A very dangerous RAT(Remote Access Trojan) has been reported to have capabilities to hold the computers of its victims for ransom. The Trojan has been reported to be spread primarily in North America and the UK. It has been the reason for over 100 arrests conducted by the law enforcement agencies, seizing over 1000 storage devices, SC Magazine reports. Users who have had their computers locked by BlackShades ransomware Trojan are strongly advised not to pay any ransom money and to seek alternative methods, such as the ones in this article to remove this Trojan and Restore the encrypted files.
|Type||Remote Access Trojan with file encryption capability.|
|Short Description||The ransomware encrypts files with a strong cipher and asks a ransom payment for decryption. Also steals information and may perform remote control activities on the infected machine.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom may show as a text file or a wallpaper.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
See If Your System Has Been Affected by BlackShades
Malware Removal Tool
|User Experience||Join our forum to Discuss Locky Ransomware.|
BlackShades Ransom Trojan – Distribution
This Trojan is remote access, which means that it uses an active connection by opening up a port and establishing a connection to the cybercriminal’s control server. To infect users and establish this connection, the Trojan uses the following malicious executable, detected by ESG researchers:
→ File Name: WinSecurity.exe
Size: 241,152 KB
Researchers believe that this executable may be distributed along fake setups of programs downloaded from shady third-party locations. However, another scenario suggests that the file may be in an obfuscated form and could be distributed in an archive uploaded online or via spam e-mail messages. Either way, users are strongly advised to follow the usual security tips to protect themselves against ransomware in the future.
BlackShades Ransom Trojan In Detail
Once activated on the computer, the WinSecurity.exe file may establish a connection to the C&C server of the cyber-criminals. From there, the Trojan may send the following information to them:
- Operating system installed.
- Hardware specs.
- Browsing history.
- Network information.
After this has been completed, the Trojan may disable any antivirus or anti-malware software that might be actively running. In addition to that the Trojan may provide the cyber criminals administrative access to your computer. Most RATs have even options which they give to the crooks, such as encrypting files. If the people behind the BlackShade Crypter Ransomware decide it is time to encrypt your files, they may execute a remote command that will make the malicious file to scan for different files to encrypt, for example:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
The encrypted files may have various file extensions added to them, and they are unable to be opened. In addition to that, the ransomware may lock the user out of his computer completely by modifying settings in the Windows Registry Editor.
Besides encrypting possibilities, the Trojan has been reported to be associated with the following files:
In addition to that, users may notice the Trojan’s presence by the following symptoms:
- The cursor of the mouse moves without being moved.
- The light of the web camera of the user becomes active.
- The monitor of the user turns off during usage.
- The usernames and passwords on the infected PC are changed.
- The files are unable to be opened, and a ransom note has been left for the unlocking of the files.
Researchers have reported that BlackShades is a very nasty cyber-threat because, besides having the ability to hold your files locked until you pay a hefty “fee,” the virus can also steal all of the information from infected PCs. If you become a “lucky winner” of the ransomware, bear in mind that you should immediately switch of your internet connection.
Remove BlackShades Ransomware Trojan and Restore the Encrypted Files
To remove this ransomware in full from your computer, you need to isolate it first. This means that you should boot your computer into safe mode to disable any third-parties running and from there, start the removal process. We suggest that you follow the removal instructions below, to delete the Trojan. Due to the complicatedness of the situation, experts advise using an advanced anti-malware tool to help you with the detection of all the registry entries and the files s this ransomware has dropped and modified on your computer.
If you have had your files encoded by the ransomware, we advise you to try using the file restoration alternatives In step “3. Restore files encrypted by BlackShades” while you wait for a decryptor to be released. Once a decryptor has been released, we will update this article with a download URL.
Manually delete BlackShades from your computer
Note! Substantial notification about the BlackShades threat: Manual removal of BlackShades requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.