Identify & Remove .BAGAJAI Ransomware (MedusaLocker3)

Summary
– The user’s web server has been infected with ransomware that encrypted all files and added a .BAGAJAI extension, including backups.
– Ransomware identification attempts through Stop Ransomware and ID Ransomware sites failed to identify the specific malware variant.
– The ransom note provides a personal ID and demands contact via TOR page or email addresses recovery1@amniyat.xyz and recovery1@salamati.vip.
– Anti-malware scans detected malicious files including chisel.exe in the Windows temp folder and multiple Mimikatz-related trojans in a disabled user profile.
– The user has limited budget for recovery and is seeking assistance after exhausting initial troubleshooting steps with no solution.
Finding yourself locked out of critical data by the .BAGAJAI ransomware, a variant of MedusaLocker3, presents a serious and stressful situation, particularly for small business owners operating on tight budgets. This malicious software systematically encrypts files across a system, appending the .BAGAJAI extension and leaving behind a ransom note, typically named something like “readtodecrypt_files.html.” The attackers demand payment, usually in cryptocurrency, in exchange for a decryption key.
Victims often discover that their backups have also been encrypted, which severely limits recovery options. In the case described, submitting samples to platforms like ID Ransomware and the No More Ransom project yielded no identification or free decryption tools, indicating this might be a new or less common variant. The ransom note provides a unique personal identifier and instructs contact via a Tor site or specific email addresses, such as recovery1@amniyat.xyz and recovery1@salamati.vip.
Security scans can sometimes uncover the infection’s remnants. In this instance, Emsisoft Anti-Malware detected a suspicious file, “chisel.exe,” in the Windows Temp directory, flagged as “Gen:Variant.Bulz.236620.” More significantly, a treasure trove of malicious executables was found within a long-disabled user profile. These files, located in directories like “Documents” and “Music,” included detections for multiple Mimikatz-related trojans and other generic malware, suggesting the attacker used credential dumping tools to gain deeper access.
The presence of files such as “BAGAJAI.exe,” “dump.bat,” and various Mimikatz components (“mimikatz.dll,” “mimilib.dll”) points to a sophisticated attack where the intruder likely harvested system credentials to move laterally and deploy the ransomware. The discovery of Mimikatz components is particularly alarming as this tool is widely used by attackers to extract passwords and escalate privileges on a compromised network.
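The indicators above (the .BAGAJAI extension on encrypted files, the readtodecrypt_files.html note, and the tooling recovered from the Temp directory and the disabled profile) are easy to sweep for across a file listing before deciding on recovery. The following triage helper is an added example, not code from the BleepingComputer thread or from any tool named there; it runs over a constructed file listing (the paths, user name "olduser" and backup drive letter are assumptions) and groups the findings the way an incident responder would want them: how many files were encrypted and where, where the ransom notes landed, and whether credential-dumping components turned up and under which user profile.

```python
"""Triage helper for a suspected .BAGAJAI (MedusaLocker3) infection.

Added example, not code from the original thread.  It scans a list of file
paths (here a constructed listing) for the indicators described on the page:
files renamed with the .BAGAJAI extension, the readtodecrypt_files.html ransom
note, and the attacker tooling (chisel.exe, BAGAJAI.exe, dump.bat, Mimikatz
DLLs) found on the compromised host.  In a real investigation the listing
would come from a directory walk of a powered-down disk image or a read-only
mount, never from the still-infected, network-connected server.
"""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

ENCRYPTED_EXT = ".bagajai"
RANSOM_NOTE = "readtodecrypt_files.html"
# File names named on the page; matching is case-insensitive.
KNOWN_ARTIFACTS = {"chisel.exe", "bagajai.exe", "dump.bat", "mimikatz.dll", "mimilib.dll"}
CREDENTIAL_TOOLS = {"mimikatz.dll", "mimilib.dll", "dump.bat"}


def owning_profile(path: PureWindowsPath) -> Optional[str]:
    """Return the profile name for paths under <drive>\\Users\\<name>\\..., else None."""
    parts = path.parts
    if len(parts) >= 3 and parts[1].lower() == "users":
        return parts[2]
    return None


def triage(file_paths: Iterable[str]) -> Dict[str, object]:
    """Summarise ransomware indicators found in a list of Windows file paths."""
    encrypted_by_top_dir: Counter = Counter()
    ransom_notes: List[str] = []
    artifacts: List[Tuple[str, str]] = []
    by_profile: Dict[str, List[str]] = defaultdict(list)
    encrypted = 0

    for raw in file_paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name.endswith(ENCRYPTED_EXT):
            encrypted += 1
            # First directory below the drive root, e.g. "inetpub" or "Backups".
            top = p.parts[1] if len(p.parts) > 2 else p.anchor
            encrypted_by_top_dir[top] += 1
        elif name == RANSOM_NOTE:
            ransom_notes.append(str(p))
        if name in KNOWN_ARTIFACTS:
            artifacts.append((str(p), name))
            profile = owning_profile(p)
            if profile:
                by_profile[profile].append(name)

    return {
        "encrypted_files": encrypted,
        "encrypted_by_top_dir": dict(encrypted_by_top_dir),
        "ransom_notes": ransom_notes,
        "artifacts": artifacts,
        "artifacts_by_profile": dict(by_profile),
    }


def credential_theft_suspected(report: Dict[str, object]) -> bool:
    """True when Mimikatz components or a dump script were found anywhere."""
    return any(name in CREDENTIAL_TOOLS for _, name in report["artifacts"])


# Constructed sample listing modelled on the page's findings (not real data).
SAMPLE_LISTING = [
    r"C:\inetpub\wwwroot\index.php.BAGAJAI",
    r"C:\inetpub\wwwroot\config.php.BAGAJAI",
    r"C:\inetpub\wwwroot\readtodecrypt_files.html",
    r"D:\Backups\site-2024-01.zip.BAGAJAI",
    r"D:\Backups\readtodecrypt_files.html",
    r"C:\Windows\Temp\chisel.exe",
    r"C:\Users\olduser\Documents\BAGAJAI.exe",
    r"C:\Users\olduser\Documents\dump.bat",
    r"C:\Users\olduser\Music\mimikatz.dll",
    r"C:\Users\olduser\Music\mimilib.dll",
    r"C:\Users\admin\Desktop\notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"encrypted files: {result['encrypted_files']} {result['encrypted_by_top_dir']}")
    print(f"ransom notes:    {result['ransom_notes']}")
    for path, name in result["artifacts"]:
        print(f"artifact:        {name:14s} {path}")
    print(f"credential theft suspected: {credential_theft_suspected(result)}")
```

The per-directory count is what tells you whether the backup location was hit as well (the page's case, where the D:\Backups copy is encrypted too), and the per-profile grouping makes it obvious when a dormant account was used as a staging area, which is a sign the credentials for that account were compromised and should be treated as burned along with everything else on the host.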
For anyone facing this threat, the immediate steps involve complete isolation of the infected system from the network to prevent further spread. You should never pay the ransom, as this funds criminal activity and does not guarantee you will get your files back. Instead, focus on identifying a clean, offline backup from which to restore your data. If no clean backup exists, consulting a professional incident response team is the most reliable course of action. They can help analyze the breach, ensure the attacker is fully removed from the environment, and assist with the recovery process.
(Source: Bleeping Computer)

