Remove AiraCrop Virus and Restore ._AiraCropEncrypted! Files

A ransomware virus called AiraCrop has been the subject of several user reports, primarily about encrypted servers. The virus appends the ._AiraCropEncrypted! file extension to the files it enciphers and uses the RSA and AES algorithms in combination to make the data in those files inaccessible. After encryption, the virus leaves a ransom note with instructions on how to visit Tor-based web pages and follow further steps to pay a ransom fee and, hopefully, restore the encrypted files. Users infected by AiraCrop ransomware are strongly advised not to pay any ransom and to read the information in this article to learn how to remove AiraCrop and try to restore the encrypted files.

Threat Summary

Name: AiraCrop
Type: Ransomware
Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may witness ransom notes all linking to a web page and a decryptor or an e-mail address. File names are changed and the file extension ._AiraCropEncrypted! is added to the enciphered files.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

How Does AiraCrop Spread

To infect a system, AiraCrop ransomware uses several different methods that, if combined, ensure a successful infection. These tools may be the following:

  • Spam bots to spread the virus files.
  • Malicious servers for command and control (C2).
  • Malicious obfuscators that aim to hide the payload and infection from security software.
  • Evasive tools.
  • Exploit kits or JavaScript files.

To carry this out, those who spam AiraCrop ransomware may undertake a massive spam campaign, either by sending messages one by one themselves or by using a special e-mail spammer bot. They might also use third-party services that spread the malware for a payment or a percentage. The malware may be disguised as a legitimate file in a phishing e-mail, resembling a document, an image or anything else that can fool the average user. However, the virus also infects servers, which suggests several other scenarios for how it may be spread, for example:

  • Via social media.
  • Via cloud services.
  • Hands-on approach if the attack is targeted.
  • Fake setup files.
  • Malicious archived files.

AiraCrop Ransomware – More Information

Once AiraCrop has been installed on an infected computer or server, the virus may immediately begin to modify its settings, quietly downloading its files from a third-party host and setting them to run and encrypt automatically on Windows boot.

After the encryption module of the AiraCrop threat has run, it immediately gets down to business and begins to encrypt a variety of file types, primarily related to:

  • Archives.
  • Videos.
  • Images.
  • Audio files.
  • Microsoft Office documents.
  • Adobe Reader types of files.

The ransomware claims to use some of the strongest ciphers available at this point, believed to be the AES-256 and RSA-2048 encryption algorithms, to encrypt the files. One algorithm (AES) may be used to encrypt the files and then generate a unique decryption key. This decryption key can then be additionally encrypted with the other (RSA) cipher. The unique decryption key, which is usually split into a public and a private part, is then copied and sent to the control servers of the cyber-criminals behind AiraCrop ransomware. The encoded files appear corrupt and can no longer be opened. The unique ._AiraCropEncrypted! file extension is added to them, for example:

[Image: an encrypted file carrying the ._AiraCropEncrypted! extension]

After encryption, the AiraCrop virus leaves its distinctive ransom note, reported by victims on security forums to be the following:

→ “Encrypted Files!
All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.
Making it impossible to recover the files without the correct private key.
If you are interested in getting is key, and retrieve your files
visit one of the link and enter your key;
https://6kaqkavhpu5dln6x.onion.to/
https://6kaqkavhpu5dln6x.onion.link/
https://mvy3kbqc4adhosdy.onion.to/
https://mvy3kbqc4adhosdy.onion.link/
Alternative link:
http://6kaqkavhpu5dln6x.onion
http://mvy3kbqc4adhosdy.onion
To access the alternate link is mandatory to use the TOR browser available on the link
https://www.torproject.org/download/download
Key:
{UNIQUE DECRYPTION KEY}”

Remove AiraCrop Ransomware and Restore Your Files

The bottom line is that this virus may be a ransomware used in targeted attacks specifically against servers, but it may have several other variants used against ordinary users as well. This is why malware researchers strongly advise users to be very careful while removing the virus and to back up the encrypted files in case they do not want to pay the ransom. Paying the ransom is also not recommended, primarily because there is no guarantee you will receive your files back and no guarantee the attackers will not ask for more.
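An added example (not from the original article): a read-only Python inventory of files carrying the ._AiraCropEncrypted! extension and of files quoting the onion hostnames from the ransom note, so the affected data can be listed before it is backed up. It assumes the extension is appended to the original file name; the sample tree and its file names are constructed.

```python
import os
import tempfile
from collections import Counter

# Indicators from this article: the appended extension and the ransom note's onion hosts.
ENCRYPTED_SUFFIX = "._AiraCropEncrypted!"
NOTE_MARKERS = (b"6kaqkavhpu5dln6x", b"mvy3kbqc4adhosdy")

def looks_like_note(path):
    """True if the first 64 KiB of a file contains a ransom-note marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # assumption: notes are small text files
    except OSError:
        return False  # unreadable or locked file: skip it, keep scanning
    return any(marker in head for marker in NOTE_MARKERS)

def inventory(root):
    """Walk root; return affected files, candidate notes and per-directory counts."""
    encrypted, notes, per_dir = [], [], Counter()
    suffix = ENCRYPTED_SUFFIX.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(suffix):
                original = name[: -len(suffix)]  # assumes the suffix was appended
                encrypted.append((path, original, os.path.getsize(path)))
                per_dir[dirpath] += 1
            elif looks_like_note(path):
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": per_dir}

def build_sample_tree(root):
    """Constructed sample data: harmless files that only mimic the indicators."""
    os.makedirs(os.path.join(root, "share", "docs"))
    samples = {
        "share/docs/report.docx._AiraCropEncrypted!": b"\x00" * 32,
        "share/docs/photo.JPG._airacropencrypted!": b"\x00" * 16,
        "share/docs/untouched.txt": b"quarterly notes",
        "share/README_note.txt": b"visit http://6kaqkavhpu5dln6x.onion and enter your key",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(inventory(tmp)["per_dir"])
```

The scan only reads files, so the resulting list can be used as a manifest for the backup of encrypted data described above.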

To remove the AiraCrop ransomware yourself, it is strongly advisable to follow our removal instructions below. The virus can be removed manually if you have the experience, but we strongly advise you to do it automatically using an advanced anti-malware program that will allow for the complete removal of the ransomware and the detection of other malware and unwanted software as well.

If you are looking for methods to restore your files, we have posted several alternative solutions below which should help you restore at least some of the files. Bear in mind that the methods may work in some situations but fail in others, so back up your files and hope for the best.

Manually delete AiraCrop from your computer

Note! Important notice about the AiraCrop threat: Manual removal of AiraCrop requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove AiraCrop files and objects
2. Find malicious files created by AiraCrop on your PC

Automatically remove AiraCrop by downloading an advanced anti-malware program

1. Remove AiraCrop with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by AiraCrop
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
