CuteRansomware is the name of a virus that uses Google Docs to try to stay hidden from security software. It encrypts specific files. The extension this ransomware appends to all encrypted files is .encrypted or, in Chinese, .加密. To remove this ransomware virus and see how you can try to restore your files, you should read the article carefully.
|Short Description||The ransomware will encrypt all of your files, but may not always show a ransom note, depending on the variant. The file extensions which the ransomware searches to encrypt might be small in number, but not in importance.|
|Symptoms||The ransomware encrypts files and sets a new extension to each of them – .encrypted / .加密.|
|Distribution Method||Spam Emails, File Sharing Networks|
CuteRansomware – Infection Spread
CuteRansomware might be spread with spam emails. Such emails have file attachments. These attachments might contain malicious code, so opening them is not advised. If opened, your computer will be infected in an instant, before you can react in any way. Other ways the infection can spread to your PC are through social media sites and file sharing networks. The malware which contains the payload could be placed on one of those platforms. Avoiding infection is manageable if you are very careful with what you do online.
CuteRansomware – Technical Analysis
CuteRansomware is a crypto-virus that was detected by an AVG researcher. The virus is named after a string that is repeated many times in its code – cuteRansomware. It gained popularity a few days ago, and lots of security programs detected more activity around it.
The ransomware actually uses the code of a C Sharp (C#) application developed by Ma Shenghao. The code, available for download on GitHub under the name “my-Little-Ransomware”, is mostly copy-pasted and used for encrypting people’s files. Small but significant changes are made to the code. On GitHub, there is a description in Chinese, from which it becomes apparent that the virus can execute on every start of the Windows operating system. Also, it seems that it is targeting Chinese users, as almost everything is written in Chinese.
CuteRansomware may create the following registry key so that it runs automatically at each start of the OS:
After encryption, the ransomware does not display a ransom note but rather a pop-up notification box, which states in Chinese that your files are encrypted. Researchers from Netskope have found that this variant again uses a Google Doc as a Command and Control (C&C) server to send the symmetric decryption key and avoid detection.
However, a new sample of cuteRansomware is in fact detected by lots of security programs on the VirusTotal website.
Do not pay any ransom money that may be asked of you. Do not contact the cyber criminals if contact details are provided, as there is no guarantee that doing so will lead to the decryption of your data or that they will even answer. Read further to see ways in which you might be successful in restoring some files.
The CuteRansomware uses the RSA algorithm along with AES 128-bit ciphers for file encryption. The encryption and decryption keys are sent to the cyber crooks via Google Docs as mentioned above. In that way, they do not create an additional C&C server and avoid detection by security software.
The following extensions were encrypted by the original ransomware:
→.png, .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .arw, .as, .as3, .asf, .asp, .asx, .avi, .bay, .bmp, .cdr, .cer, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .fla, .flv, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .kdc, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mrw, .msg, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .r3d, .ra, .raf, .rar, .raw, .rb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .vcf, .vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip
The files which this version of the ransomware seeks to encrypt use some extensions from the above list as well as the following extensions:
→.bmp, .png, .jpg, .zip, .txt, .pdf, .pptx, .docx, .py, .cpp, .pcap, .enc, .pem, .csr
After the whole encryption process is finished, files on your computer will have another extension appended to them – .encrypted or, more accurately, 加密.
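To gauge how many files were hit, the appended extension can be used as a triage marker. The following is an added example, not part of the original article or of the ransomware's code: it walks a folder, finds names ending in .encrypted or .加密, and groups them by the original extension from this variant's list. It assumes the marker is appended after the original extension; names that do not match (for example scrambled ones) are counted as "unrecognised". The sample file names are constructed.

```python
import os
import tempfile
from collections import Counter

# Markers the article says are appended to encrypted files.
MARKERS = (".encrypted", ".加密")
# Extensions the article lists for this variant (the shorter list).
TARGETED = {".bmp", ".png", ".jpg", ".zip", ".txt", ".pdf", ".pptx",
            ".docx", ".py", ".cpp", ".pcap", ".enc", ".pem", ".csr"}


def classify(filename):
    """Return (marker, original_ext) if the name carries a marker, else None.

    original_ext is None when the part before the marker does not end in a
    targeted extension (for example because the name was scrambled).
    """
    lower = filename.lower()
    for marker in MARKERS:
        if lower.endswith(marker) and len(lower) > len(marker):
            stem = lower[: -len(marker)]
            ext = os.path.splitext(stem)[1]
            return marker, (ext if ext in TARGETED else None)
    return None


def scan(root):
    """Walk root and count marked files per original extension."""
    by_ext = Counter()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = classify(name)
            if result is None:
                continue
            by_ext[result[1] or "unrecognised"] += 1
            hits.append(os.path.join(dirpath, name))
    return by_ext, sorted(hits)


def demo():
    """Run scan() over a constructed directory of empty sample files."""
    names = ["report.docx.加密", "photo.JPG.encrypted", "notes.txt",
             "x9f3a.encrypted", "capture.pcap.加密", "already.enc"]
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            open(os.path.join(root, name), "w").close()
        by_ext, hits = scan(root)
    return dict(by_ext), [os.path.basename(h) for h in hits]
```

Call `scan()` on a user profile or a mounted backup to get the per-extension counts and the list of affected paths before deciding what to restore.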
Interestingly enough, in the description for the first version of the ransomware, it states that some files might be recoverable, only when their scrambled names are fixed.
It is unknown whether the CuteRansomware virus deletes Shadow Volume Copies from the Windows operating system. Continue reading the article to the end to find out what you can try to restore some of your files.
Remove CuteRansomware and Restore .Encrypted Files
If your computer got infected with the CuteRansomware virus, you should have some experience in removing malware. You should get rid of this ransomware. The recommended action is to remove the virus efficiently by following the step-by-step instructions provided below.
Manually delete cuteRansomware from your computer
Note! Important notification about the cuteRansomware threat: Manual removal of cuteRansomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.