files named such as ‘FILES ENCRYPTED.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. Your desktop is locked with a message about How to pay to unlock your system.|
|Distribution methods||Phishing emails that look like they come from a reliable source. Exploit kits (cybercriminals use ransomware packaged in an ‘exploit kit’ that can find a vulnerability in MS Windows OS, Browser, Adobe Flash Player, PDF reader). Social media posts (they can be used to trick users to download malicious software with a built-in ransomware downloader or click a malicious link). Cybercriminals use suspicious ads to distribute malware with no user interaction required.|
|Removal||Bmtf ransomware removal guide|
|Decryption||Bmtf file recovery guide|
The full text of the message that appears in the Bmtf popup window:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email firstname.lastname@example.org YOUR ID XXXXXXX
If you have not been answered via the link within 12 hours, write to us by e-mail:email@example.com
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
As we have already said, Bmtf is not the first ransomware belonging to the Crysis/Dharma family. The fact that to date, antivirus companies have not created a way to decrypt files, and just have not found a 100% way to protect the user’s computers, indicates the complexity of the ransomware and the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to detect and remove Bmtf ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove Bmtf ransomware, Restore .[firstname.lastname@example.org].bmtf files
If your files have been encrypted with ‘.[email@example.com].bmtf’ extension, then first of all you need to remove Bmtf ransomware and be 100% sure that there is no active ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. We definitely recommend, even if for some reason one of the methods proposed below did not suit you, try another one and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. And the last, before proceeding with the instructions, we advise you to read it thoroughly carefully, and then print or open it on a tablet or smartphone to have it always at hand.
- How to remove Bmtf ransomware
- How to decrypt .bmtf files
- How to restore .bmtf files
- How to protect your computer from Bmtf ransomware
How to remove Bmtf ransomware
First you need to remove the Bmtf ransomware autostart entries before decrypting and recovering encrypted files. Another option is to perform a full scan of the computer using antivirus software capable of detecting and removing ransomware infection.
It is very important to scan the computer for malware, as security researchers found that spyware could be installed on the infected computer along with the Bmtf ransomware. Spyware is a very dangerous security threat as it is designed to steal the user’s personal information such as passwords, logins, contact details, etc. If you have any difficulty removing Bmtf ransomware, then let us know in the comments, we will try to help you.
To remove Bmtf ransomware, use the steps listed below:
Kill Bmtf ransomware
Press CTRL, ALT, DEL keys together.
Click Task Manager. Select the “Processes” tab, look for something suspicious that is the Bmtf ransomware then right-click it and select “End Task” or “End Process” option.
A process is particularly suspicious: it is taking up a lot of memory (despite the fact that you closed all of your programs, its name is not familiar to you (if you are in doubt, you can always check the program by doing a search for its name in Google, Yahoo or Bing).
Disable Bmtf ransomware Start-Up
Select the “Start-Up” tab, look for something similar to the one shown in the example below, right click to it and select Disable.
Close Task Manager.
Scan computer for malware
Zemana Anti-Malware (ZAM) is a malware scanner that is very useful for detecting and uninstalling Bmtf ransomware virus. The steps below will explain how to download, install, and use Zemana Anti-Malware to scan your personal computer and remove ransomware, malicious software, worms, adware, trojans, spyware for free.
Zemana Anti Malware can be downloaded from the following link. Save it to your Desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is finished, close all windows on your machine. Further, open the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up like below, click the “Yes” button.
It will display the “Setup wizard” that will help you install Zemana on the PC system. Follow the prompts and do not make any changes to default settings.
Once setup is complete successfully, Zemana Anti Malware (ZAM) will automatically start and you can see its main window as shown on the image below.
Next, press the “Scan” button for checking your personal computer for the Bmtf ransomware virus related folders,files and registry keys. Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. During the scan Zemana Anti Malware will detect threats present on your computer.
After finished, Zemana Anti-Malware (ZAM) will open a list of found threats. All found items will be marked. You can remove them all by simply click “Next” button.
The Zemana will start to remove the Bmtf crypto virus related folders,files and registry keys. Once the process is finished, you can be prompted to restart your system.
In order to be 100% sure that the computer no longer has the Bmtf crypto malware, we recommend using the Kaspersky virus removal tool (KVRT). This tool, as its name suggests, is designed by the Kaspersky lab and uses the core of the Kaspersky Antivirus. Unlike the Kaspersky Antivirus, KVRT has a smaller size and, most importantly, it can work together with an already installed anti-virus. This tool has great capabilities and therefore we suggest using KVRT in the last turn to be sure that the Bmtf crypto malware has been removed.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to detect Bmtf ransomware virus and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your computer.
When finished, you will be displayed the list of all detected items on your personal computer as displayed in the following example.
Make sure to check mark the threats which are unsafe and then press on Continue to start a cleaning procedure.
How to decrypt .bmtf files
All files with the ‘.[firstname.lastname@example.org].bmtf’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. Unfortunately, as we already reported in this article, there is currently no way to decrypt files. The reason for this is the complexity of the encryption algorithm that the authors of Bmtf virus use. In principle, this is what the attackers sought. But this does not mean that you have no choice and you need to pay a ransom for your files.
Never pay the ransom! Every security expert will tell you this over and over. Of course, there is a chance that by paying a ransom, Bmtf virus authors will allow you to unlock your files, but there is no guarantee. Moreover, you should understand that when you pay a ransom, you unknowingly push the attackers to create new, even more destructive viruses.
Do not forget that besides you, thousands more people around the world have lost their files, that is, you are not alone. Antivirus companies, security experts are working on something that will allow you to decrypt .[email@example.com].bmtf files. Perhaps in the future an universal method will be developed that will allow all victims to unlock all their data.
Of course, as soon as a way to decrypt the files appears, we will post a message about this to this article or to our facebook account. Therefore, we recommend that you follow the updates.
How to restore .bmtf files
As we wrote above, you cannot decrypt files encrypted with Bmtf ransomware. But you can use a different way, there is a small chance to restore .[firstname.lastname@example.org].bmtf files without decrypting them. Programs created for searching and recovering lost and deleted data can help you with this. We recommend you to use the following free programs: PhotoRec and ShadowExplorer. Two more things we want to say about. First, before restoring files, you must be 100% sure that there is no ransomware on the computer. We recommend using free malware removal tools that we examined in this article. Second, and what is very important! The less you use your computer after ransomware infection, the higher the chance that you will be able to recover encrypted files.
Restore .bmtf files with ShadowExplorer
First of all, try to recover your files using a free tool called ShadowExplorer. This program will allow you to recover your files from Shadow Volume Copies. These copies are created automatically by the OS when you work with your files. Unfortunately, very often, the virus automatically deletes all these copies and thus prevents the user from recovering encrypted files. Nevertheless, in some cases, the ransomware cannot delete all copies, and the user gets the opportunity to quickly restore all files. Therefore, our opinion, you should definitely try this method!
Visit the page linked below to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Desktop.
Category: Security tools
Update: September 15, 2019
Once the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Double click ShadowExplorerPortable to run it. You will see the a window as on the image below.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as on the image below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Recover .bmtf files with PhotoRec
Another really working way to recover your encrypted files is to use a program named PhotoRec. It is created to recover deleted or lost files. Does the Bmtf ransomware block this method? Fortunately, the ransomware cannot block this method of recovering the contents of encrypted files. The more you used (moved, deleted, modified) files before infection, the greater the chance that you will be able to recover them.
Download PhotoRec by clicking on the following link.
Category: Security tools
Update: March 1, 2018
After the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as shown on the image below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as shown in the following example.
Press File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, click Browse button to choose where restored personal files should be written, then click Search. We strongly recommend that you save the recovered files to an external drive.
Count of recovered files is updated in real time. All restored files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents like below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your computer from Bmtf ransomware
Most antivirus apps already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro Alert can be downloaded from the following link. Save it to your Desktop.
Category: Security tools
Update: March 6, 2019
After the download is done, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the tool is launched, you’ll be shown a window where you can select a level of protection, such as the one below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of the Bmtf ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to recover .[email@example.com].bmtf files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Bmtf related issues, go to here.