A new ransomware, associated with the domain weekendwarrior55(.)com (which redirects to mail.ru), has been reported to encrypt user files and append random extensions to them. Users have increasingly complained that the malicious program has corrupted their data. Unlike other ransomware, this particular ransomware leaves no ransom note; instead, the victim is expected to contact the attacker via the email address appended to the encrypted files as an extension, or via the backup address cryfile@protonmail(.)com.
Short Description: The malicious threat infects users to encrypt their files and extort them with Bitcoins for the decryption.
Symptoms: The user's files become corrupt with a Av666@weekendwarrior55(.)com extension.
Distribution Method: Via PUPs, installed by bundling (Browser Hijackers) or by visiting a suspicious third-party site that is advertising it.
Av666@weekendwarrior55(.)com Ransomware – How Does It Infect?
This ransomware has been reported on security forums to infect primarily Windows-based computers, as well as server machines, via email. The malicious attachment may be a .zip, .rar or other archive format containing files with the following extensions:
→.doc, .docx, .pdf, .xls, .jpg, .bmp
These files may contain malicious code themselves, or may be paired with another file of one of the following extensions:
→.bat, .dll, .tmp, .exe
This is essentially the file that delivers the payload to the victim's computer.
Av666@weekendwarrior55(.)com Ransomware – More About It
Once activated, the ransomware may create its payload files, which may be programmed to scan and encrypt data, in the following common locations:
Users on the Bleeping Computer forums have reported a .tmp file that may be disguised as an executable in the following location:
Malware researchers believe that the malware may also create registry entries with values set to run the executable 99DB.tmp and other malicious files spread by this ransomware trojan on system startup. This may happen in the following Windows Registry entry:
After delivering its payload, the ransomware begins to scan for user files of different extensions. Users have reported the following types of files being encrypted by this devastating ransomware:
→.pdf, .csv, .xls, .jpg, .rtf, .doc
However, according to researchers, the malware may also look for other file extensions to encrypt:
→.cer, .crt, .db, .dbf, .der, .doc, .docm, .docx, .groups, .kwm, .mdb, .mdf, .pem, .pwm, .rtf, .safe, .sql, .txt, .xlk, .xlsb, .xlsm, .xlsx
After encryption, the encrypted file looks like the following:
The detail that distinguishes the "@" type of ransomware, which includes an email address in the file extension, is that it usually does not leave any ransom note after making files appear corrupt by encrypting them. The situation with Av666@weekendwarrior55(.)com is basically the same. One affected user on the Kaldata.com forums even tried contacting the cyber criminals at the e-mail address provided. The conversation is as follows:
My files have been encrypted on Friday, 27.11.2015.
Please, send me a decryptor to unlock my files.
If you wish to get all your files back, you need to pay 3 bitcoins.
Go to localbitcoins dot com, it’s probably the easiest way, open an account,
buy bitcoins and then ask me for the address to send the bitcoins to.
My friend, I am from Bulgaria. 3 bitcoins are my salary for two months.
If you agree I can pay 0.1.
2 btc
It is highly recommended NOT to pay the ransom demanded by the cyber criminals, for two main reasons:
- You fund the cybercriminals to spread their ransomware and improve it.
- There are methods to restore the files.
Removing Av666@weekendwarrior55(.)com Ransomware Fully From Your PC
To remove this ransomware and decrypt your files, you should first copy the encrypted data to an external drive or upload it to the cloud. This is done in case the ransomware is programmed to delete the encrypted data or the decryption keys if it is tampered with. Before following our instructions for restoring your files, you should follow the step-by-step instructions after the article to remove all malicious files of the Av666@weekendwarrior55(.)com Ransomware.
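Before restoring anything, a responder will want to know which files carry the e-mail extension, whether the startup persistence described above is present, and which shadow copies still exist. The following read-only PowerShell triage script is an added example, not part of the original article or of any vendor tool; the $ScanRoot path, the $Marker string and the .tmp regular expression are assumptions based on the behaviour described above.

```powershell
# Added triage script (not from the original article). Read-only: it changes nothing.
# Assumptions: the victim-reported e-mail address is appended to encrypted file names,
# and persistence is a Run-key value that references a .tmp file such as 99DB.tmp.
param(
    [string]$ScanRoot = "$env:USERPROFILE",
    [string]$Marker   = 'Av666@weekendwarrior55.com'   # extension reported by victims
)

# 1. Inventory encrypted files and group them by the original extension
#    (approximate: the name with the marker stripped is treated as the original name).
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Marker*" }
"Encrypted files found under ${ScanRoot}: $($encrypted.Count)"
$encrypted |
    Group-Object { [IO.Path]::GetExtension($_.Name.Replace(".$Marker", '')) } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2. Check the per-user and machine Run keys for a startup value pointing at a .tmp file.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip provider metadata members
        if ("$($p.Value)" -match '\.tmp(\s|"|$)') {      # e.g. ...\99DB.tmp
            "Suspicious Run value: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. List existing Volume Shadow Copies, which the restore section below relies on
#    (run from an elevated prompt to see all of them).
Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Select-Object ID, VolumeName, InstallDate |
    Format-Table -AutoSize
```

If section 3 prints nothing, the shadow copies have already been removed and the restore method in the next section will not work; rely on the offline copy made above instead.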
Restoring Files Encrypted by Av666@weekendwarrior55(.)com Ransomware
In order to restore your files encrypted by Av666@weekendwarrior55(.)com ransomware successfully via volume shadow copies in Windows, please use the instructions below: