
Remove Av666@weekendwarrior55(.)com Ransomware and Restore the Encrypted Files

A new ransomware associated with the domain weekendwarrior55(.)com, which redirects to mail.ru, has been reported to encrypt user files and give them random extensions. Users have increasingly begun complaining that the malicious program has corrupted their data. Unlike other ransomware, however, it does not leave a ransom note. Instead, the victim is left to contact the attacker at the e-mail address appended to the encrypted files as an extension, or at this backup e-mail: cryfile@protonmail(.)com.

Name: Av666@weekendwarrior55(.)com
Type: Ransomware Trojan
Short Description: The malicious threat infects users' computers, encrypts their files and extorts them for Bitcoins in exchange for decryption.
Symptoms: The user's files become corrupt and carry an Av666@weekendwarrior55(.)com extension.
Distribution Method: Via PUPs, installed by bundling (Browser Hijackers) or by visiting a suspicious third-party site that is advertising it.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Av666@weekendwarrior55(.)com
User Experience: Join our forum to discuss the decryption of files encrypted by Av666@weekendwarrior55(.)com Ransomware.


Av666@weekendwarrior55(.)com Ransomware – How Does It Infect?

This ransomware has been reported on security forums to infect primarily Windows-based computers, as well as server machines, by email. The message may carry a malicious attachment in the form of a .zip, .rar or other archive containing files with the following extensions:

.doc, .docx, .pdf, .xls, .jpg, .bmp

What is more, these files may contain malicious code or be accompanied by another file with one of the following extensions:

.bat, .dll, .tmp, .exe

This is essentially the file that delivers the payload to the victim's computer.

Av666@weekendwarrior55(.)com Ransomware – More About It

Once activated, these are the most common locations where Av666@weekendwarrior55(.)com Ransomware may create its payload files that may be programmed to scan and encrypt data:

%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
%User%
%temp%

Users on the Bleeping Computer forums have reported a .tmp file, which may be an executable in disguise, in the following location:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\99DB.tmp

Malware researchers believe that the malware may also create registry entries with values set to run the executable 99DB.tmp and other malicious files spread by this ransomware trojan on system startup. This may happen in the following Windows Registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
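
One way to check the two persistence points described above, as an added example that is not part of the original article. It flags Startup-folder files that are executables hiding behind another extension (such as the reported .tmp file) and lists the values under the Run key; the function names are illustrative, and the registry part only runs on Windows.

```python
import os
import sys
from pathlib import Path

# Extensions the article lists for the payload-carrying file.
PAYLOAD_EXTS = {".bat", ".dll", ".tmp", ".exe"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def is_pe(path):
    """True if the file starts with the 'MZ' DOS/PE header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def suspicious_startup_items(startup_dir):
    """Return (name, reason) for Startup-folder files worth a closer look."""
    findings = []
    for entry in sorted(Path(startup_dir).iterdir()):
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        if is_pe(entry) and ext != ".exe":
            findings.append((entry.name, "PE executable with a %s extension" % (ext or "missing")))
        elif ext in PAYLOAD_EXTS:
            findings.append((entry.name, "payload-type extension " + ext))
    return findings

def run_key_values():
    """List (name, command) pairs under HKLM ...\\Run; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values.append((name, str(data)))
    return values

if __name__ == "__main__":
    default = Path(os.environ.get("APPDATA", ".")) / "Microsoft/Windows/Start Menu/Programs/Startup"
    if default.is_dir():
        for name, reason in suspicious_startup_items(default):
            print("Startup:", name, "-", reason)
    for name, cmd in run_key_values():
        print("Run key:", name, "=", cmd)
```

Legitimate Startup entries are normally .lnk shortcuts, so anything this reports deserves a manual look before deletion.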

After delivering its payload, the ransomware begins to scan for user files of different extensions. Users have reported the following types of files being encrypted by this devastating ransomware:

.pdf, .csv, .xls, .jpg, .rtf, .doc

However, according to researchers the malware may also look for other file extensions to encrypt:

.cer .crt .db .dbf .der .doc .docm .docx .groups .kwm .mdb .mdf .pem .pwm .rtf .safe .sql .txt .xlk .xlsb .xlsm .xlsx

After encryption, the encrypted file looks like the following:

FILENAME.EXTENSION_id-RANDOMNUMBERS_id-1026927078_av666@weekendwarrior55.com
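
The naming scheme above can be used to inventory affected files before any restore attempt. The following is an added example, not code from the original article: it parses that layout, recovers the original file name, and counts encrypted files per original extension. It assumes both id fields are decimal digits and that the e-mail local part contains no underscore; the function names are illustrative.

```python
import os
import re
from collections import Counter

# Layout from the article: NAME.EXT_id-<digits>_id-<digits>_<contact e-mail>.
# Assumption: both id fields are decimal digits ("RANDOMNUMBERS" in the article).
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)_id-(?P<id1>\d+)_id-(?P<id2>\d+)"
    r"_(?P<email>[^\s_@]+@[^\s@]+\.[A-Za-z]{2,})$"
)

def parse_encrypted_name(filename):
    """Split an encrypted file name into its parts, or return None."""
    m = ENCRYPTED_NAME.match(filename)
    if not m:
        return None
    original = m.group("original")
    return {
        "original": original,
        "ext": os.path.splitext(original)[1].lower(),
        "ids": (m.group("id1"), m.group("id2")),
        "email": m.group("email").lower(),
    }

def inventory(root):
    """Walk root and return (records, per-extension counts, contact e-mails)."""
    records, by_ext, emails = [], Counter(), set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            info = parse_encrypted_name(name)
            if info is None:
                continue  # untouched file, or a different naming scheme
            info["path"] = os.path.join(folder, name)
            records.append(info)
            by_ext[info["ext"]] += 1
            emails.add(info["email"])
    return records, by_ext, emails

if __name__ == "__main__":
    import sys
    records, by_ext, emails = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(len(records), "encrypted files; contact addresses:", sorted(emails))
    for ext, count in by_ext.most_common():
        print(f"{ext or '(none)'}: {count}")
```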

What distinguishes this type of ransomware, which puts an e-mail address in the file extension, is that it usually leaves no ransom note after encrypting files and making them appear corrupt. The situation with Av666@weekendwarrior55(.)com is basically the same. One affected user on the Kaldata.com forums has even tried contacting the cyber criminals at the questionable e-mail address provided. The conversation is as follows:

Me:
Hello,
My files have been crypted on Friday, 27.11.2015.
Please, send me a decryptor to unlock my files.
The hijacker:
Hi
If you wish to get all your files back, you need to pay 3 bitcoins.
Go to localbitcoins dot com, it’s probably the easiest way, open an account,
buy bitcoins and then ask me for the address to send the bitcoins to.
Me:
Hi,
My friend, I am from Bulgaria. 3 bitcoins are my salary for two months.
If you agree I can pay 0.1.
The hijacker:
2 btc

It is highly recommended NOT to pay the ransom demanded by the cyber criminals, for two main reasons:

  • You fund the cybercriminals to spread their ransomware and improve it.
  • There are methods to restore the files.

Removing Av666@weekendwarrior55(.)com Ransomware Fully From Your PC

Before removing this ransomware and attempting to decrypt your files, you should copy the encrypted data to an external drive or upload it to the cloud. This is done just in case the ransomware is programmed to delete encrypted data or decryption keys if tampered with. Before following our instructions for restoring your files, you should go through the step-by-step instructions below to remove all malicious files of the Av666@weekendwarrior55(.)com Ransomware.

1. Boot Your PC In Safe Mode to isolate and remove Av666@weekendwarrior55(.)com
2. Remove Av666@weekendwarrior55(.)com with SpyHunter Anti-Malware Tool
3. Remove Av666@weekendwarrior55(.)com with Malwarebytes Anti-Malware
4. Remove Av666@weekendwarrior55(.)com with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Av666@weekendwarrior55(.)com in the future

Restoring Files Encrypted by Av666@weekendwarrior55(.)com Ransomware

In order to restore your files encrypted by Av666@weekendwarrior55(.)com ransomware successfully via volume shadow copies in Windows, please use the instructions below:

Method 1: Instructions to restore your files encrypted with Av666@weekendwarrior55(.)com extension.

Method 2: Decrypt your files using Volume Shadow Copies in Windows

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
