I was recently called into a client because a Windows server had failed, knocking one of their key websites off the internet. On attending site I had great difficulty accessing the server, and after much work (which I'll detail below) I was confronted with a message like the one above, and discovered that all files stored on the server had been encrypted with the .bip file extension. The problem was made worse by the fact that all files within the Program Files folder were also encrypted.
A quick Google search showed that the server had become infected with the .Bip Dharma Ransomware. Examining the backups the server made, because they were online backups, the ransomware had reached out and begun encrypting the backups as well. Fortunately, much of the data was also stored offline, but those backups were some weeks old.
The server in question was acting as a web and file server for their office, and access to it was restricted by Active Directory, the files for which were within the Program Files folder and were also encrypted. So the only way I could gain access to the server at all was through the Active Directory Recovery Mode, which also restricted what could be done on the server.
For example, while the server was in this mode I was not allowed to remove the Active Directory access restrictions that were preventing me from logging in as Administrator. However, its access did allow me enough to be able to work on it.
How I dealt with the problem!
First of all I turned to Google, and to remove the ransomware everyone seemed to recommend . . .
Which does indeed get rid of the ransomware, and is in fact what I downloaded and installed to ensure that no further harm was done.
However, when you download Spyhunter it only detects the problem; it will not remove it unless you pay for the subscription. There currently seems to be no better way of removing the .Bip Dharma Ransomware infection.
I ran this and cleansed the computer of the infection. However, all the files were still encrypted and useless.
Numerous sites recommend looking for deleted files and trying various decryption programs. However, none of these worked on the variant this server had been encrypted by; in fact none of them recognised the .bip file extension as being connected with ransomware at all.
I followed advice and scanned the computer for deleted files, hoping that when the ransomware encrypted and then deleted each file the original might have remained in a recoverable state, but this was all for naught.
With all the latest files remaining encrypted, and Windows not being operable with the contents of the Program Files folder encrypted and unusable, we came to the decision to put the server back into use with the existing backup files, but to store all of the encrypted files in case decryption tools become available in the future. So we took a backup of the server, formatted it, and restored the files from old backups, then configured the system with new passwords in case any data such as passwords had been sent to the author of the ransomware while it was operating.
Recommended Plan to Deal with .Bip Dharma Ransomware
1: Remove the Ransomware with Spyhunter or the like.
2: Backup all encrypted files for possible decryption in the future.
3: Format the machine completely, and set up from scratch using any pre-infection backups you have.
4: Change all passwords stored or used on that machine.
5: Backup, Backup, Backup!
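Steps 2 and 5 above are where most of the recovery effort goes, so here is an added helper (my own example, not code from the original post) that inventories the files carrying the .bip extension into a manifest with sizes and SHA-256 hashes, so the preserved copies can be verified whenever a decryptor appears, and that checks whether a backup set has been reached by the ransomware before you trust it for a restore. Only the `.bip` suffix from this post is assumed; the directory layout is whatever you point it at.

```python
import hashlib
import json
from pathlib import Path

RANSOM_EXT = ".bip"  # extension the Dharma variant described above appended


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large encrypted files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_encrypted(root, ext=RANSOM_EXT):
    """Walk `root` and return one record per encrypted file: path relative to
    root, the original name with the ransomware extension stripped, the size
    and a SHA-256 hash, so a preserved copy can be checked before decryption."""
    root = Path(root)
    records = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name.lower().endswith(ext):
            records.append({
                "path": str(p.relative_to(root)),
                "original_name": p.name[:-len(ext)],
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            })
    return records


def backup_set_status(root, ext=RANSOM_EXT):
    """Count files in a backup set and how many carry the ransomware extension.
    Any non-zero count means the set was reachable from the infected host
    (the situation with the online backups) and must not be used for restore."""
    root = Path(root)
    total = encrypted = 0
    for p in root.rglob("*"):
        if p.is_file():
            total += 1
            if p.name.lower().endswith(ext):
                encrypted += 1
    return {"files": total, "encrypted": encrypted, "clean": encrypted == 0}


def write_manifest(records, dest):
    """Write the inventory as one JSON object per line beside the kept copies."""
    with open(dest, "w", encoding="utf-8") as f:
        for r in records:
            f.write(json.dumps(r) + "\n")
    return len(records)
```

Run `backup_set_status` against each backup location before restoring; only a set reporting `clean: True` is a candidate for step 3.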