.Conflicker File Virus – Remove and Restore Files (Update April 2017)

This article was written to help you remove the Conflicker ransomware and restore .conflicker encrypted files on your computer.

A ransomware virus has appeared in the wild that borrows its name from the Conficker worm of 2008-2009 (the ransomware spells its own name C_o_N_F_i_c_k_e_r; this article refers to it as Conflicker). Detected in April 2017, the virus encrypts files on the computers it infects and then drops a ransom note named Decrypt.txt, demanding that victims pay a hefty ransom fee (0.5 BTC) to get their files back into a working state. If your computer has been infected by the Conflicker ransomware, we recommend reading the following article thoroughly.

Threat Summary

Name: Conflicker
Type: Ransomware
Short Description: Encrypts important files and demands a ransom payment of 0.5 BTC.
Symptoms: Files are encrypted and given the .conflicker file extension; a ransom note named Decrypt.txt is dropped.
Distribution Method: An exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the obfuscated malware itself.

.Conflicker File Virus – How Does It Spread

To distribute the Conflicker ransomware, the cyber-criminals behind it may combine several different tools: malicious web links, compromised e-mail addresses, fake e-mail accounts, exploit kits, web injectors, fake updates, self-extracting archives and others. These may be driven by spamming software that sends spam e-mails on a massive scale. The spammed messages are usually deceptive and aim to get the user either to open an attachment or to click a malicious web link.

Other methods of spreading this malware may include uploading it to torrent websites or to suspicious or compromised software download sites. There the virus may pose as a legitimate activator for various software, a key generator or a game crack.

.Conflicker Ransomware – Infection Process

The infection is carried out by a dropper or a similar type of intermediary malware that is obfuscated so that it may evade antivirus software. Once the user opens the malicious file or web link, the virus may drop its malicious files into several Windows directories, such as the following (these are the site's shorthand names for the AppData\Roaming, AppData\Local and AppData\LocalLow folders, the system drive, the Windows folder and System32; only %AppData% and %SystemDrive% are real environment variables):

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

Most of the dropped files are executables; the Conflicker ransom note is dropped alongside them. They are reported to be the following:

  • ransomwarefineched.exe
  • Decrypt.txt
  • C_o_N_F_i_c_k_e_r Decryptor.exe
  • winrar Setup 2017.exe
  • winrar 2017.exe
  • conficker.exe

In addition to dropping its malicious files, Conflicker ransomware may modify the Windows Registry, creating malicious values under some of the following sub-keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Once these values are in place, the Conflicker ransomware runs each time Windows boots.

Conflicker ransomware may also perform several other actions, such as deleting backups and Shadow Volume Copies. This can be done by running the vssadmin and bcdedit commands from the Windows Command Prompt in quiet mode, so that the user does not notice.

After this has been completed, the Conflicker ransomware may begin the encryption process.
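The persistence and backup-destruction behaviour described above, turned into detection rules as an added example (this is not code from the original article or from the malware): the script flags process-creation events for the dropped file names the article lists, Run/RunOnce values that point into a user profile or at one of those names, and vssadmin/bcdedit invocations that delete shadow copies or disable recovery. The event lines are constructed to resemble Sysmon process-create and registry-set records flattened into key="value" fields; that flat format, the user-writable-path heuristic and the exact vssadmin/bcdedit command lines are assumptions of this example rather than details taken from the article.

```python
"""Flag Conflicker-style persistence and backup destruction in host events.

Added example; not code from the original article. Input lines are constructed
to resemble Sysmon process-create and registry-set events flattened into
key="value" fields (that format is an assumption of this example).
"""
import re
from dataclasses import dataclass

# File names the article reports as dropped by Conflicker (lower-cased).
KNOWN_DROPPED = {
    "ransomwarefineched.exe",
    "c_o_n_f_i_c_k_e_r decryptor.exe",
    "winrar setup 2017.exe",
    "winrar 2017.exe",
    "conficker.exe",
}

# Run / RunOnce under any hive (Sysmon appends the value name after the key).
AUTORUN_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\",
                        re.IGNORECASE)

# Autostart entries launched from a user profile are unusual for legitimate software.
USER_WRITABLE_RE = re.compile(
    r"%appdata%|%localappdata%|\\appdata\\(roaming|local|locallow)\\|\\users\\[^\\]+\\",
    re.IGNORECASE)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """'type=process image="C:\\x.exe" ...' -> {'type': 'process', 'image': 'C:\\x.exe'}"""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    findings = []
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    if image in KNOWN_DROPPED:
        findings.append(Finding("known_dropped_file", ev["image"]))
    # "vssadmin delete shadows /all /quiet" is the classic shadow-copy wipe.
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        findings.append(Finding("shadow_copy_deletion", cmd))
    # bcdedit used to switch off Windows recovery or hide boot failures.
    if image == "bcdedit.exe" and ("recoveryenabled" in cmd or "bootstatuspolicy" in cmd):
        findings.append(Finding("recovery_disabled", cmd))
    return findings


def check_registry(ev: dict) -> list:
    key, details = ev.get("key", ""), ev.get("details", "")
    if not AUTORUN_RE.search(key):
        return []
    if basename(details) in KNOWN_DROPPED:
        return [Finding("autorun_known_dropped_file", f"{key} -> {details}")]
    if USER_WRITABLE_RE.search(details):
        return [Finding("autorun_from_user_profile", f"{key} -> {details}")]
    return []


def triage(lines) -> list:
    """Run both rule sets over an iterable of event lines; returns Findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process":
            findings.extend(check_process(ev))
        elif ev.get("type") == "registry":
            findings.extend(check_registry(ev))
    return findings


# Constructed sample events (not a real capture).
SAMPLE_EVENTS = [
    'type=process image="C:\\Users\\alice\\AppData\\Roaming\\winrar Setup 2017.exe" cmdline="winrar Setup 2017.exe"',
    'type=process image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    'type=process image="C:\\Windows\\System32\\bcdedit.exe" cmdline="bcdedit /set {default} recoveryenabled no"',
    'type=registry key="HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinRAR" details="C:\\Users\\alice\\AppData\\Roaming\\winrar 2017.exe"',
    'type=registry key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth" details="C:\\Windows\\System32\\SecurityHealthSystray.exe"',
    'type=process image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin list shadows"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.evidence}")
```

Only the first four sample events should produce findings: the legitimate Run entry under System32 and the read-only "vssadmin list shadows" are deliberately included so the rules are seen to stay quiet on them.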

Conflicker Virus – Encryption

The files are encrypted with an encryption algorithm that replaces blocks of their data with ciphertext. Once this is done the files appear corrupt and can no longer be opened. After encrypting each file, Conflicker appends the .conflicker extension to its name.

For the encryption process, Conflicker ransomware may target important user files while carefully avoiding Windows system files, so that the OS stays intact. The targeted files may have the following extensions:

→ .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD files: .DWG .DXF
GIS files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D files: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
(Source: fileinfo.com)

After the encryption process is complete, the Conflicker virus may change the desktop wallpaper of the affected computer and drop a ransom note named Decrypt.txt. Both the wallpaper and the ransom note carry the same message:

C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
#####
Attention! Attention! Attention! Your Files has been encrypted By C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
#####
Send 0.5 Bitcoin To @ 1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS @
#####
If Send 0.5 Bitcoin We will send you the decryption key C_o_N_F_i_c_k_e_r Decryptor
#####

Remove Conflicker Virus and Restore .conflicker Encrypted Files

Before beginning the removal of Conflicker ransomware, we recommend backing up the encrypted files first. After that, follow the removal instructions below. They are designed to help you get rid of the malicious files by first isolating Conflicker in Safe Mode. For maximum effectiveness and proper removal, security experts recommend downloading and installing an advanced anti-malware program; it will remove all malicious files related to Conflicker ransomware and protect the system against future infections as well.

To restore files encrypted by Conflicker ransomware, we advise using the methods in step "2. Restore files encrypted by Conflicker" below. There is no guarantee that all files will be restored, but you may recover a large portion of them, at least until a free decryptor is released.
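The triage the article calls for before removal, as an added example that is not code from the original page: inventory the .conflicker files, confirm by byte entropy that they really are encrypted rather than merely renamed, extract the demanded amount and Bitcoin address from Decrypt.txt, and copy the encrypted files to a backup tree with a SHA-256 manifest before any removal tool touches the disk. The victim directory, its file names and the 7.0 bits/byte entropy threshold are constructed assumptions of this example; the ransom-note text is the one quoted above.

```python
"""Inventory, verify and back up .conflicker files before removal.
Added example; not code from the original article. The victim tree is constructed
here (os.urandom stands in for ciphertext); the 7.0 bits/byte entropy threshold is
an assumption of this example, not a figure from the article.
"""
import hashlib
import json
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".conflicker"
NOTE_NAME = "Decrypt.txt"
ENTROPY_THRESHOLD = 7.0  # assumption: real ciphertext scores close to 8.0

# The note text quoted in the article (abridged to the lines that matter here).
RANSOM_NOTE = (
    "C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E\n#####\n"
    "Attention! Attention! Attention! Your Files has been encrypted By C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E\n#####\n"
    "Send 0.5 Bitcoin To @ 1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS @\n#####\n"
)
# Amount, then a base58 address between the two "@" markers.
NOTE_RE = re.compile(r"Send\s+([\d.]+)\s+Bitcoin\s+To\s+@\s*([1-9A-HJ-NP-Za-km-z]{25,35})\s*@")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, about 4-5 for text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def inventory(root) -> list:
    """One record per *.conflicker file; a file merely renamed, not encrypted, is not flagged."""
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*" + ENCRYPTED_EXT)):
        data = path.read_bytes()
        ent = shannon_entropy(data)
        records.append({
            "path": path.relative_to(root).as_posix(),
            "original_name": path.name[:-len(ENCRYPTED_EXT)],
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(ent, 3),
            "looks_encrypted": ent >= ENTROPY_THRESHOLD,
        })
    return records

def parse_ransom_note(text: str) -> dict:
    """Pull the demanded amount and the Bitcoin address out of Decrypt.txt."""
    m = NOTE_RE.search(text)
    return {"amount_btc": m.group(1), "btc_address": m.group(2)} if m else {}

def backup_encrypted(root, dest) -> dict:
    """Copy every *.conflicker file into dest (relative paths kept), verify each copy, write a manifest."""
    root, dest = Path(root), Path(dest)
    manifest = {}
    for rec in inventory(root):
        src, dst = root / rec["path"], dest / rec["path"]
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != rec["sha256"]:
            raise RuntimeError(f"backup copy of {src} does not match the original")
        manifest[rec["path"]] = rec["sha256"]
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def build_fixture(root) -> Path:
    """Constructed victim tree for the demonstration; not real samples."""
    root = Path(root)
    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.conflicker").write_bytes(os.urandom(4096))      # stands in for ciphertext
    (docs / "notes.txt.conflicker").write_text("meeting notes\n" * 200)  # renamed only
    (docs / "untouched.txt").write_text("not targeted\n")
    (root / NOTE_NAME).write_text(RANSOM_NOTE)
    return root

def run_demo() -> dict:
    """Build the fixture in a temporary directory, run the three steps, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = build_fixture(Path(tmp) / "victim")
        backup = Path(tmp) / "backup"
        manifest = backup_encrypted(victim, backup)
        return {
            "inventory": inventory(victim),
            "note": parse_ransom_note((victim / NOTE_NAME).read_text()),
            "manifest": manifest,
            "backup_verified": all(sha256_file(backup / p) == h for p, h in manifest.items()),
        }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The entropy column is what separates a genuinely encrypted file from one the malware only renamed; the latter is worth knowing about because it can simply be renamed back. Keep the manifest with the backup: once a free decryptor appears, the hashes let you confirm you are feeding it untouched copies.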

Manually delete Conflicker from your computer

Note! Manual removal of Conflicker requires interfering with system files and the registry, so it can damage your PC if done incorrectly. If your computer skills are not at a professional level, don't worry: you can do the removal yourself in a few minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Conflicker files and objects
2. Find malicious files created by Conflicker on your PC

Automatically remove Conflicker by downloading an advanced anti-malware program

1. Remove Conflicker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Conflicker
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
