
.crypt file extension virus: decrypt and remove de_crypt_readme ransomware

The post describes and advises on handling a ransomware variant that adds .crypt to filenames and creates de_crypt_readme ransom payment instructions.

It is startling what ideas occur to cybercriminals with plenty of technical expertise and time on their hands. File-encrypting ransomware is probably their worst invention so far, given the consequences for the users who fall victim: personal files can no longer be opened, and a ransom is demanded to get them back. One recent sample imitates the look and feel of other widespread crypto viruses, but it turned out to have been developed independently. The strain in question claims in its ransom notes to encrypt data with RSA-4096, appends .crypt to filenames, and drops three editions of the ransom note: de_crypt_readme.html, de_crypt_readme.bmp, and de_crypt_readme.txt.

de_crypt_readme.html ransom notes edition

According to reverse-engineering analysis of captured samples, this ransomware belongs to the CryptXXX family; at the time of writing, CryptXXX 2.0 is in the wild compromising Windows PCs. One of its distinguishing features is distribution through the Angler exploit kit: the extortionists deliver the infection through hacked websites, mostly popular media portals, which puts a large audience at risk. A visitor to one of these covertly compromised sites is redirected to Angler's landing page, where the exploit kit fingerprints the browser and its plugins, finds security flaws in outdated software, and uses them to drop and run the ransomware without any action on the user's part.

Courtesy of Kaspersky Lab, the first iteration of CryptXXX was cracked and users were able to recover their data with a purpose-built decryptor. The 2.0 version cannot be decrypted this way: victims get an error saying “Encrypted file size does not equal to original”. Evidently the black hats took the weaknesses of their earlier code into account and rolled out an update that defeats the decryptor.

de_crypt_readme.bmp instructions added by .crypt file virus

As mentioned, files hit by this Trojan get the .crypt extension appended: an image named chamomile.jpg becomes chamomile.jpg.crypt. Renaming the file to remove the .crypt part does not help; the contents are still encrypted and the file stays just as inaccessible as before. To determine which data to encrypt, CryptXXX scans the hard drive, removable drives and mapped network shares for a predefined list of extensions, targeting what is likely to matter most: pictures, text documents, spreadsheets, presentations, databases and hundreds of other formats.
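The renaming point above can be verified rather than taken on trust. The following Python script is an added example, not code from the original post or from any vendor it mentions: it strips the ransomware suffix, looks up the magic bytes of the original format and, for formats without a known signature, falls back to a byte-entropy measure, so a file that was merely renamed is told apart from one whose contents were actually encrypted. It goes beyond the post by also handling the .cryp1 suffix of the later CryptXXX build; the suffix list, the signature table, the 7-bits-per-byte threshold and the sample files are this example's own assumptions.

```python
import math
import os
import random
import tempfile

# Suffixes the CryptXXX builds on this page append to encrypted files.
# Assumption: the list only covers the posts above; extend it for other families.
RANSOM_SUFFIXES = (".crypt", ".cryp1")

# Leading bytes ("magic") of a few common personal-file formats. A file that
# still starts with its format's signature was merely renamed, not encrypted.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
}


def strip_ransom_suffix(name):
    """'chamomile.jpg.crypt' -> ('chamomile.jpg', '.crypt'); no suffix -> (name, None)."""
    lower = name.lower()
    for suffix in RANSOM_SUFFIXES:
        if lower.endswith(suffix):
            return name[: -len(suffix)], suffix
    return name, None


def shannon_entropy(data):
    """Bits of entropy per byte; uniformly random (encrypted) data scores close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name, head):
    """Classify a file from its name and first bytes.

    'renamed'   - known format whose signature is intact (stripping the suffix restores it)
    'encrypted' - signature gone, or no known signature and near-random content
    'plaintext' - no known signature and low entropy, i.e. still readable
    'unknown'   - filename carries none of the ransomware suffixes
    """
    original, suffix = strip_ransom_suffix(name)
    if suffix is None:
        return "unknown"
    ext = os.path.splitext(original)[1].lower()
    signature = MAGIC.get(ext)
    if signature is not None:
        # CryptXXX encrypts the whole file, so the header does not survive.
        return "renamed" if head.startswith(signature) else "encrypted"
    return "encrypted" if shannon_entropy(head) > 7.0 else "plaintext"


def scan_tree(root, head_bytes=4096):
    """Classify every file under root that carries one of RANSOM_SUFFIXES."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if strip_ransom_suffix(name)[1] is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)
            report[os.path.relpath(path, root)] = classify(name, head)
    return report


def demo():
    """Constructed sample tree: one JPEG that was only renamed, two files that
    really are encrypted, and one plain text file given the suffix by hand."""
    rng = random.Random(1)                       # deterministic stand-in for ciphertext
    junk = bytes(rng.getrandbits(8) for _ in range(4096))
    root = tempfile.mkdtemp()
    samples = {
        "chamomile.jpg.crypt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + junk[:2000],
        "budget.xlsx.crypt": junk,
        "notes.txt.cryp1": junk[:3000],
        "letter.txt.crypt": b"Dear Sir, please find the invoice attached.\n" * 60,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_tree(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {path}")
```

Run it against the real drive by calling scan_tree on the user's profile folder; anything reported as renamed can be fixed by removing the suffix, anything reported as encrypted needs one of the recovery options below.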

CryptXXX Decrypt Service page

The de_crypt_readme.html (.bmp, .txt) ransom notes tell the victim to purchase the private RSA-4096 key in order to decrypt the data. The price is 1.2 Bitcoin, about 500 USD at the time. The money is payable through a Decrypt Service page hosted on the Tor (The Onion Router) anonymity network. The site displays a countdown showing the time left before the ransom doubles, and offers built-in payment options. Interestingly, the criminals call their recovery tool the “Google Decrypter”, a lame attempt to lend the attack some credibility.

All in all, a .crypt file extension ransomware attack is a bad turn of events. No free decryptor is currently available for this version, and paying the ransom is not advisable. In many incidents, however, users have reportedly been able to retrieve their files with Shadow Explorer or professional data recovery suites, so these techniques are certainly worth a try.

Automatic removal of .crypt virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Following this workflow helps ensure that the ransomware's components are found and removed from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .crypt files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .crypt files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Backups are the most reliable fix. If you have been keeping copies of your data in a remote location, remove the infection first and then use the restore feature your backup provider offers to reinstate all encrypted items. One caveat: a cloud sync folder (OneDrive, Dropbox and the like) may have uploaded the encrypted versions over the good ones, in which case you need the provider's version history to roll them back.

Option 2: Recovery tools
Research into the CryptXXX virus reveals an important detail about how it processes the victim's data: the encrypted copy is written as a new file and the original is deleted afterwards. Deleted files do not vanish from the disk at once; their clusters stay in place until something overwrites them, so data recovery software can often bring them back. Try this as early as possible and write as little as possible to the drive in the meantime, since every new write reduces the chances.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Shadow Copy Service, or VSS, which takes point-in-time snapshots of volumes automatically. One critical prerequisite is that System Protection (System Restore) was turned on for the drive. If it was, and the ransomware did not wipe the snapshots (many families run vssadmin delete shadows /all /quiet for exactly this reason), some or all of the data can be recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file or folder and choose Properties in the context menu. Open the Previous Versions tab to view the snapshots that contain it. Depending on the preferred action, click Restore to recover the item to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It is remarkably easy to browse shadow copies with a free tool like Shadow Explorer. Download and install it, let it build a profile of the file hierarchy, and get down to the restoration proper: pick the drive and snapshot date from the lists (choose a snapshot taken before the encryption, or you will export the encrypted copies), then right-click on the files or folders to recover and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .crypt file virus scanner and remover

The post .crypt file extension virus: decrypt and remove de_crypt_readme ransomware appeared first on Keone Software.


CryptXXX v3.0 ransomware: .cryp1 file virus recovery

Get up-to-date advice on restoring files encrypted by CryptXXX v3.x, the latest edition of the widespread ransom Trojan released with quite a few enhancements.

The crypto ransomware under consideration isn't brand new, but its authors appear to be continuously working on the code and have rolled out three updates over the course of a month. The latest variant has a number of changes under the hood, including a more robust crypto implementation and new wording of the ransom notes. Once the plague has finished encrypting data, it presents recovery instructions in the following files: !Recovery_[victim ID].txt, !Recovery_[victim ID].html and !Recovery_[victim ID].bmp. The string in brackets is the personal identifier the virus assigns to every infected user during the compromise. These documents appear on the desktop and inside each folder that holds encrypted files.

!Recovery_[victim ID].html ransom instructions

As before, CryptXXX 3.0 targets the same range of file formats: Microsoft Office files of all sorts, media, databases, PDFs and dozens of other types. To locate them, the ransomware recursively scans local drives, removable devices and mapped network shares, comparing each file's extension against a hard-coded list. Having found the victim's personal data, the Trojan encrypts every match with a combination of RSA-4096 and RC4 (Rivest Cipher 4). Not only do these objects become inaccessible, but they also get the .cryp1 extension appended to the original full filename.

CryptXXX 3.0 payment service

Unlike the previous two versions, CryptXXX v3.0 cannot be cracked with Kaspersky's RannohDecryptor. The ransomware developers tried so hard to keep that tool from recovering data for free that they initially broke their own paid decryptor; the bug has reportedly been fixed at the time of writing. Researchers from several security labs report that the file blocks enciphered with RC4 can be decrypted, but the RSA-encrypted blocks are not recoverable without the private key.

The sum that CryptXXX v3.x distributors demand is around 1.2 BTC, approximately 500 USD at the time. Victims can get one file decrypted for free as proof. If the initial payment deadline expires, the sum doubles. Given the glitches users have run into with the criminals' decryptor, paying is a poor option, quite apart from the fact that it funds further attacks. Trying Shadow Volume Copies and recovery suites first is definitely worthwhile.

Automatic removal of CryptXXX 3.0 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Following this workflow helps ensure that the ransomware's components are found and removed from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download CryptXXX v3.0 removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .cryp1 files ciphered by the CryptXXX v3.0 ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Backups are the most reliable fix. If you have been keeping copies of your data in a remote location, remove the infection first and then use the restore feature your backup provider offers to reinstate all encrypted items. One caveat: a cloud sync folder (OneDrive, Dropbox and the like) may have uploaded the encrypted versions over the good ones, in which case you need the provider's version history to roll them back.

Option 2: Recovery tools
Research into the CryptXXX 3.0 virus reveals an important detail about how it processes the victim's data: the encrypted copy is written as a new file and the original is deleted afterwards. Deleted files do not vanish from the disk at once; their clusters stay in place until something overwrites them, so data recovery software can often bring them back. Try this as early as possible and write as little as possible to the drive in the meantime, since every new write reduces the chances.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Shadow Copy Service, or VSS, which takes point-in-time snapshots of volumes automatically. One critical prerequisite is that System Protection (System Restore) was turned on for the drive. If it was, and the ransomware did not wipe the snapshots (many families run vssadmin delete shadows /all /quiet for exactly this reason), some or all of the data can be recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file or folder and choose Properties in the context menu. Open the Previous Versions tab to view the snapshots that contain it. Depending on the preferred action, click Restore to recover the item to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It is remarkably easy to browse shadow copies with a free tool like Shadow Explorer. Download and install it, let it build a profile of the file hierarchy, and get down to the restoration proper: pick the drive and snapshot date from the lists (choose a snapshot taken before the encryption, or you will export the encrypted copies), then right-click on the files or folders to recover and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download CryptXXX v3.0 scanner and remover

The post CryptXXX v3.0 ransomware: .cryp1 file virus recovery appeared first on Keone Software.

RAA ransomware removal and decryptor

The breaking news in the cyber world is the emergence of a new crypto virus written entirely in JavaScript, which carries a real risk of wider spread.

The program dissected in this post is RAA ransomware, and its behaviour lives up to the unflattering associations the name evokes: extortion. The JavaScript-based RAA ransomware encrypts the victim's personal files and demands a payment for their recovery. It uses the Advanced Encryption Standard (AES-256) to lock 16 file types including documents, videos, audio and pictures, which means that, absent an implementation flaw, none of these can be restored by attacking the cipher itself. The cost of this disgusting ‘service’ varies, but it is around 0.39 Bitcoin most of the time.

Ransom note shown by RAA JavaScript ransomware

As already mentioned, some aspects of RAA ransomware are not fixed. The size of the ransom depends on how greedy the particular distributor is, because this infection is one of the few offered under a ‘malware as a service’ model: practically anyone can sign up with the affiliate platform through a Tor (.onion) page. An easy-to-use dashboard lets the would-be criminal configure a custom build by setting parameters such as the BTC amount to demand, when the lock screen appears, the type of message box and a few more. In the end, the fraudster gets a fine-tuned build with a few keystrokes and mouse clicks.

RAA does not drop a separate executable when the phishing-borne infection takes place. The email attachment masquerades as an MS Word document, but on closer inspection it is a plain .js file, which Windows hands to the built-in Windows Script Host (wscript.exe) when double-clicked. This should be taken seriously for two reasons. First, the same JavaScript code could be adapted so that Mac and Linux systems are exposed to the crypto attack. Second, the delivery is easy to block: changing the default handler for .js files from Windows Script Host to Notepad, or disabling Windows Script Host altogether, stops attachments of this kind from running when opened.

Additionally, this virus drops the Pony password stealer alongside the ransomware, so any credentials saved in browsers, email and FTP clients on the machine should be treated as compromised and changed once the cleanup is done.

Though no tool can currently decrypt files affected by the RAA JavaScript ransom Trojan, a few tips are worth putting into practice for the sake of recovery.

Automatic removal of the RAA JavaScript ransomware

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Following this workflow helps ensure that the ransomware's components are found and removed from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download RAA Ransomware removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the JavaScript ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files locked by the RAA JavaScript ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups

Backups are the most reliable fix. If you have been keeping copies of your data in a remote location, remove the infection first and then use the restore feature your backup provider offers to reinstate all encrypted items. One caveat: a cloud sync folder (OneDrive, Dropbox and the like) may have uploaded the encrypted versions over the good ones, in which case you need the provider's version history to roll them back.

Option 2: Recovery tools

Research into the RAA JavaScript ransomware reveals an important detail about how it processes the victim's data: the encrypted copy is written as a new file and the original is deleted afterwards. Deleted files do not vanish from the disk at once; their clusters stay in place until something overwrites them, so data recovery software can often bring them back. Try this as early as possible and write as little as possible to the drive in the meantime, since every new write reduces the chances.

Download Data Recovery Pro

Option 3: Shadow Copies

The Windows operating system incorporates a technology referred to as the Volume Shadow Copy Service, or VSS, which takes point-in-time snapshots of volumes automatically. One critical prerequisite is that System Protection (System Restore) was turned on for the drive. If it was, and the ransomware did not wipe the snapshots (many families run vssadmin delete shadows /all /quiet for exactly this reason), some or all of the data can be recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file or folder and choose Properties in the context menu. Open the Previous Versions tab to view the snapshots that contain it. Depending on the preferred action, click Restore to recover the item to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It is remarkably easy to browse shadow copies with a free tool like Shadow Explorer. Download and install it, let it build a profile of the file hierarchy, and get down to the restoration proper: pick the drive and snapshot date from the lists (choose a snapshot taken before the encryption, or you will export the encrypted copies), then right-click on the files or folders to recover and click Export.

Did the problem go away? Check and see

Computer threats like ransomware can be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download RAA JavaScript Ransomware scanner and remover

The post RAA ransomware removal and decryptor appeared first on Keone Software.

Zepto virus ransomware: how to decrypt .zepto extension files

Learn a viable workaround to recover .zepto files ransomed by a new variant of the Locky crypto virus, which is currently on the rise after a lengthy halt.

Discovering that most files on a computer suddenly got a .zepto extension is a frustrating scenario. This is not a cosmetic display glitch: it means the machine has been hit by extortion code at its worst. The culprit is the recent remake of Locky, a widespread ransom Trojan that has already terrified thousands of users and organizations. The updated edition compromises PCs by means of phishing, with interesting-looking emails serving as bait. If the targeted person opens a rogue invoice or other file attached to one of these messages, the ransomware is deployed in seconds: the loader writes a randomly named executable to the AppData path, and that process begins the encryption stage of the attack.

The ‘_[random number]_HELP_instructions.bmp’ image becomes the desktop background

The Zepto malware first scans the hard drive, plugged-in media such as memory sticks, and network shares for files whose extensions mark them as personal data rather than operating system components; only the former are encrypted. The ransomware uses a two-tier crypto routine to lock the data. The first tier is the Advanced Encryption Standard (AES) with a 128-bit key, which encrypts the file contents.

To raise the bar even higher, the malware then uses the attackers' RSA-2048 public key to encrypt that AES key, so the file key cannot be recovered without the matching private key. Filenames change as well: each becomes a long string of numbers and characters with .zepto in place of the original extension. This tactic lets the threat actors dictate stringent conditions that the victim has to meet or risk losing the information.

The new format of encrypted files

Locky expresses these conditions in files named according to the following format: “_[random number]_HELP_instructions.html” and “_[random number]_HELP_instructions.bmp”. The victim cannot miss the BMP version, as it becomes the new desktop wallpaper; the HTML counterpart is dropped inside every folder with encrypted files. Both say, “All of your files are encrypted with RSA-2048 and AES-128 ciphers”. To receive the unique private key, the infected user is told to visit one of several Tor pages listed in the notes, eventually landing on the “Locky Decryptor Page” with a Bitcoin address to which about 0.5 BTC (roughly $300 at the time) is to be sent. While paying the ransom may seem the only way out, it is not: several other techniques have worked reasonably well for recovering data locked by Zepto and similar ransom Trojans.

Automatic removal of .zepto virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Following this workflow helps ensure that the ransomware's components are found and removed from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .zepto files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .zepto files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Backups are the most reliable fix. If you have been keeping copies of your data in a remote location, remove the infection first and then use the restore feature your backup provider offers to reinstate all encrypted items. One caveat: a cloud sync folder (OneDrive, Dropbox and the like) may have uploaded the encrypted versions over the good ones, in which case you need the provider's version history to roll them back.

Option 2: Recovery tools
Research into the Zepto virus reveals an important detail about how it processes the victim's data: the encrypted copy is written as a new file and the original is deleted afterwards. Deleted files do not vanish from the disk at once; their clusters stay in place until something overwrites them, so data recovery software can often bring them back. Try this as early as possible and write as little as possible to the drive in the meantime, since every new write reduces the chances.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Shadow Copy Service, or VSS, which takes point-in-time snapshots of volumes automatically. One critical prerequisite is that System Protection (System Restore) was turned on for the drive. If it was, and the ransomware did not wipe the snapshots (many families run vssadmin delete shadows /all /quiet for exactly this reason), some or all of the data can be recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file or folder and choose Properties in the context menu. Open the Previous Versions tab to view the snapshots that contain it. Depending on the preferred action, click Restore to recover the item to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It is remarkably easy to browse shadow copies with a free tool like Shadow Explorer. Download and install it, let it build a profile of the file hierarchy, and get down to the restoration proper: pick the drive and snapshot date from the lists (choose a snapshot taken before the encryption, or you will export the encrypted copies), then right-click on the files or folders to recover and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Zepto virus scanner and remover

The post Zepto virus ransomware: how to decrypt .zepto extension files appeared first on Keone Software.

RSA-4096 virus: decrypt files and remove ransomware

Being hit by the RSA-4096 ransom Trojan isn’t that much of a jeopardy if the user efficiently gets rid of the infection and follows several recovery steps.

“Attention! Your files are encrypted.”

When confronted with a file-encrypting ransomware sample, it can be hard to tell bluff from truth. For example, a couple of widespread strains claim in their alerts to use the RSA-4096 public-key cryptosystem to encipher their victims' files, a statement that should not be taken at face value. These are chiefly TeslaCrypt and the more recent CryptXXX. Fortunately, there is good news regarding TeslaCrypt: the crooks behind that campaign abandoned the project in late May and released the master decryption key, so all infected users can restore their frozen data without paying. CryptXXX, however, appears to have inherited the nastiest characteristics of this now extinct virus.

RSA-4096 ransom instructions in HTML format

Getting back to the subject of this post, the reference to the RSA-4096 algorithm is more of an intimidation trick than the genuine state of things. According to analysis of the CryptXXX code by security professionals, this ransomware more likely uses a combination of AES-256 and RSA-2048 to encrypt files. That does not make remediation any easier: no implementation flaw is known in this version, and these ciphers cannot be broken by brute force.

And yet, the threat in question does not state its name anywhere in the ransom notes it creates, so people tend to identify and look up their problem by the RSA4096 term. The software the cybercrooks promote for decrypting data is dubbed “Microsoft decryptor”. The ransom notes are titled “README.html”, “README.txt”, and “README.bmp”; CryptXXX drops them into every folder with encrypted data. They open with “Attention! Your files are encrypted”.

Files jumbled by the new edition of CryptXXX

This ransomware is distributed by means of the Angler exploit kit. For the attack to take place, the attackers need to redirect users to the exploit kit's landing page. This happens when the person visits a compromised website into which an obfuscated redirect script has been injected. Then, if the computer runs an unpatched version of Java or Adobe Flash Player, the exploit kit uses those vulnerabilities to drop and execute the ransomware behind the scenes.

CryptXXX scours the infected PC and network shares for a range of file extensions corresponding to the most important user data. It then encrypts all of these files, replaces each filename with 32 hexadecimal characters and appends a random extension such as “.5DE82”. Since there is no way to open, edit or otherwise access these objects, the victim ends up studying the ransom instructions: full restoration is a matter of paying 1.2 Bitcoin (about $500) within 100 hours of encryption, after which the ransom increases. Security labs and law enforcement agencies, including the FBI, advise ransomware victims, both end users and companies, not to pay. Though the temptation to follow the criminals' demands can be understandable in some cases, it is strongly recommended to try alternative techniques first.
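Before trying any recovery, it helps to know exactly which family you are dealing with, which folders hold ransom notes and roughly when the encryption started. The Python script below is an added example, not code from the original posts: it walks a directory tree and matches filenames against the ransom-note names and encrypted-file naming schemes quoted in the posts on this page (de_crypt_readme.*, !Recovery_[id].*, _[n]_HELP_instructions.*, README.*, and the .crypt, .cryp1, .zepto and 32-hex-plus-random-extension schemes), reporting per family the notes found, the number of encrypted files and the earliest modification time among them. The regexes are this example's approximations of those descriptions; the five-character hex suffix, the content check for README files and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

# Ransom-note filenames and encrypted-file naming schemes as described in the
# posts on this page, as (note regex, encrypted-file regex). The regexes are this
# example's own approximation; the 5-character hex suffix for the newest CryptXXX
# build is an assumption based on the single ".5DE82" sample quoted above.
FAMILIES = {
    "CryptXXX 2.x (.crypt)": (
        re.compile(r"^de_crypt_readme\.(html|bmp|txt)$", re.I),
        re.compile(r".+\.crypt$", re.I),
    ),
    "CryptXXX 3.0 (.cryp1)": (
        re.compile(r"^!Recovery_[A-Za-z0-9]+\.(txt|html|bmp)$", re.I),
        re.compile(r".+\.cryp1$", re.I),
    ),
    "Locky/Zepto (.zepto)": (
        re.compile(r"^_\d+_HELP_instructions\.(html|bmp)$", re.I),
        re.compile(r"^[0-9A-Fa-f-]{16,}\.zepto$"),
    ),
    "CryptXXX hex names (README.*)": (
        re.compile(r"^README\.(html|txt|bmp)$", re.I),
        re.compile(r"^[0-9A-F]{32}\.[0-9A-F]{5}$", re.I),
    ),
}

# README.* is a common legitimate filename, so for that family a note is only
# accepted if it contains the phrase quoted on this page from the real notes.
NOTE_MARKER = b"your files are encrypted"


def is_ransom_note(path, family):
    if "README" not in family:
        return True
    try:
        with open(path, "rb") as fh:
            return NOTE_MARKER in fh.read(65536).lower()
    except OSError:
        return False


def inventory(root):
    """Walk root and return, per family, the ransom notes found, the number of
    encrypted files and the earliest encrypted-file mtime (a rough time of
    encryption, useful when deciding which backup or snapshot predates it)."""
    result = {f: {"notes": [], "encrypted": 0, "earliest": None} for f in FAMILIES}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for family, (note_rx, file_rx) in FAMILIES.items():
                entry = result[family]
                if note_rx.match(name) and is_ransom_note(path, family):
                    entry["notes"].append(os.path.relpath(path, root))
                elif file_rx.match(name):
                    entry["encrypted"] += 1
                    mtime = os.path.getmtime(path)
                    if entry["earliest"] is None or mtime < entry["earliest"]:
                        entry["earliest"] = mtime
    return {f: v for f, v in result.items() if v["notes"] or v["encrypted"]}


def demo():
    """Constructed sample tree covering every naming scheme on this page,
    plus one ordinary README.txt that must not be reported."""
    root = tempfile.mkdtemp()
    files = {
        "Documents/chamomile.jpg.crypt": b"",
        "Documents/de_crypt_readme.txt": b"",
        "Documents/de_crypt_readme.html": b"",
        "Pictures/3F2A9C0B1D4E5F60718293A4B5C6D7E8.5DE82": b"",
        "Pictures/README.txt": b"Attention! Your files are encrypted.",
        "Projects/README.txt": b"Build with make; see docs/.",
        "Music/_1234_HELP_instructions.html": b"",
        "Music/024BCD3341D1ACD33EE86DAC4CED7F2C.zepto": b"",
        "Work/report.docx.cryp1": b"",
        "Work/!Recovery_A1B2C3D4.html": b"",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return inventory(root)


if __name__ == "__main__":
    for family, entry in demo().items():
        print(f"{family}: {entry['encrypted']} encrypted, {len(entry['notes'])} notes")
```

On a real machine, call inventory on each drive letter and on mapped shares; the earliest mtime per family is the timestamp to compare against backup dates and shadow copy creation times.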

Automatic removal of RSA4096 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Following this workflow helps ensure that the ransomware's components are found and removed from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download RSA-4096 virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files locked by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Backups are the most reliable fix. If you have been keeping copies of your data in a remote location, remove the infection first and then use the restore feature your backup provider offers to reinstate all encrypted items. One caveat: a cloud sync folder (OneDrive, Dropbox and the like) may have uploaded the encrypted versions over the good ones, in which case you need the provider's version history to roll them back.

Option 2: Recovery tools
The research of RSA-4096 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t vanish completely: the deleted data stays on the disk until it is overwritten and can be retrieved with certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try, ideally before anything else is written to the drive.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered (unless the ransomware has deleted the shadow copies, which many strains attempt to do).

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully hiding their components on a compromised computer to evade removal. Therefore, running an additional security scan will dot the i’s and cross the t’s in terms of the cleanup.

Download RSA-4096 virus scanner and remover

The post RSA-4096 virus: decrypt files and remove ransomware appeared first on Keone Software.

CTB Locker virus: decrypt files and remove ransomware


Stay on top of the CTB Locker ransomware propagation vectors, learn what new features its latest version accommodates and how to restore encrypted files.

When it comes to moneymaking, cybercriminals have not contrived a more efficient instrument for this purpose than ransomware. Well, perhaps the only rivals are banking Trojans, but deploying those is a much riskier venture from the law enforcement perspective. The present-day online extortionists who create and distribute file encrypting programs like CTB Locker have become very good at thwarting attack attribution. Primarily, that’s because they use Tor (The Onion Router) as the main medium for data exchange between victims and C2 servers. Secondly, the ransoms are payable in Bitcoins only. Both of these systems ensure anonymity of transactions, which explains why cybercrooks behind the nastiest ransom Trojans have been on the loose for years.

CTB Locker warning screen looks fancy and menacing at the same time

CTB Locker, also referred to as Critroni, was one of the first strains that could be disseminated as Ransomware-as-a-Service (RaaS). What this means is that different cyber gangs can buy its loader on shady forums for 3000 USD, customize their build and spread it however they wish. The authors of the code proper get a share of the ransoms submitted by victims afterward. It’s like an affiliate platform, only an illegal one.

Regardless of who exactly deposits CTB Locker on a PC, the symptoms are uniform. The payload drops the malicious executable into the Temp path, from which it will be launched every time Windows starts up. By the way, this is kind of a trick because most antiviruses are on the lookout for suspicious activity from entities located under Program Files and several other directories, not Temp. So it’s an AV evasion technique to some extent. Furthermore, the name of this executable tends to change with every new OS boot event.
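One way to hunt for the persistence pattern just described, as an added example that is not code from Keone Software or from any tool the post links to: the function below takes autorun entries as (value name, command) pairs and flags any whose executable resolves to a Temp directory. The environment table, the user name “alice” and the sample Run-key entries are all constructed for the demonstration; on a live machine the entries would be read from the HKCU and HKLM …\CurrentVersion\Run keys, and the changing executable name the post mentions is exactly why matching on the directory rather than the file name is the more robust check.

```python
"""Added example (not Keone Software's code): flag autorun entries whose
target executable lives under a Temp directory, the persistence pattern the
post describes for CTB Locker. Registry access is deliberately avoided so
the logic can be exercised offline with constructed data."""
import ntpath
import re

# Constructed environment for %VAR% expansion (hypothetical user "alice").
ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
}

# Directories from which a legitimate startup program should never be run.
TEMP_DIRS = [r"%TEMP%", r"%SystemRoot%\Temp", r"%LOCALAPPDATA%\Temp"]

_VAR = re.compile(r"%([^%]+)%")


def expand(path, env=ENV):
    """Expand %VAR% references using the supplied environment table."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def executable_of(command):
    """Return the executable path at the head of a Run-key command string,
    honouring the quoting Windows uses for paths containing spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_under(path, directory):
    """Case-insensitive 'path lies inside directory' test for Windows paths."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + "\\")


def suspicious_autoruns(entries, env=ENV):
    """entries: iterable of (value_name, command).
    Returns [(value_name, expanded_executable)] for entries rooted in Temp."""
    hits = []
    for name, command in entries:
        exe = expand(executable_of(command), env)
        if any(is_under(exe, expand(d, env)) for d in TEMP_DIRS):
            hits.append((name, exe))
    return hits


# Constructed sample of a Run key: two normal entries, two Temp-resident ones.
SAMPLE_RUN_KEY = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%SystemRoot%\system32\SecurityHealthSystray.exe"),
    ("kjhgsdf", r'"%TEMP%\kjhgsdf.exe"'),
    ("svchost", r"C:\Windows\Temp\svchost.exe -k"),
]

if __name__ == "__main__":
    for name, exe in suspicious_autoruns(SAMPLE_RUN_KEY):
        print(f"suspicious autorun {name!r} -> {exe}")
```

The second flagged entry shows why the name alone is a poor signal: “svchost” looks legitimate, but a real service host never lives in C:\Windows\Temp.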

A few seconds away from CTB Locker payment demands

When launched, the ransomware performs a hunt for valuable data, scanning all fixed drives, external physical ones and mapped network shares. When CTB Locker detects files that are most likely personal, such as .docx or .bmp items, it encrypts them using a cryptosystem called ‘elliptic curve cryptography’ (ECC). The files therefore cannot be opened or edited, plus the Trojan appends a new extension to each one. These used to be .ctbl or .ctb2 extensions, but recently the offending program started using random ones like .dmmkfrc.

To let the victim know what happened to the data and what to do next, the ransomware changes the desktop background to an ‘AllFilesAreLocked[user_ID].bmp’ image, which says “Your personal files are encrypted by CTB Locker”. This screen also counts down the time left from the original 96 hours, after which the ransom of 0.2 Bitcoins will double. It also creates similar ransom instructions in TXT and HTML format: DecryptAllFiles[user_ID].txt and [random].html, respectively. The newest edition of the virus allows users to recover 5 files for free. Is it possible to get the rest of the data back without paying up to the malefactors? If there is an offsite backup, yes. Otherwise, it depends. In any case, it won’t hurt to try the methods below and see if they can be of help.

Automatic removal of CTB Locker virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download CTB Locker removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by CTB Locker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud backups work wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of CTB Locker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t vanish completely: the deleted data stays on the disk until it is overwritten and can be retrieved with certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try, ideally before anything else is written to the drive.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered (unless the ransomware has deleted the shadow copies, which many strains attempt to do).

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully hiding their components on a compromised computer to evade removal. Therefore, running an additional security scan will dot the i’s and cross the t’s in terms of the cleanup.

Download CTB Locker scanner and remover


Cerber Ransomware Decryptor: files recovery and virus removal tool


This guide covers the process and aftermath of Cerber Ransomware Decryptor attack, which is a new edition of the newsmaking, widespread crypto infection.

Prior to last week, the ransom Trojan called Cerber had been a record-breaker in a way. Having emerged in early March 2016, it had operated in its original form and shape for more than four months, which is quite unusual in the world of crypto viruses, most of which are updated frequently. This state of things has changed, though. The recent revamp of the offending code in question came out dramatic. The troublemaking program is now referred to as “Cerber Ransomware Decryptor”, which is the name indicated in the ransom notes. Furthermore, the previously used combo of recovery instruction documents titled # DECRYPT MY FILES #.html (.vbs, .txt) has been replaced with a single file named “HOW TO DECRYPT FILES.html”, a copy of which is dropped into every folder with ciphered items. It opens up via the default web browser on the infected system.

Cerber Ransomware Decryptor warning

On the one hand, this renders the user interaction part of the compromise simpler and more streamlined. On the other, though, this strain doesn’t appear to be that unique anymore. It used to literally speak to its victims by means of a script in the above-mentioned .vbs edition of the ransom notes. Now Cerber seems to be just one of the many file-encrypting threats out there, with no particular zest under the hood. And yet, it’s using the same powerful distribution channels that keep the infection rate high. Furthermore, the data encryption routine has yet to be cracked – security experts have been unsuccessful in doing it thus far.

As before, this crypto ransomware uses the AES-256 algorithm to encode its victims’ data. A byproduct of this file scrambling is the appending of the “.cerber” string to filenames, which follows the original extension. For example, the infection turns an entry named “vehicle.jpg” into “vehicle.jpg.cerber”. Of course, none of these objects can be accessed due to the flawless implementation of cryptography.

HOW TO DECRYPT FILES.html and encrypted .cerber files within one folder

The wording of the Cerber Ransomware Decryptor recovery instructions (HOW TO DECRYPT FILES.html) has changed as well. Whereas the document still says, “Your documents, photos, databases and other important files have been encrypted”, it continues as follows, “To decrypt your files you need to buy the special software – Cerber Decryptor. All transactions should be performed via Bitcoin network only.” The message also emphasizes that “any attempts to get back your files with the third-party tools can be fatal for your encrypted files.”

The size of the ransom has become lower compared to the previous variant. While it used to amount to 1.24 Bitcoins, now it’s 0.4 Bitcoins, or about 240 USD. The 7-day deadline for submitting this money and subsequent increase of the ransom are no longer the case. This is still cold comfort, though. The infected users face a tough dilemma: to buy their personal data out by paying to the extortionists, or lose the information. However, there is one more option that’s definitely worth a shot. Read the part below and follow the instructions to implement the workaround.

Automatic removal of Cerber Ransomware Decryptor virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Cerber Ransomware Decryptor removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by Cerber Ransomware Decryptor virus

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud backups work wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of Cerber Ransomware Decryptor virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t vanish completely: the deleted data stays on the disk until it is overwritten and can be retrieved with certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try, ideally before anything else is written to the drive.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered (unless the ransomware has deleted the shadow copies, which many strains attempt to do).

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully hiding their components on a compromised computer to evade removal. Therefore, running an additional security scan will dot the i’s and cross the t’s in terms of the cleanup.

Download Cerber Ransomware Decryptor scanner and remover


Cerber2 ransomware virus: decrypt .cerber2 extension files


The cybercrooks behind the Cerber ransomware have taken efforts to bolster their business, crafting an updated edition that appends the .cerber2 extension.

The newcomer to one of the most powerful ransomware campaigns inherits a lot of the same characteristics but also boasts quite a bit of uniqueness. The first striking difference is the “.cerber2” extension that replaced “.cerber” proper in the offending operational model. Secondly, the desktop wallpaper conveying the warning message after the attack is different, now mostly gray with numerous multi-color dots. Another enhancement has to do with the private crypto key, the size of which has doubled to 32 bytes. This particular tweak prevents researchers from breaking the encryption, although there hadn’t been much success in doing so with the previous variant anyway. The Cerber2 spinoff is distributed in the same ways, that is, through exploit kits and phishing. The latter vector is more widespread, though.

New desktop background design for Cerber2

Having made its way on board a Windows computer in a stealthy manner, this ransom Trojan starts with searching for data. The machine’s hard disk, connected devices and network shares undergo a thorough scan, in the course of which the virus compares the victim’s files against a list of extensions embedded in its code. This way, the infection is able to detect personal data as opposed to system components that are critical for the OS to run smoothly. Then, it generates the AES encryption key and uses it to encode all items found during the scan. As a result, not only will the files’ data structure become scrambled, but their names will alter as well. In addition to concatenating the .cerber2 extension, the ransomware also replaces filenames with random gibberish strings of characters.

Inaccessible .cerber2 files along with ransom notes

Then comes the phase where the Trojan straightforwardly tells the victim what happened and expresses its demands. To this end, it creates what’s called ransom notes, or documents with the entirety of recovery advice. Their names are the same as in the previous iteration: # DECRYPT MY FILES #.txt, # DECRYPT MY FILES #.html, and # DECRYPT MY FILES #.vbs. The text edition is opened with Notepad, the HTML one – with the default web browser, and the VBScript sample automatically plays an audio notification that says, “Your documents, photos, databases and other important files have been encrypted!”

Ultimately, the user is told to follow one of several Tor hyperlinks in order to visit their personal page named “Cerber Decryptor”. The page displays a timer that counts down 5 days, which is the period when a special price of the decryptor is valid. It amounts to 1.75 Bitcoin, or about $1000. Starting from day 6 onward, the price becomes 3.5 Bitcoin. Unfortunately, paying this ransom is the only viable way to obtain the decryption key at this point. Before giving up, though, it’s recommended to try a few tips and tricks that may work in some cases.

Automatic removal of Cerber2 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .cerber2 files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by Cerber2 ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud backups work wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of Cerber2 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t vanish completely: the deleted data stays on the disk until it is overwritten and can be retrieved with certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try, ideally before anything else is written to the drive.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered (unless the ransomware has deleted the shadow copies, which many strains attempt to do).

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully hiding their components on a compromised computer to evade removal. Therefore, running an additional security scan will dot the i’s and cross the t’s in terms of the cleanup.

Download Cerber2 ransomware scanner and remover



Cerber3 ransomware removal: how to decrypt .cerber3 virus files


Cerber3, the latest variant of a widespread defiant ransomware that plays an audio warning message to its victims, has started using the .cerber3 extension.

The file-encrypting threat generically dubbed Cerber has been invariably offbeat since it emerged. Its makers pioneered in utilizing .vbs files to literally pronounce their ransom demands via the infested PC’s speakers. While this feature has been preserved in the newest version of this infection, there are several noteworthy differences. First of all, the newcomer appends the .cerber3 extension to one’s personal files and jumbles filenames beyond recognition. For example, it transforms the name of a random document to a bizarre entry similar to uM87p3n3x6.cerber3. The files that contain steps to reinstate these messed up objects have also been modified. Now their names are # HELP DECRYPT #.html, # HELP DECRYPT #.url, and # HELP DECRYPT #.txt. A victim won’t find it hard to locate these ransom notes – they are created on the desktop and within all directories with ciphered data.

Desktop wallpaper set by Cerber3 virus

Just like its forerunners, Cerber3 is being deposited on computer systems by means of contagious email attachments or exploit kits. In the former case, a user receives an email with catchy contents and an enclosed JS file in a ZIP archive. Once you open the attached document, the ransomware gets inside undetected. When an exploit kit is in play, vulnerabilities in software that’s out of date are harnessed to inject the malicious loader. Regardless of the installation mode, the Trojan’s activity on a PC goes a uniform route across all incidents. It starts by running a scan for personal files stored on the local and removable drives as well as mapped and unmapped network shares.
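The email route described above (a JS file inside a ZIP attachment) is easy to screen for at a mail gateway or on a mailbox export. The following added example, which is not Keone Software’s code nor part of any product the post mentions, inspects a ZIP attachment for members with script or executable extensions, treats a disguised double extension such as “invoice.pdf.js” as a stronger signal, and descends one level into nested ZIPs. The sample archives are constructed in memory so the check runs offline.

```python
"""Added example (not Keone Software's code): screen a ZIP e-mail attachment
for script payloads of the kind the post describes. Archives are built in
memory with constructed contents; nothing here is a real lure."""
import io
import zipfile

# Extensions the Windows shell or script host will execute on double-click;
# a "document" carrying one of these is a red flag in an e-mail attachment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".cmd", ".bat", ".ps1", ".lnk"}


def classify_member(name):
    """Return a reason string if the member name looks dangerous, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3:
        # e.g. invoice.pdf.js: a document-looking name with a script extension
        return f"double extension ending in {ext}"
    return f"script/executable extension {ext}"


def scan_zip_attachment(data):
    """Return [(member_name, reason)] for suspicious members of a ZIP blob.
    Nested ZIPs are opened one level deep, with the inner name prefixed by
    'outer.zip!'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
            elif info.filename.lower().endswith(".zip"):
                for name, why in scan_zip_attachment(zf.read(info.filename)):
                    findings.append((info.filename + "!" + name, why))
    return findings


def build_sample_attachment():
    """Constructed lure: a script named to look like a PDF, plus a harmless
    text file. The script body is a placeholder comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2016.pdf.js", "// placeholder script body\n")
        zf.writestr("readme.txt", "plain text\n")
    return buf.getvalue()


def build_nested_sample():
    """Constructed variant: the same lure wrapped in an outer archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs.zip", build_sample_attachment())
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_nested_sample()):
        print(f"BLOCK {member}: {reason}")
```

Because the check only reads member names and never executes or extracts anything to disk, it is safe to run in a quarantine pipeline; the trade-off is that a password-protected archive hides nothing from it but cannot be descended into.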

Ransom notes and encrypted .cerber3 files in a folder

The totality of data detected during the scan is subject to lightning-fast encoding. The Advanced Encryption Standard (AES) is the instrument that the perpetrators are banking on in this regard. This symmetric cryptosystem, if implemented the right way, is an insurmountable obstacle to recovery. Having completed the data encryption and filename scrambling part of its mission, Cerber3 generates a sinister audio alert, sets a new desktop background with some basic warning text, and drops the above-mentioned combo of # HELP DECRYPT # ransom instructions. From these documents, the victim will learn that they have to navigate to a Tor (The Onion Router) gateway. The Cerber Decryptor landing page provides the infected user with their personal restoration details, including the size of the ransom and the amount of time left before the fee will double. The original ransom valid during the first 5 days is 0.7154 BTC, or about $400. If the deadline condition isn’t met, it goes up to 1.4308 BTC.

Cerber3 ransomware attack is a tough-to-handle predicament. There is no free decryptor available for this strain. If paying up to the threat actors is an unacceptable option, be sure to try the tips below that reflect some potentially helpful forensic techniques.

Automatic removal of Cerber3 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .cerber3 files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by Cerber3 ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud backups work wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of Cerber3 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t vanish completely: the deleted data stays on the disk until it is overwritten and can be retrieved with certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try, ideally before anything else is written to the drive.

Download Data Recovery Pro
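To show what the data recovery tools recommended under “Option 2” actually do at the byte level (the same option appears in the CryptXXX, CTB Locker, Cerber, Cerber2 and Cerber3 write-ups above), here is an added example that is neither Keone Software’s code nor Data Recovery Pro’s: a minimal signature-based carver run over a constructed raw volume image. A deleted file’s directory entry is gone, but its bytes remain in unallocated space, so the carver finds the JPEG and PNG by their header and trailer magic alone. The second helper overwrites the first cluster to show the flip side: once new data lands on those sectors, the file is gone for good, which is why a victim should stop writing to the drive before attempting recovery.

```python
"""Added example (not Keone Software's code): signature-based file carving,
the core technique behind deleted-file recovery tools. The "disk image" is
constructed in memory; the JPEG/PNG bodies are dummy payloads."""
import struct
import zlib

# (kind, header magic, trailer magic); PNG's IEND chunk is followed by a CRC.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND"),
]
PNG_TRAILER_EXTRA = 4


def carve(image):
    """Return [(kind, offset, length)] for every file found by header/trailer
    scan, sorted by offset. No file-system metadata is consulted."""
    found = []
    for kind, head, tail in SIGNATURES:
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head))
            if end < 0:
                break
            end += len(tail) + (PNG_TRAILER_EXTRA if kind == "png" else 0)
            found.append((kind, start, end - start))
            pos = end
    return sorted(found, key=lambda f: f[1])


def fake_jpeg(payload):
    """SOI + APP0 marker, dummy body, EOI: enough structure for the carver."""
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"


def fake_png(payload):
    """PNG signature, one IDAT chunk and a proper IEND chunk with CRCs."""
    def chunk(name, body):
        crc = zlib.crc32(name + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + name + body + struct.pack(">I", crc)
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IDAT", payload) + chunk(b"IEND", b"")


def build_image(cluster=512):
    """Constructed raw volume: three files, each starting on a cluster
    boundary with zeroed slack between them, and no directory entries, i.e.
    what a drive looks like after the originals were deleted."""
    files = [fake_jpeg(b"A" * 100), fake_png(b"B" * 300), fake_jpeg(b"C" * 50)]
    image = bytearray()
    for f in files:
        image += f
        image += b"\0" * (-len(image) % cluster)
    return bytes(image)


def overwrite_first_cluster(image, cluster=512):
    """Simulate new data landing on the first file's cluster: its header is
    destroyed and the carver can no longer recover it."""
    return b"\xaa" * cluster + image[cluster:]


if __name__ == "__main__":
    img = build_image()
    print("intact image:", carve(img))
    print("after overwrite:", carve(overwrite_first_cluster(img)))
```

Real tools add validation (parsing the JPEG segment table, checking PNG chunk CRCs) to reject false positives and to handle fragmented files; the header/trailer scan above is the part that explains why recovery is possible at all and why it fails once clusters are reused.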

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered (unless the ransomware has deleted the shadow copies, which many strains attempt to do).

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully hiding their components on a compromised computer to evade removal. Therefore, running an additional security scan will dot the i’s and cross the t’s in terms of the cleanup.

Download Cerber3 ransomware scanner and remover


Fantom ransomware removal: how to decrypt .fantom files virus


Get viable methods to recover files encrypted by Fantom, a ransomware sample that displays a fake Windows update screen to conceal the data encryption process.

Operating system updates are occurrences that users take for granted, as they are tasked with enhancing Windows stability and security. Cyber-threat actors, in their turn, have devised a way to take advantage of this inherent trust in order to achieve their offending objectives. Having surfaced in late August, the strain of ransomware dubbed Fantom has had big success in contaminating computers on a large scale. The gist of this extortion campaign is disguising the data encryption process as a critical OS update. As a result, the targeted people take their time and patiently wait for the routine to go all the way while their irreplaceable data is actually being scrambled with an unbreakable crypto algorithm.

Rogue Windows update screen by Fantom ransomware

According to extensive analysis of its code, the Fantom ransomware is based on EDA2, an open-source project originally intended as an educational initiative. This questionably benign contrivance by Turkish security enthusiast Utku Sen has already called forth serious security concerns, because ransomware distributors around the globe have been heavily harnessing it to craft real-world infections. The same applies to Fantom – it leverages the AES-128 cryptographic system to lock a victim’s personal files, concatenates the .fantom extension to each one, and then demands a ransom to restore the data. Flower.jpg.fantom is an example of what an arbitrary file will look like after being processed by the virus.

Fantom drops DECRYPT_YOUR_FILES.html ransom note

The fact that the Fantom executable pretends to be a critical Windows update and even bears some formal properties thereof is a problem, because security software running on the PC is less likely to identify it as malware. While the phony update progress is presented to the victim, the infection scours all data repositories for files with certain extensions that may indicate that they are important to the user. Fantom scans fixed drive volumes, removable drives such as memory sticks or other external hardware, and network shares. When the totality of personal entries have been found, the ransomware uses a previously generated 128-bit AES key to encode them. Unfortunately, this secret key is nowhere to be found on the machine itself – instead, it is stored on the cybercrooks’ C2 server.

Fantom ransomware warning screen

Then, the ransom Trojan enters the active user interaction phase. It creates a document named Decrypt_Your_Files.html inside every single folder with ciphered contents. This ransom note contains decryption instructions and provides the user’s unique ID key. According to the file, which is written in poor English, the victim needs to send their enclosed ID to fantomd12@yandex.ru or fantom12@techemail.com. The con artists will then respond with further steps regarding how much and in what way to pay the ransom. To prove that the decryption service actually works, the perpetrators offer free recovery of 2 small files.

To add insult to injury, Fantom ransomware also replaces the desktop wallpaper with a warning screen that says, “All files are encripted!!! [sic]” and provides the same email addresses as in Decrypt_Your_Files.html file. The numerous spelling and grammar errors, however, don’t make this crypto infection any less sophisticated. Security researchers have not managed to create a free decryptor for this sample, consequently victims have to either pay the ransom or try a couple of alternate methods to get their data back.

Automatic removal of .fantom virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .fantom files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .fantom files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Fantom virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that a file erased from a computer doesn’t completely vanish: its contents remain on the storage medium until overwritten and can be recovered via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Fantom ransomware scanner and remover

The post Fantom ransomware removal: how to decrypt .fantom files virus appeared first on Keone Software.

Remove ODIN virus ransomware – decrypt .odin files

This write-up provides an extensive analysis of the Odin ransomware, including details about its encryption routine and ways to restore .odin files.

Imagine a mishap where some unknown entity denies access to all valuable files on one’s Windows computer all of a sudden. Looking into the issue for a minute or two reveals that the impact is selective as it only applies to personal data and keeps system executables intact. Furthermore, no hardware failure is in place. The only thing that causes this sort of damage is crypto ransomware such as Locky that is now changing the file extensions to .odin.

This sample attacks a PC via a spam email attachment, finds the victim’s sensitive files, encrypts them with the RSA and AES algorithms, and then demands about 300 USD (the amount may vary) paid in Bitcoins for decryption. The byproduct of this process is the concatenation of the .odin string at the end of the filenames. This infection targets about a hundred different file types, which it locates inside a contaminated computer based on their extensions. As a result, most of the important data ends up completely scrambled.

Folder with inaccessible .odin files

The .odin file virus has a far-reaching adverse effect in terms of the attack surface. Not only does it affect data stored on the local hard drive, but it also looks for proprietary information on mapped network shares, cloud drives and removable media. The cryptosystem it uses is an asymmetric cipher with a public-private key pair being generated for every victim. Recovery is, therefore, a function of the availability of the private decryption key. The hurdle here is that this chunk of data resides outside of the plagued PC, so retrieving it is only doable via interacting with the extortionists who run the secret server with the database of keys. This ‘victim – attacker’ communication is indirect, where the user gets decryption instructions in documents named _HOWDO_text.html and _HOWDO_text.bmp.

Inside the Locky ransom messages are weblinks to a site called the Locky Decryptor Page. This page includes details on the quantity of Bitcoins to submit as a ransom, tips on how to buy the Bitcoins, and the Bitcoin address you must forward the payment to. As soon as a target transmits the payment to the designated Bitcoin address, this website will provide an automatic decrypter which can supposedly be leveraged to decrypt the locked files.

However, this is playing with fire, so it’s recommended to get busy trying alternative recovery measures once the breach takes place. The best-case recovery scenario is to have an offsite backup from which the unmodified data can be safely downloaded. If it’s available, make sure the ransomware code proper is completely wiped off the hard drive. Otherwise, the use of Shadow Copies and special recovery tools is worthwhile.

Automatic removal of .odin file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .odin files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .odin files ciphered by Locky ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Locky virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that a file erased from a computer doesn’t completely vanish: its contents remain on the storage medium until overwritten and can be recovered via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .odin virus scanner and remover

The post Remove ODIN virus ransomware – decrypt .odin files appeared first on Keone Software.

.crypted file virus decryption and removal tool

Learn how to minimize the risk when infected with the .crypted file extension virus and what can be done to restore the encrypted data beyond the ransom route.

Whereas the family of crypto lockers called Nemucod doesn’t exhibit any offbeat or particularly high-profile characteristics, the danger emanating from it should not be underestimated. The principal attribute that makes a given piece of ransomware successful is the correctness of the implementation of the cryptographic part of its modus operandi. The .crypted file extension variant of Nemucod is immaculate in this respect. It efficiently leverages the RSA-1024 algorithm to prevent infected users from accessing their personal files. Under the circumstances, the only way to unscramble the data is to get hold of the private RSA key. The threat actors who own this key offer to sell it to the victims for 0.39 Bitcoins, which is equivalent to 240 USD at the time of writing. Consequently, a targeted person has to somehow deal with a bevy of inaccessible files with the .crypted string appended after the original filename and extension.

Folder with inaccessible .crypted files

Speaking of the contamination process, it is trivial by its essence but has a considerable conversion rate. The entities to look out for are files attached to spam. Cybercrooks engaging in online extortion contrive ways to generate big email volumes, where the messages are rogue payroll reports, invoices, traffic violation notifications, curriculum vitae documents or similar. As soon as an unsuspecting recipient double-clicks on the attachment, the execution of .crypted virus on the computer is a matter of seconds. The infection then traverses the local, removable and network-based drives in order to find the most popular types of data. Once it has the list, the crypto workflow takes effect. The structure of every such file is subject to disarrangement through cryptography, with complete inaccessibility being the ultimate objective.

Decrypt.txt ransom manual

The step-by-step recovery tutorial provided by the perpetrators appears on the PC’s desktop as well as in individual folders that contain one or more encoded files. This document is titled DECRYPT.txt. It opens in Notepad and first conveys the following warning message, “All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.39983 BTC.” In a nutshell, the victim needs to create a Bitcoin wallet, buy the right amount of cryptocurrency, send it to a particular Bitcoin address, open a page that hosts the decryptor, and run the tool to restore the data. Interestingly, the decrypt pages are regular websites rather than Tor gateways, unlike most ransomware samples at large. According to the ransom note, the user must submit the digital cash within three days, otherwise the private key will supposedly be deleted from the Command and Control server.

Fortunately, there are restoration methods that do not attempt to break the extremely strong encryption standard. Instead, they revolve around the use of data recovery software or Shadow Volume Copies, the file backups made by the operating system.

Automatic removal of .crypted file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .crypted files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .crypted files ciphered by Nemucod ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Nemucod virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that a file erased from a computer doesn’t completely vanish: its contents remain on the storage medium until overwritten and can be recovered via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .crypted file ransomware scanner and remover

The post .crypted file virus decryption and removal tool appeared first on Keone Software.

Readme.hta virus: decrypt Cerber 4.0 ransomware version

The fourth generation of the Cerber ransomware is underway, dropping the Readme.hta ransom note and appending random extensions to one’s encrypted files.

The lineage of the highly dangerous Cerber ransom Trojan has recently been replenished with a new sample. The fresh spinoff has much in common with the other baddies that have represented this family. In the meanwhile, it also exhibits unique characteristics that allow researchers to flag it as a standalone ransomware edition. The traits with the biggest value analysis-wise include a different take on filename mangling, as well as the new way this infection now instructs its victims on recovery. As opposed to the formerly used uniform “.cerber3” extension, this iteration concatenates a victim-specific random set of four hexadecimal characters to every data object that underwent enciphering. Therefore, a victim may see something like utTNNgp574.96b3 instead of an arbitrary personal file.

Readme.hta and ciphered files are straightforward indicators of compromise

It’s unclear why this additional layer of randomization has been introduced in the latest variant, but it has become an inalienable property of the Cerber ransomware virus. The filename muddling effect, by the way, is identical to the way the predecessor would handle hostage files: the Trojan replaces the original filename with a gibberish 10-character string. This wouldn’t pose much of a problem if it weren’t for the fact that each entry is also encrypted. So, editing filenames, which seems like a no-brainer, is also a no-go as far as data restoration is concerned. Cerber v4 leverages an unbreakable crypto routine to scramble one’s files. Although the Advanced Encryption Standard (AES) is considered to be weaker than the asymmetric RSA algorithm, it is still virtually impossible to crack as long as it’s implemented the right way.

Recovery steps listed on the desktop

Another new feature that surfaced in the current version of Cerber is the way it provides the walkthrough to decrypt files. The ransom manual is no longer a combo of three documents in different formats. Instead, it’s a single file called Readme.hta. Because this is, in essence, an HTML application, it delivers some degree of user interaction. For instance, an infected person can now select their native language inside the interface. The rest of the instructions have hardly changed. The extortionists still upsell a tool named “Cerber Decryptor” via a secure Tor page. Therefore, victims are told to install the Tor Browser Bundle and visit their personal page – a choice of three corresponding URLs is provided in the Readme.hta pane.

The Cerber Decryptor page displays down-to-earth details on data reviving options. The original ransom amount to submit is 1 Bitcoin, or about 600 USD. That’s a “special price” valid for five days since the encryption event. After the deadline, the ransom doubles and thus reaches 2 Bitcoin. For the user to keep track of the time left, the page contains a graphical countdown component. All in all, this is still a nearly immaculate compromise that’s hard to tackle after the fact. Fortunately, there are several applicable methods to unencrypt the locked random extension files. Keep reading this post to learn more.

Automatic removal of the Readme.hta (Cerber) virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Readme.hta virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Readme.hta ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Cerber virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that a file erased from a computer doesn’t completely vanish: its contents remain on the storage medium until overwritten and can be recovered via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Readme.hta virus ransomware scanner and remover

The post Readme.hta virus: decrypt Cerber 4.0 ransomware version appeared first on Keone Software.

.THOR file virus ransomware decryptor and removal

The .thor extension denotes files encrypted by a new variant of Locky ransomware, which now creates _WHAT_is.html/.bmp ransom notes and demands 0.5 Bitcoins.

What is .THOR file virus?

The nuts and bolts of the illegal ransomware business is to distribute a Trojan that encrypts one’s personal data and then demand cryptocurrency for decryption. There are numerous families of these infections prowling the Internet. The Locky breed is currently somewhere on the apex of the digital extortion food chain. It has spawned five different versions since February 2016. The one dubbed Thor is the latest iteration, having emerged in late October and rapidly picking up the pace over the last few days. This edition got its name from the .thor extension that it affixes to the targeted files. Like its antecedent, it also drastically changes filenames, that is, the values that precede the extensions. Ultimately, Thor will turn a victim’s regular document, image, video or database into something like SU7DRHCB-EG3N-Y5GZ-00F1-6E1D0931FA25.thor.

_WHAT_is.html ransom note and desktop wallpaper changed by Thor virus

Recovery manuals tend to change with every new version of Locky. This new variant creates several editions of the ransom notes, namely _WHAT_is.html, _WHAT_is.bmp, and _[random_number]_WHAT_is.html (e.g. _71_WHAT_is.html). The first two appear on the desktop, and the one with a numeric value in its name is added to individual folders. The essentials of these instructions include the warning proper, according to which the user’s files are encrypted with the RSA-2048 and AES-128 ciphers. Unfortunately, this is a truthful statement, therefore brute-forcing the private keys is not a realistic undertaking. Furthermore, the victim gets a couple of .tor2web.org and .onion.to links that resolve to the Locky Decryptor page. Be advised these are only accessible via the Tor Browser, which anonymizes online connections.

Locky Decryptor page with ransom payment tips

The aforementioned personal page is intended to streamline the process of paying the ransom. The bad guys leverage it to upsell a tool called the Locky Decryptor, where the price may vary but usually won’t exceed 0.5 Bitcoins. The use of digital cash is another anonymization component of the extortion routine that keeps the criminals from being tracked down and busted.

The circulation of the Thor ransomware in the wild is not as technically sophisticated as one might imagine. Rather than employ complex hacking techniques, the threat actors rely on social engineering and thus exploit human vulnerabilities, so to speak. It turns out, this vector has a high rate of successful malware installations. The spreading framework engages a massive phishing campaign. The targeted users receive legit-looking emails camouflaged as receipts, invoices, delivery reports and the like. Once a user double-clicks on the attached file, a covert VBS or JS script will download the Thor virus to the machine. The rest of the attack is mostly a matter of a series of obfuscated events that the victim isn’t likely to thwart. The Trojan scans the computer and the network for personal files, encrypts them and starts alerting the user via its ransom notes.

Although none of the Locky versions has been decryptable for free, and Thor is no exception, there is a glimmer of hope that users can get their files back. Use the self-help sections below to see if you can restore .thor files without paying up.

Automatic removal of the .thor virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .thor files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .thor files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Thor (Locky) virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that a file erased from a computer doesn’t completely vanish: its contents remain on the storage medium until overwritten and can be recovered via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.
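Before reaching for Previous Versions or Shadow Explorer, as Option 3 in this post and in the preceding ones recommends, it helps to know whether any shadow copy actually predates the encryption: a snapshot taken after the files were scrambled holds only the .thor (or .fantom, .odin, .crypted) versions. The script below is an added example, not part of the post and not code from Shadow Explorer or any linked tool. It parses the text that `vssadmin list shadows` prints on Windows and reports, per volume, the snapshots created before a chosen compromise time (for instance the modification time of the first renamed file). The listing embedded in it is constructed sample output in the layout of that command as I know it from Windows 10, and the timestamp parsing assumes the US locale; on a real machine, run the command from an elevated prompt and pass its output to parse_vssadmin.

```python
"""Find shadow copies that predate a ransomware infection.

Added example. SAMPLE_LISTING is constructed in the layout of `vssadmin list
shadows` (Windows 10, US locale); the timestamp format is assumed accordingly.
"""
import re
from datetime import datetime

SAMPLE_LISTING = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 10/20/2016 7:00:05 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (D:)\\?\Volume{dddddddd-dddd-dddd-dddd-dddddddddddd}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 10/25/2016 8:12:40 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 10/29/2016 9:30:00 AM
      Shadow Copy ID: {eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Each shadow copy set is announced by a "creation time" line followed by the copies it contains.
CREATED_RX = re.compile(r"creation time:\s+(.+\S)\s*$")
SHADOW_ID_RX = re.compile(r"^Shadow Copy ID:\s+(\{[0-9a-fA-F-]+\})")
ORIGINAL_RX = re.compile(r"^Original Volume:\s+\(([A-Z]:)\)")
DEVICE_RX = re.compile(r"^Shadow Copy Volume:\s+(\S+)")


def parse_vss_time(text):
    """Parse the US-locale timestamp vssadmin prints, e.g. '10/25/2016 8:12:40 PM'."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def parse_vssadmin(listing):
    """Return one {"id", "created", "volume", "device"} dict per shadow copy in the listing."""
    snapshots, created, current = [], None, None
    for raw in listing.splitlines():
        line = raw.strip()
        m = CREATED_RX.search(line)
        if m:
            created = parse_vss_time(m.group(1))   # applies to the copies that follow
            continue
        m = SHADOW_ID_RX.match(line)
        if m:
            current = {"id": m.group(1), "created": created, "volume": None, "device": None}
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = ORIGINAL_RX.match(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = DEVICE_RX.match(line)
        if m:
            current["device"] = m.group(1)
    return snapshots


def restore_candidates(snapshots, compromise_time):
    """Group the snapshots taken strictly before compromise_time by volume, newest first."""
    by_volume = {}
    for snap in snapshots:
        if snap["created"] is not None and snap["created"] < compromise_time:
            by_volume.setdefault(snap["volume"], []).append(snap)
    for snaps in by_volume.values():
        snaps.sort(key=lambda s: s["created"], reverse=True)
    return by_volume


if __name__ == "__main__":
    # Constructed compromise time: the first .thor file appeared on 28 Oct 2016 at 3:00 PM.
    cutoff = parse_vss_time("10/28/2016 3:00:00 PM")
    usable = restore_candidates(parse_vssadmin(SAMPLE_LISTING), cutoff)
    if not usable:
        print("no shadow copy predates the infection; Previous Versions has nothing to offer")
    for volume, snaps in sorted(usable.items()):
        for s in snaps:
            print(f"{volume} snapshot {s['created']:%Y-%m-%d %H:%M} -> {s['device']}")
```

The device path reported for each usable snapshot is what Shadow Explorer browses under the hood; if restore_candidates returns an empty dictionary, every remaining snapshot was taken after the encryption and the Previous Versions tab will only show ciphered copies.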

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Thor ransomware scanner and remover

The post .THOR file virus ransomware decryptor and removal appeared first on Keone Software.

How to decrypt .zzzzz files virus: Locky/zzzzz ransomware


Files with .zzzzz extension are inaccessible because they are encrypted by the latest version of the Locky ransomware, which requests Bitcoins for decryption.

What is .zzzzz file ransomware?

It’s difficult to question the usefulness of cryptography. It has numerous benign applications in the realm of safeguarding sensitive data. The evolution of malicious software, however, caused this conventional state of things to turn upside down. When the scourge of ransomware emerged on the computer threats arena, it became obvious that the inherent strength of cryptographic algorithms had the evil potential to wreak havoc with users’ proprietary files rather than protect them. One of the data-encrypting hoaxes called Locky has become a buzzword that denotes an uncrackable ransomware on steroids. This family tends to continuously mutate, with distinct tweaks being made to its code and activity patterns every so often. In the course of the most recent update, Locky has assumed the form of a crypto infection that adds the .zzzzz extension to one’s files and drops the -INSTRUCTION.html and -INSTRUCTION.bmp ransom notes.

Multiple .zzzzz files and -INSTRUCTION.html ransom notes

The way the Locky/zzzzz ransomware infiltrates computers isn’t a matter of reinventing the wheel. Its operators are really good at social engineering, so they opt for a payload distribution tactic that relies entirely on human curiosity and gullibility. The carrier of the contagion is spam that delivers a ZIP archive with a malicious JavaScript file inside. The bad guys may disguise this attachment as a spam mailout log detailing the alleged offending activity from the recipient’s email account. There are other themes of these tricky messages, including bogus local company representation offers, CVs, receipts, invoices, paychecks and the like. A standalone campaign is currently being conducted via Facebook, where users receive a malware-tainted .svg image that downloads the crypto baddie when opened.

The Zzzzz ransomware still redirects victims to invariable Locky Decryptor page

The Zzzzz virus sweeps across a computer as soon as the compromise has taken place. It scans the hard drive, removable media and all cloud drives for hundreds of data formats in order to locate the entries that matter to the victim the most. All files that match the ransomware’s built-in list of targeted extensions then become crippled through the use of two different cryptosystems. The virus utilizes the RSA-2048 and AES-128 standards to make it impossible for the user to open, edit or otherwise process their personal files. On the outside, the changes are drastic as well: filenames get substituted with weird-looking strings of 32 hexadecimal characters suffixed with .zzzzz.

The ransomware creates the aforementioned -INSTRUCTION.html and -INSTRUCTION.bmp files on the desktop to tell the victim what they must do to decrypt their information. Additionally, a document named _[random_digits]-INSTRUCTION.html will be dropped into encrypted folders. According to these manuals, the user is supposed to download and install the Tor Browser bundle, copy and paste their personal recovery link into this anonymous web navigation client, and then follow the steps listed on the site called Locky Decryptor. In a nutshell, the buyout deal implies paying 0.5 Bitcoin to a specified cryptocurrency wallet and then downloading the automatic decryption software. No one can guarantee that the procedure will be as smooth as this, so think twice before submitting the money to the attackers. Try a few workarounds instead (see below). The applicable restoration methods revolve around forensic tools and file snapshots made by Windows earlier.

Automatic removal of the .zzzzz virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .zzzzz files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .zzzzz files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote location, just use the restore feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
Research into the Zzzzz virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be recovered from the drive via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or entire volumes as snapshots. One critical prerequisite is that the System Restore feature be turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to recover the file to its original location, or click Copy and specify a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .ZZZZZ file ransomware scanner and remover

The post How to decrypt .zzzzz files virus: Locky/zzzzz ransomware appeared first on Keone Software.


OSIRIS virus: files decryption and ransomware removal


Although the authors of the new Osiris ransomware sell their decryptor to victims for Bitcoins, it may be possible to restore .osiris files in a different way.

What is OSIRIS ransomware?

The lineage of the Locky ransomware derivatives has been supplemented with another sample lately. The currently active incarnation of this uncrackable strain uses the .osiris extension to brand all encrypted files, hence the name of the edition. The new extension, though, is not the only change visible to the naked eye. The Osiris variant also leaves a different set of ransom notes. As opposed to the previous iteration, the ransomware now uses a single format for the data recovery manual. It creates help files called OSIRIS-[4_chars].htm, where the variable string is composed of random hexadecimal characters. Yet another evident alteration is the pattern of jumbled filenames, which now consist of 5 groups of characters separated by double hyphens.

Osiris ransomware attack is a scary predicament

Just like before, the Osiris file virus embeds a graphical edition of the ransom note into the victim’s preferred desktop wallpaper. The scary effect from this activity is intended to make the infected user scrutinize the decryption steps even if they don’t open the HTM ransom notes. According to the walkthrough, the recovery presupposes that the user installs Tor Browser and visits their personal Locky Decryptor Page. The use of this particular browser, rather than a regular one, makes the traffic anonymous and therefore keeps the attackers from being tracked down.

When on the Locky Decryptor Page, the victim will see a bunch of links to Internet resources that provide Bitcoin exchange services. By purchasing 0.5 BTC and sending the cryptocurrency to the adversary’s Bitcoin address, the user will supposedly be able to get the automatic decryption tool that’s claimed to reinstate all the .osiris files on the plagued computer.

Locky Decryptor Page design

The Osiris ransomware is spreading via a social engineering hoax. The threat actors in charge have launched a massive spam campaign disseminating contagious Excel documents to thousands of people around the globe. The spreadsheet attached to these emails is disguised as an invoice. If a user chooses to open this .xls file, what they will see is a blank document that generates a security warning. This notification says that macros have been disabled and prompts the user to click the “Enable Content” button. By hitting this button, the victim unwittingly activates a macro that downloads a DLL installer of the Osiris infection.

Unfortunately, the cryptographic side of Osiris is immaculate. Therefore, there is no way to circumvent the RSA-2048 and AES-128 algorithmic hurdle unless the private RSA key is added to the mix. This decryption key resides offsite, so the attacker is the only one who has it. Nevertheless, it may be possible to get .osiris files back by means of alternative recovery mechanisms.

Automatic removal of the Osiris virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .osiris file virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .osiris files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote location, just use the restore feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
Research into the Osiris virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be recovered from the drive via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or entire volumes as snapshots. One critical prerequisite is that the System Restore feature be turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to recover the file to its original location, or click Copy and specify a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Osiris ransomware scanner and remover

The post OSIRIS virus: files decryption and ransomware removal appeared first on Keone Software.

Decrypt Cryptolocker 2016 virus ransomware


A new 2016 version of the Cryptolocker virus is in rotation, leaving ‘Your files are locked !.txt’ ransom notes and providing an email address for more instructions.

What is Cryptolocker virus?

The cybercriminals engaging in today’s most nefarious rip-off scheme don’t seem to stop coining spinoffs of Cryptolocker, one of the earliest samples of file-encrypting ransomware. Its reputation, obviously, encourages crooks to follow suit and even dub their perpetrating products the same way. The latest contrivance in the range of these copycats is a Cryptolocker variant that creates ransom notes called “Your files are locked !.txt”. The user interface of this sample also contains a couple of support emails, which may include suppteam03@india.com, suppteam03@yandex.com, suppcop@india.com, or suppcop@yandex.ru. The ransomware pane also features a ticking timer that indicates the deadline for paying the ransom so that the victim’s files can be decrypted. Interestingly, filenames do not change as a result of this attack.

New Cryptolocker ransomware window

Researchers have labeled this particular strain as PClock. It intimidates the infected users with a warning that reads

Your personal files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt your files you need to obtain the private key.

Unfortunately, this alert does reflect the actual state of things. The new Cryptolocker 2016 leverages a strong asymmetric cryptosystem that cannot be cracked unless a unique private key is at the victim’s disposal. This chunk of data resides on a criminal-controlled server. So the compromise is certainly a huge predicament that results in the inaccessibility of an infected user’s personal data.

Your files are locked !.txt ransom manual

Computer users reportedly discover that their files have become locked after they visit their usual sites, including social networks, anime web pages and other resources providing streaming content. This fact points to a drive-by vector of the attacks. Most of the time, the would-be victims get persistent popups from the page they are on. This is a way to disguise the malicious payload as some routine request that needs authorization. In some cases, though, the ransomware arrives with spam. The attachments, which are disguised as payrolls, receipts, complaints and the like, evoke the recipients’ natural curiosity. Once opened, they execute the infection.

Again, the criminals in charge of the updated Cryptolocker 2016 implement the cryptographic part of their attacks professionally. Therefore, experts have not found any algorithmic flaws as of yet, which means that data decryption isn’t possible unless the user has the relevant RSA key. The ransom walkthroughs explicated in “Your files are locked !.txt” documents tell the victim to submit 0.55-0.85 Bitcoin to their wallet. Then, the user is supposed to send an email to one of the support addresses in the ransom notes (suppteam03@india.com, suppteam03@yandex.com, suppcop@india.com, or suppcop@yandex.ru) in order to get further directions from the threat actors. Rather than start with this method, though, it’s recommended to try alternative techniques first. See below for details.

Automatic removal of Cryptolocker (Your files are locked !.txt) virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Cryptolocker removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Cryptolocker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote location, just use the restore feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
Research into the Cryptolocker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be recovered from the drive via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or entire volumes as snapshots. One critical prerequisite is that the System Restore feature be turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to recover the file to its original location, or click Copy and specify a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Cryptolocker virus scanner and remover

The post Decrypt Cryptolocker 2016 virus ransomware appeared first on Keone Software.

Crypt0L0cker virus decrypt and removal tool


Get up-to-date information about the latest edition of the Crypt0L0cker ransomware and restore random 6-character extension files encrypted by this infection.

What is Crypt0L0cker ransomware?

Crypt0L0cker is one of the oldest copycats of the ransomware strain that came to denote file-encrypting malware as such. Its prototype, called CryptoLocker, is associated with the first major outbreak of this class of malware in general. Discovered back in 2013, the infrastructure behind the original variant was dismantled in the course of a law enforcement effort dubbed Operation Tovar in May 2014. However, the malicious business model ended up moving on afterwards. The most harmful and widespread successor in this bad craft was Crypt0L0cker, also known as TorrentLocker. Several iterations of this sample have been spotted in the wild over the past two years. One of them appended one’s files with the .encrypted extension, another one used the .enc string instead.

HOW_TO_RESTORE_FILES.html ransom note by the new Crypt0L0cker

The most recent Crypt0L0cker campaign was unleashed in late November 2016. It’s steadily gaining momentum as of now. Having encoded personal files on a computer, the infection concatenates a random 6-character extension to every ciphered entry. The original filename and extension stay unchanged, so the renaming algorithm returns a file structure like this: document.docx.nhewpz. In contrast to some of the prevalent ransomware specimens out there which completely scramble filenames, this onslaught doesn’t prevent victims from working out what items have been affected. Nevertheless, the data is encrypted with a military-grade cryptographic standard that doesn’t yield to commonplace recovery mechanisms.

Crypt0L0cker leaves ransom notes called HOW_TO_RESTORE_FILES.html and HOW_TO_RESTORE_FILES.txt. The infected users won’t find it difficult to locate them as they will appear both on the desktop and inside encrypted paths on the machine. These manuals contain the following warning:

Warning
We have encrypted your files with Crypt0L0cker virus

– a really straightforward way to explain what happened. Their main objective, though, is to instruct victims how they can get their precious data back. Infected users are effectively expected to buy the decryption for Bitcoins. The ransom is payable through a secret Tor (The Onion Router) page, with the URL being provided in the ransom notes. The recovery page indicates the amount of cryptocurrency for the buyout, which is typically somewhere between 0.5-1 BTC.

The way this crypto malady spreads is a no-brainer. The felons at the helm of the new campaign spawn numerous variants of spam emails to deliver the ransomware payload. Because these messages look like regular ISP notifications, invoices, newsletters or subscription cancellation requests, quite a few recipients get curious and open the malign attachments. This is an ambush that will get the unsuspecting user infected in no time. If Crypt0L0cker has sneaked its way into a PC, chances are the files will be restored via forensic techniques.

Automatic removal of Crypt0L0cker virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Crypt0L0cker virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Crypt0L0cker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Cloud storage works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote location, just use the restore feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
Research into the Crypt0L0cker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be recovered from the drive via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or entire volumes as snapshots. One critical prerequisite is that the System Restore feature be turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to recover the file to its original location, or click Copy and specify a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.
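Before spending time in Previous Versions or Shadow Explorer, it is worth checking whether any VSS snapshots survived the attack at all, and which of them were taken before the encryption started (a snapshot taken afterwards only holds the encrypted copies). The following script is an added example, not code from the Keone Software posts: it parses the text that `vssadmin list shadows` prints on an English-locale Windows system (run from an elevated prompt) and keeps only the snapshots of a given drive that predate the moment the ransom notes appeared. SAMPLE_OUTPUT, the machine name, the GUIDs and INFECTED_AT are all constructed for the example.

```python
"""
Check whether the VSS snapshots that the Shadow Copies option depends on are
still present, and which of them predate the attack. Added example, not from
the posts. SAMPLE_OUTPUT is constructed in the layout that
`vssadmin list shadows` prints on an English-locale Windows system; on a real
machine capture that text with subprocess from an elevated prompt.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {3c6f3a5e-1111-2222-3333-444455556666}
   Contained 1 shadow copies at creation time: 11/28/2016 9:05:14 PM
      Shadow Copy ID: {7a1d0e2b-aaaa-bbbb-cccc-ddddeeeeffff}
         Original Volume: (C:)\\?\Volume{0f1e2d3c-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {9e8d7c6b-1111-2222-3333-444455556666}
   Contained 1 shadow copies at creation time: 12/2/2016 8:30:00 AM
      Shadow Copy ID: {5b4a3928-aaaa-bbbb-cccc-ddddeeeeffff}
         Original Volume: (C:)\\?\Volume{0f1e2d3c-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_shadows(text: str) -> List[Dict[str, object]]:
    """One record per shadow copy: id, created, volume (drive letter), device."""
    shadows: List[Dict[str, object]] = []
    created: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Contained \d+ shadow copies at creation time: (.+)$", line)
        if m:
            # US date layout as printed by an English-locale vssadmin (assumption)
            created = datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = re.match(r"Shadow Copy ID: (\{[0-9a-fA-F-]+\})$", line)
        if m:
            shadows.append({"id": m.group(1), "created": created})
            continue
        m = re.match(r"Original Volume: \(([A-Za-z]:)\)", line)
        if m and shadows:
            shadows[-1]["volume"] = m.group(1).upper()
            continue
        m = re.match(r"Shadow Copy Volume: (\S+)$", line)
        if m and shadows:
            shadows[-1]["device"] = m.group(1)
    return shadows


def usable_snapshots(text: str, volume: str, infected_at: datetime) -> List[Dict[str, object]]:
    """Snapshots of `volume` taken before the attack. Later snapshots already
    contain the encrypted copies, so they are useless for recovery."""
    return [s for s in parse_shadows(text)
            if s.get("volume") == volume.upper()
            and s["created"] is not None and s["created"] < infected_at]


# Constructed: the time the ransom notes first appeared on the machine.
INFECTED_AT = datetime(2016, 12, 1, 14, 0)

if __name__ == "__main__":
    for s in usable_snapshots(SAMPLE_OUTPUT, "C:", INFECTED_AT):
        # Each device path is what Previous Versions / Shadow Explorer browse.
        print(s["created"], s["device"])
```

With the constructed output, only HarddiskVolumeShadowCopy3 (taken on 28 November) qualifies; the 2 December snapshot postdates the infection and would only give back .nhewpz files. If the command returns no shadow copy sets, System Restore was off or the snapshots have since been purged, and Option 3 cannot help.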

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Crypt0L0cker scanner and remover

The post Crypt0L0cker virus decrypt and removal tool appeared first on Keone Software.

.Wallet file virus: decrypt and remove Dharma ransomware


Over the past few weeks, numerous computer users have been reporting ransomware attacks where files are encrypted and appended with the .wallet extension.

The concatenation of certain strings to filenames is one of the most explicit symptoms of a crypto ransomware compromise. This tactic is used to flag data entries that the troublemaking software holds hostage. Although this is an annoying encounter, it’s merely a concomitant effect. The inaccessibility of one’s personal information poses a much more serious predicament. Nonetheless, these extensions are like fingerprints and can shed light on the specific ransomware sample a user is confronted with. By knowing the strain, it may be possible to find a data restoration workaround. The .wallet extension, for instance, denotes the so-called Dharma ransomware family. Having encoded a victim’s files, this offending code variant adds the .[email_address].wallet string to each one. For instance, a document named Manual.pdf will assume a shape like Manual.pdf.[amagnus@india.com].wallet.

Encrypted .wallet extension files

There are several other extensions in Dharma’s arsenal, including .zzzzz and .dharma proper. The .wallet suffix, however, is the most widespread one at this point. The list of email addresses prepended to this extension is fairly broad as well. It includes interlock@india.com, amagnus@india.com, stopper@india.com, pay4help@india.com, worm01@india.com, funa@india.com, bitcoin143@india.com, lavandos@india.com, and lavandos@dr.com. The explanation for this is simple: there are multiple concurrent campaigns of Dharma ransomware distribution. Therefore, different cybercriminal groups indicate their contact details right in the crooked filenames. Keep in mind that no matter how illegal this business model is, it constitutes a huge darknet economy with its own affiliates, merchants, intermediaries and other interested parties.

The payload of the .wallet file virus mostly camouflages itself as an eye-catching email attachment, such as an invoice, job offer, banking fraud alert or ISP complaint. In other words, the fraudsters try to social-engineer users into opening the rogue email attachments. As soon as a targeted person opens one of these attached documents, the built-in JavaScript or VBA script instantly sets off the infection chain. Then, the ransomware determines what is to be encrypted on the computer’s hard disk and network shares. To this end, it scans all of these directories for popular formats of data.

The email address embedded in the appended file extension isn’t the only way to find out how to reach the adversary. The .wallet ransomware repeats this information in the Readme.txt ransom notes, which are planted in every folder with encrypted data. A copy will appear on the desktop as well. These notes with the decryption walkthrough are rather concise, only telling the victim that they got attacked and providing the email address to contact the hackers. Despite the fact that users can negotiate the size of the ransom, it normally won’t be lower than 1 Bitcoin. Instead of paying up and supporting the online extortion frenzy, first try the methods highlighted below.
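The naming rules described in these posts (32 hex characters plus .zzzzz for Locky, five double-hyphen-separated groups plus .osiris, the original name plus .[email].wallet for Dharma, the original name plus a random six-letter suffix for Crypt0L0cker, and the ransom-note names each family drops) are exactly the fingerprints a responder uses to identify the strain before picking a recovery route. The script below is an added example, not code from Keone Software, that turns those rules into a small triage tool for a directory listing. The Crypt0L0cker check is a heuristic that requires a common document extension in front of the suffix, the hyphenated 8-4-4-4-12 form of the .zzzzz name is an assumed variant beyond what the post states, and SAMPLE_LISTING is constructed rather than taken from a real incident.

```python
"""
Filename triage for the ransomware families described in these posts.
Added example (not Keone Software's own code): classifies a directory listing
by the ransom-note names and renamed-file patterns the posts quote, so a
responder can tell which family hit a machine or share before choosing a
recovery route. SAMPLE_LISTING is constructed, not from a real incident.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Ransom-note file names, matched case-insensitively on the basename:
# -INSTRUCTION.html/.bmp and _<digits>-INSTRUCTION.html (Locky/zzzzz),
# OSIRIS-<4 hex>.htm (Osiris), "Your files are locked !.txt" (PClock),
# HOW_TO_RESTORE_FILES.html/.txt (Crypt0L0cker), Readme.txt (Dharma).
RANSOM_NOTES = [
    ("Locky/zzzzz",  re.compile(r"^(_\d+)?-INSTRUCTION\.(html|bmp)$", re.I)),
    ("Locky/Osiris", re.compile(r"^OSIRIS-[0-9a-f]{4}\.htm$", re.I)),
    ("PClock",       re.compile(r"^Your files are locked !\.txt$", re.I)),
    ("Crypt0L0cker", re.compile(r"^HOW_TO_RESTORE_FILES\.(html|txt)$", re.I)),
    # Readme.txt is a common benign name too, so on its own it is weak evidence.
    ("Dharma",       re.compile(r"^Readme\.txt$", re.I)),
]

# Extensions a Crypt0L0cker victim file keeps in front of its random suffix
# (document.docx.nhewpz). Heuristic list; extend it for your environment.
DOC_EXT = r"(?:docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip|rar|mp[34])"

RENAMED_FILES = [
    # 32 hex characters then .zzzzz; the hyphenated 8-4-4-4-12 grouping of the
    # same 32 digits is an assumed variant, not taken from the post.
    ("Locky/zzzzz",  re.compile(
        r"^(?:[0-9A-F]{32}"
        r"|[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\.zzzzz$", re.I)),
    # five character groups separated by double hyphens, .osiris extension
    ("Locky/Osiris", re.compile(r"^[0-9A-Z]+(?:--[0-9A-Z]+){4}\.osiris$", re.I)),
    # original name kept, then .[email].wallet or .[email].dharma
    ("Dharma",       re.compile(r"^.+\.\[[^\[\]\s]+@[^\[\]\s]+\]\.(?:wallet|dharma)$", re.I)),
    # original name and extension kept, six random lowercase letters appended
    ("Crypt0L0cker", re.compile(r"^.+\." + DOC_EXT + r"\.[a-z]{6}$")),
]


def basename(path: str) -> str:
    """Last component of a path, splitting on backslash or slash."""
    return re.split(r"[\\/]", path)[-1]


def classify(path: str) -> Optional[Tuple[str, str]]:
    """('note', family) or ('encrypted', family) for a suspicious name, else None."""
    name = basename(path)
    for family, pattern in RANSOM_NOTES:
        if pattern.match(name):
            return ("note", family)
    for family, pattern in RENAMED_FILES:
        if pattern.match(name):
            return ("encrypted", family)
    return None


def triage(paths: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-family counts of ransom notes and renamed files across a listing."""
    counts: Dict[str, Counter] = {}
    for path in paths:
        hit = classify(path)
        if hit is not None:
            kind, family = hit
            counts.setdefault(family, Counter())[kind] += 1
    return {family: dict(c) for family, c in counts.items()}


def likely_family(paths: List[str]) -> Optional[str]:
    """Family with the most renamed files, then the most notes. PClock leaves
    filenames unchanged, so it can only ever be identified by its note."""
    summary = triage(paths)
    if not summary:
        return None
    return max(summary, key=lambda f: (summary[f].get("encrypted", 0),
                                       summary[f].get("note", 0)))


SAMPLE_LISTING = [  # constructed for this example
    r"C:\Users\ann\Documents\-INSTRUCTION.html",
    r"C:\Users\ann\Documents\_1234-INSTRUCTION.html",
    r"C:\Users\ann\Documents\0123456789ABCDEF0123456789ABCDEF.zzzzz",
    r"C:\Users\ann\Documents\FEDCBA98-7654-3210-FEDC-BA9876543210.zzzzz",
    r"C:\Users\ann\Documents\budget.xlsx",
    r"\\fileserver\share\HOW_TO_RESTORE_FILES.txt",
    r"\\fileserver\share\document.docx.nhewpz",
    r"\\fileserver\share\Manual.pdf.[amagnus@india.com].wallet",
    r"\\fileserver\share\Readme.txt",
    r"\\fileserver\share\OSIRIS-1a2f.htm",
    r"\\fileserver\share\A1B2C3D4--E5F6--0A1B--C2D3E4F5--0123456789AB.osiris",
]

if __name__ == "__main__":
    for family, c in triage(SAMPLE_LISTING).items():
        print(f"{family}: {c}")
    print("most likely:", likely_family(SAMPLE_LISTING))
```

Feed it the output of a recursive listing of the affected shares and rank by the renamed-file count rather than by notes alone: notes are copied into every folder, so they inflate quickly, and the Dharma Readme.txt pattern will also match legitimate files. A clean listing returns an empty summary and `likely_family` returns None.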

Automatic removal of the .wallet file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .wallet file virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .wallet files ciphered by the Dharma ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the .wallet virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered from the disk via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically creates backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .wallet ransomware scanner and remover

The post .Wallet file virus: decrypt and remove Dharma ransomware appeared first on Keone Software.

RSA-2048 and AES-128 ciphers ransomware: decrypt and restore


When a ransomware variant called Locky infects a computer, it displays a warning message saying that all files are encrypted with RSA-2048 and AES-128 ciphers.

There are ransomware attack occurrences where online crooks deliberately exaggerate the strength of data encryption in order to make the predicament look scarier than it actually is. Inflating the entropy of the decryption key is a prime example of this manipulation. What about the Locky ransomware case? This strain replaces a victim’s desktop wallpaper with the _WHAT_is.bmp image that says,

“All of your files are encrypted with RSA-2048 and AES-128 ciphers”

Is this alert true? Unfortunately yes. The Locky cyber-baddie first applies the symmetric AES (Advanced Encryption Standard) cryptosystem, which generates a secret key applicable for encoding and decoding alike. To further protect this AES key from being retrieved by a victim, the ransomware then encrypts it using asymmetric RSA-2048 algorithm. This one is yet tougher to crack.

RSA-2048 and AES-128 ciphers as part of the intimidation tactic

It’s quite easy to avoid the Locky ransomware, because its intrusion usually requires certain direct action on a user’s end. More specifically, the contamination won’t take place unless a potential prey opens a booby-trapped email attachment. This infection paradigm involves a botnet-powered spam campaign and malicious scripts delivered with these phishing emails. The payload proper arrives with a ZIP file disguised as a receipt, curriculum vitae, bill, invoice, order information, cancellation request, or job offer. When an unsuspecting recipient unpacks this archive, they will see a random-named JS or VBS file. Once double-clicked, this script triggers the perpetrating code execution routine. Long story short, all it takes to stay away from this crypto infection is to click responsibly, especially when it comes to email attachments.

Locky Decryptor page containing ransom info

Before Locky gets down to encrypting one’s data, it determines what exactly is subject to this encryption. To do so, the ransomware silently scans the hard disk, removable drives and network shares, comparing every file it encounters against a built-in database of popular extensions. Having thus worked out what to scramble, the offending program makes the files inaccessible through the use of the aforementioned RSA-2048 and AES-128 cryptographic standards. Filenames get replaced with 32 characters that are followed by the .zepto, .odin, .thor, .osiris etc. extensions.

Ransom notes called _WHAT_is.html and _WHAT_is.bmp will appear on the desktop and inside affected folders. Their purpose is to notify the infected user what they must do to decrypt their personal data. The final destination in this extortion webwork is a Tor gateway titled the “Locky Decryptor page”. It provides the victim with down-to-earth details regarding the ransom size and the ways to pay it. The amount is typically 0.5 BTC, which equals 357 USD at this point. Every victim who is unwilling to pay this ransom – hopefully that’s the overwhelming majority – should follow some of the best practices of white hat file recovery.
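As an added illustration that is not part of the original posts, here is a small triage script applying the filename indicators described in the two write-ups above: Dharma’s email-tagged .wallet names, Locky’s 32-character names with the .zepto/.odin/.thor/.osiris extensions, and the _WHAT_is ransom notes. The file listing is constructed, and the assumption that Locky’s 32 characters are alphanumeric (possibly hyphen-separated) is mine, not stated on the page.

```python
import re
from collections import Counter
from typing import Optional

# Indicators taken from the write-ups above.
LOCKY_EXTENSIONS = {".zepto", ".odin", ".thor", ".osiris"}
LOCKY_NOTES = {"_what_is.html", "_what_is.bmp"}
DHARMA_EXTENSION = ".wallet"
DHARMA_EMAILS = {
    "interlock@india.com", "amagnus@india.com", "stopper@india.com",
    "pay4help@india.com", "worm01@india.com", "funa@india.com",
    "bitcoin143@india.com", "lavandos@india.com", "lavandos@dr.com",
}
# Assumption: the 32 substituted characters are alphanumeric; hyphens are
# stripped before matching so a dashed layout is tolerated.
LOCKY_NAME = re.compile(r"^[0-9a-z]{32}$")


def classify(path: str) -> Optional[str]:
    """Return 'locky', 'dharma' or None for a single file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in LOCKY_NOTES:
        return "locky"
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return None
    if "." + ext in LOCKY_EXTENSIONS and LOCKY_NAME.match(stem.replace("-", "")):
        return "locky"
    # A .wallet file is only suspicious when a known attacker email is in the name.
    if "." + ext == DHARMA_EXTENSION and any(e in name for e in DHARMA_EMAILS):
        return "dharma"
    return None


def triage(paths):
    """Count hits per family and record the first matching path of each."""
    counts, first = Counter(), {}
    for p in paths:
        family = classify(p)
        if family:
            counts[family] += 1
            first.setdefault(family, p)
    return dict(counts), first


SAMPLE_LISTING = [  # constructed file listing for this example
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9.zepto",
    r"C:\Users\alice\Desktop\_WHAT_is.html",
    r"C:\Users\alice\Pictures\holiday.jpg.[lavandos@dr.com].wallet",
    r"C:\Users\alice\Pictures\notes.wallet",  # benign .wallet file, not flagged
]
```

Run `triage(SAMPLE_LISTING)` over a real directory walk to get a per-family count before deciding which recovery option below applies.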

Automatic removal of the RSA-2048 and AES-128 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download RSA-2048 and AES-128 ransomware removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files encrypted with RSA-2048 and AES-128 ciphers

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the RSA-2048 and AES-128 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered from the disk via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically creates backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download RSA-2048 and AES-128 ciphers virus remover

The post RSA-2048 and AES-128 ciphers ransomware: decrypt and restore appeared first on Keone Software.
