A ransomware virus has appeared in the wild, created with the same name as the original Conflicker virus of 2008-2009. The virus, detected in April 2017, encrypts files on the computers it infects and then drops a ransom note named Decrypt.txt, demanding that victims pay a hefty ransom (0.5 BTC) to get their files back in working order. If your computer has been infected by the Conflicker ransomware, we recommend reading the following article thoroughly.
|Short Description||Encrypts important files and demands a ransom payment of 0.5 BTC.|
|Symptoms||Files are encrypted and given the .conflicker file extension, and a decrypt.txt ransom note is added.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.|
.Conflicker File Virus – How Does It Spread
To distribute the Conflicker ransomware, the cyber-criminals behind the virus may use several different tools in combination. These may include malicious web links, compromised e-mail addresses, fake e-mail accounts, exploit kits, web injectors, fake updates, self-extracting archives and others. Such tools may be combined with spamming software to send spam e-mails on a massive scale. The spammed messages are usually deceptive and aim to get users either to open an attachment in the e-mail or to click on a malicious web link.
Other methods of spreading this malware may include uploading it to torrent websites or to software download sites that are suspicious or compromised. The virus may pose as a legitimate activator for different software, a key generator or a game crack.
.Conflicker Ransomware – Infection Process
The Conflicker infection is carried out by a dropper or a similar type of intermediary malware that is obfuscated and can successfully evade antivirus software. Once the user opens a malicious file or web link, the virus may drop its malicious files in several Windows directories, like the following:
The files are mostly executable and they also include the ransom note of Conflicker. They are reported to be the following:
- C_o_N_F_i_c_k_e_r Decryptor.exe
- winrar Setup 2017.exe
- winrar 2017.exe
In addition to dropping its malicious files, Conflicker ransomware may modify the Windows Registry, creating malicious registry values in some of the following sub-keys:
After the modification of the sub-keys is performed, the Conflicker ransomware may now run when Windows boots up.
Conflicker ransomware may also perform other activities, such as deleting backups and shadow volume copies. This is achievable by executing the vssadmin and bcdedit commands in Windows Command Prompt in quiet mode, without the user noticing, for example:
After this has been completed, the Conflicker ransomware may begin the encryption process.
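A detection sketch for the backup-deletion step described above, as an added example rather than code from the original article: it flags process command lines in which vssadmin or bcdedit is used to remove shadow copies or disable recovery, and notes whether quiet mode was requested. The log format and sample lines are constructed, and the patterns are the generic forms of these tools' options, since the exact commands Conflicker runs are not given on this page.

```python
import re

# Tool name, optional ".exe" and closing quote, then any arguments.
TOOL = r'\b{name}(?:\.exe)?"?\s+.*\b'

# Generic recovery-inhibiting uses of the two tools the article names.
# Assumption: these are not confirmed to be Conflicker's exact arguments.
RULES = [
    ("shadow_copy_delete",
     re.compile(TOOL.format(name="vssadmin") + r"delete\s+shadows\b", re.I)),
    ("recovery_disabled",
     re.compile(TOOL.format(name="bcdedit") + r"recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(TOOL.format(name="bcdedit") + r"bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
QUIET = re.compile(r"/quiet\b", re.I)
CMD_FIELD = re.compile(r"\bcmd=(.*)$")   # constructed log format: cmd= is the last field

# Constructed process-creation log lines (not taken from a real incident).
SAMPLE_LOG = [
    '2017-04-21T09:14:02Z host=WS-07 parent="winrar 2017.exe" cmd=cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet',
    '2017-04-21T09:14:03Z host=WS-07 parent="cmd.exe" cmd=bcdedit /set {default} recoveryenabled No',
    '2017-04-21T09:20:45Z host=WS-11 parent="mmc.exe" cmd=vssadmin list shadows',
    '2017-04-21T09:31:10Z host=WS-11 parent="explorer.exe" cmd=bcdedit /enum all',
]

def detect(lines):
    """Return (line_number, rule_name, quiet_mode) for every matching command line."""
    hits = []
    for number, line in enumerate(lines, 1):
        field = CMD_FIELD.search(line)
        if not field:
            continue
        cmd = field.group(1)
        for rule, pattern in RULES:
            if pattern.search(cmd):
                hits.append((number, rule, bool(QUIET.search(cmd))))
    return hits

if __name__ == "__main__":
    for number, rule, quiet in detect(SAMPLE_LOG):
        print(f"line {number}: {rule} (quiet={quiet})")
```

Administrative use of `vssadmin list shadows` or `bcdedit /enum` is not flagged; only the destructive forms are.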
Conflicker Virus – Encryption
The process of encrypting files is orchestrated with the assistance of an encryption algorithm which aims to encode the files by replacing blocks of data in them. Once this is done, the files seem corrupt and can no longer be opened. After the encryption process is complete, the Conflicker threat may change the extensions of the encrypted files, making them appear like the image below:
For the encryption process, Conflicker ransomware may target important files while carefully avoiding Windows system files, so that the OS remains intact. Among the encrypted files may be the following file extensions:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
After the encryption process is complete, the Conflicker virus may change the wallpaper on the affected computer and also drop a ransom note named decrypt.txt. Both the wallpaper and the ransom note carry the same message:
Attention! Attention! Attention! Your Files has been encrypted By C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
Send 0.5 Bitcoin To @ 1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS @
If Send 0.5 Bitcoin We will send you the decryption key C_o_N_F_i_c_k_e_r Decryptor
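A triage sketch for scoping an infection, using only the indicators named in this article (the .conflicker extension, the decrypt.txt note and the three reported executable names). It is an added example, not a tool from the original article; the function names are hypothetical, and it only reads directory listings without modifying or deleting anything.

```python
import os
from collections import Counter

# Indicators taken from the article; compared case-insensitively.
ENCRYPTED_SUFFIX = ".conflicker"
RANSOM_NOTE = "decrypt.txt"
DROPPED_NAMES = {
    "c_o_n_f_i_c_k_e_r decryptor.exe",
    "winrar setup 2017.exe",
    "winrar 2017.exe",
}

def triage(root):
    """Walk `root` read-only and classify files by the article's indicators."""
    report = {"encrypted": [], "notes": [], "dropped": [], "by_dir": Counter()}
    # onerror swallows unreadable directories so one ACL failure does not stop the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(path)
                report["by_dir"][dirpath] += 1
            elif lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower in DROPPED_NAMES:
                # A name match is a lead, not a verdict: a genuine installer
                # could share one of these names, so verify before acting.
                report["dropped"].append(path)
    return report

def worst_directories(report, top=5):
    """Directories holding the most encrypted files, for prioritising recovery."""
    return report["by_dir"].most_common(top)

if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"ransom notes:    {len(result['notes'])}")
    print(f"suspect dropped executables: {result['dropped']}")
    for directory, count in worst_directories(result):
        print(f"{count:6d}  {directory}")
```

Run it against a mounted copy or backup image of the affected drive where possible, so the scan does not touch the live system.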
Remove Conflicker Virus and Restore .conflicker Encrypted Files
Before beginning the removal of Conflicker ransomware, we recommend backing up the encrypted files first. After this, follow the removal instructions below. They are designed to help you get rid of the malicious files by first isolating Conflicker in Safe Mode. For maximum effectiveness and proper removal, security experts recommend downloading and installing an advanced anti-malware program. It will automatically remove all malicious files related to Conflicker ransomware and protect the system against future infections as well.
To restore files encrypted by Conflicker ransomware, we advise using the methods in step “2. Restore files encrypted by Conflicker” below. There is no guarantee that all the files will be restored, but you may recover a large portion of them, at least until a decryptor is released for free.
Manually delete Conflicker from your computer
Note! Important information about the Conflicker threat: manual removal of Conflicker requires changes to system files and the registry, and can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.