Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Auinfo16 Ransomware and Restore .Zip Encrypted Files

fix-your-malware-problem-sensorstechforumA ransomware variant, belonging to the ACCDFISA type of ransomware viruses has been reported to be massively spread and heavily encrypt files of compromised computers. Research shows that the ransomware adds the file extension to “(!! to get email id password {Unique ID} to auinfo16@gmail.com !!)” to the files encrypted by it. It is also believed that this virus uses WinRar to archive the files in password-protected documents. After archiving the files, the Auinfo16 ransomware leaves them in a .zip format and may change their names. Users who have been infected by the Auinfo16 cyber-threat are strongly advised to read this article and learn how to remove this virus and try to get the files back.

Threat Summary

Name

Auinfo16

Type Ransomware
Short Description Encrypts user files with what appears to be AES encryption and ask ransom money for decryption varying from the hundreds to thousands of dollars.
Symptoms The user may witness various ransom notes dropped on the desktop, changed wallpaper and several legitimately looking Windows processes, like svchost.exe to be running with unknown license on the computer.
Distribution Method Via an Exploit kit, JavaScript, other malware or PUPs.
Detection Tool See If Your System Has Been Affected by Auinfo16

Download

Malware Removal Tool

User Experience Join our forum to Discuss Auinfo16 Ransomware.

Auinfo16 Ransomware – Spread

For it to infect users, Auinfo16 ransomware virus may use process obfuscators, exploit kits, JavaScript and other tools to hide its malicious payload while it is being dropped from any real-time protection on targeted computers.

In addition to this, Auinfo16’s creators may use spamming software or spamming services to send massive spam e-mail messages which may contain:

  • Malicious URLs that can cause browser redirects to drive-by-download web links that can infect the computer with Auinfo16.
  • Malicious attachments of heavily obfuscated executables or other types of files pretending to be legitimate Microsoft Office or Adobe Reader or other documents.

Another strategy to spread this ransomware virus is by using PUPs, like browser hijackers or adware, for example. Such programs are ad-supported software that comes via bundling on the victim’s computer and in some cases may have the ability to cause browser redirects to third-party web sites and URLs. If the creators of this PUP aim to make money not only via pay-per-click schemes but also by distributing malware, you may have become a victim as a result of this.

Auinfo16 Ransomware – In-Depth Information

Once executed on the victim’s computer, like the other variants of ACCDFISA ransomware, Auinfo16, may drop it’s malicious payload under the legitimate name svchost.exe (crucial Windows process). The payload may be located in a completely random named folder in the “C:” drive, for example:

→C:\{Random name}\svchost.exe

The virus may then create the following registry entry to make the malicious svchost.exe run on Windows boot up:

In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, the value “C:\{Random name}\svchost.exe”

The Auinfo16 virus may also drop support files otherwise known as modules that may be hidden in other crucial Windows folders:

→%SystemDrive%
%SystemRoot%
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

Some of the files of previous variants of this ransomware have been reported to be with the following names and in the following locations by malware researchers:

→ %ProgramData%\local\ aescrypter.exe
%ProgramData%\local\ crdfoftrs.dll
%ProgramData%\local\ svchost.exe
%ProgramData%\local\ undxkpwvlk.dll
%ProgramData%\local\ vpkswnhisp.dll
%Users%\Public\Desktop\ how to decrypt aes files.lnk
%Windows%\SysWOW64\ csrsstub.exe
%Windows%\SysWOW64\ dcomcnfgui.exe
%Windows%\SysWOW64\ tcpsvcss.exe
%Windows%\SysWOW64\ tracerpts.exe
%Windows%\SysWOW64\ ucsvcsh.exe
%Windows%\SysWOW64\ wcmtstcsys.sss
%decrypt% decrypt.exe
how to decrypt aes files.lnk

After it’s encryption process runs, this virus may use protocols from WinRar to generate a unique method to archive the files with a password, which may then be sent to the servers of the cyber-criminals along with a unique identification number. This ID is mentioned in the file extension added to the files after encryption, for example, if the ID number is 111,111,111, encrypted files may look like the following:

encrypted-file-auinfo16-ransowmare-sensorstechforum

The Auinfo16 virus primarily hunts for files that are videos, pictures, documents, database files and even large image files. It may even be set to encrypt all files besides the crucial files by which Windows can run successfully.

After encryption, similar to the other ACCDFISA viruses, the wallpaper may be changed to the following picture:

ransomware-file-encryption-sensorstechforum-ransom-note-anti-child porn spam protection

Remove Auinfo16 Ransomware and Try Restoring the Files

As a bottom line, Auinfo16 ransomware should be immediately removed, instead of paying the ransom money. To do this successfully, we strongly advise you to follow the instructions posted below and delete Auinfor16 ransomware from your computer. For maximum effectiveness, experts advise using a more automatic approach and scanning the computer with anti-malware software to detect other threats if present and remove Auinfo16 fully and permanently.

Regarding file decryption, at this moment there is no solution released, but researchers are working on cracking this ransomware. The malware writers behind Auinfo16 have stated in other variants of this ACCDFISA ransomware that they have improved it’s encryption by using not one but two unique decryption keys, which makes direct decryption a risky process. This is why we advise you to be cautious when attempting the methods for file restoration in step “3. Restore files encrypted by Auinfo16” below and to make backups in case you attempt direct decryption.

Manually delete Auinfo16 from your computer

Note! Substantial notification about the Auinfo16 threat: Manual removal of Auinfo16 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Auinfo16 files and objects
2. Find malicious files created by Auinfo16 on your PC
3. Fix registry entries created by Auinfo16 on your PC

Automatically remove Auinfo16 by downloading an advanced anti-malware program

1. Remove Auinfo16 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Auinfo16 in the future
3. Restore files encrypted by Auinfo16
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.