Ransom notes known as _readme.txt would equally be forwarded to all the folders contained in the computer. It is a convenient method used by cybercriminals to inform the computer user knows about the attack and how they used very strong encryption keys to make their files unreadable. Therefore, they’re left with no choice but to pay the requested ransom fees in order to be given a decryption tool produced by the cybercriminals.

Additional details you need to know about the ransom note

A bold headline summarizing the attack and what is at stake would be attached to the _readme.txt ransom note. More details would be provided under the headline with emphasis on how BYYA ransomware was successful in encrypting all documents, photos, videos, and every other data that was stored in the computer. It will also warn the victim not to think of any other alternative aside from the one they’re offering since they had used a very strong and unique key in encrypting the files; therefore, they also have the exclusive ability to reverse the entire process. However, that could only be done after the ransom fee has been paid, which would enable them to send the decryption tool/software across to the victim. They would also state that their demand is not negotiable, and if for any reason the victim couldn’t respond accordingly, the entire encrypted files would become permanently irretrievable. To open a communication channel, the cybercriminals would also drop two email addresses namely: manager@time2mail.ch and supportsys@airmail.cc. However, the emails are not for negotiation purposes as there is no room for that but to serve as a medium through which they would send across their demands to the victim. To assure the victim of their level of expertise, they may even inform them to send across excerpts of the encrypted files for possible test decryption but would also point out that such must not contain valuable information. The cybercriminals would also announce that ransom fee of $980 would have to be paid but if the victim is willing to comply within 72 hours of being informed, they would be allowed to pay only half of the ransom fee, which is $490. However, there are other conditions the victim is also expected to comply with, such as being mandated to make payment using BTC or any other popular cryptocurrency and sending it to a wallet address of their choice. The major reason why they usually demand payment through cryptocurrency is to remain anonymous and preempt any chance of arrest by law enforcement agents. Here is an example of a _readme.txt ransom note typically dropped by cybercriminals. Cybersecurity experts, including the FBI, have made it clear that ransom shouldn’t be paid to cybercriminals no matter the threats. Firstly, paying ransom is absolutely against the law, it enriches cybercriminals and encourages them to perpetrate more crimes, yet there is no guarantee that encrypted files would be retrieved even after paying huge sums of money as ransom. Also note that when victims comply with ransom demands, they would be making themselves vulnerable to future extortions.

Secondary challenges victims contend with following a ransomware attack

Aside the encryption that occur during STOP/DJVU ransomware attack, there are other risk factors associated with it, including other types of malware and Trojans. The most common ones are VIDAR and AZORULT and can also be as catastrophic as the primary malware. Cybercriminals often use them to steal vital personal information such as banking details, crypocurrency wallets, and passwords among other sensitive data and being in possession of them can result in more losses to the victim. It is due to these issues that make it very necessary for victims to remove BYYA ransomware virus as soon as they can once it is detected in their computer. The appropriate method computer users should use when removing them is through Safe Mode with Networking. This option should be selected once a computer is powered on and afterwards, genuine antivirus software should be activated and maintained accordingly. Also, you can make use of RESTORO in salvaging damaged files wherever possible.

Ransomware Summary

REPAIR VIRUS DAMAGE This is a screenshot of files encrypted by the described ransomware variant.

Ingenious methods used by cybercriminals in distributing malware

Cybercriminals make use of diverse fraudulent methods in distributing malware to unsuspecting computer users. Such methods include phishing, malicious email attachments, use of “cracks” and fake activation keys, misleading ads etc. In addition to that, they also make use of online torrent platforms where high-in-demand pirated software versions are uploaded and used as baits to prey on their target victims. These pirated software contents and attachments are then embedded with a highly contagious malware that easily spreads to other computers once opened. Therefore, computer users are hereby advised not to visit such platforms and also to avoid opening emails and attachments from unrecognized sources. Some of these pirated software contents may seem attractive since they cost next to nothing to install, but they’re extremely dangerous and can lead to severe losses that far outweigh their benefit (if any). Instead of making use of them, computer users are better off getting the authentic versions from the original content producers or their authorized distributors. They also prefer using popular data formats like JavaScript, PDF and MS Word, among others, because they can be easily embedded with malware. Aside from using such popular file formats, they also use inciting business terms like Invoice, Tracking Number, and Pending Payment, etc., to name these malicious files. You should also be on the lookout for emails with spoofed addresses that are used in impersonating notable brands. Computer users that are careful enough may end up falling victim to these scams; therefore emails should be well scrutinized to ensure they’re from genuine sources before being opened. Nothing should be taken for granted and once something is out of place, it should be considered a red flag. Websites claiming to offer STOP/DJVU ransomware online key decryption services should be ignored because there is a high chance they’re being used to further spread other types of ransomware or for extortion purposes.

Remove BYYA Ransomware/Decrypt Infected Files

It is time to remove BYYA ransomware virus if you haven’t already. An infected computer should be set up in Safe Mode with Networking before any attempt is made toward activating and running a good antivirus on it. The use of RESTORO in repairing damaged files is also recommendable. Once the task of BYYA ransomware removal is accomplished, the following steps would need to be taken:

Inform relevant regulatory authorities.Make use of your backup device in restoring encrypted files.Research more on ways files encrypted by STOP/DJVU ransomware versions could be decrypted or repaired.Passwords used in the compromised computer should be changed right away.

OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove BYYA Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove BYYA Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt BYYA files

Fix and open large BYYA files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. BYYA Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt BYYA files, follow the given tutorial.

Meanings of decryptor’s messages

The BYYA decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your BYYA extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of BYYA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.