Remove Dr. Jimbo Ransomware and Restore .encrypted Files

A new file-encrypting malware named Dr.Jimbo has been spotted encoding user data and appending the .encrypted file extension to the encoded files. The ransomware uses a sophisticated encryption algorithm that rewrites the contents of the files, making them inaccessible. It is not likely that Dr.Jimbo ransomware will spread on a massive scale in the future, but in case you have been infected with this ransom virus, we strongly advise you to read this article to learn how to remove it and try to restore your files without paying the 2 BTC demanded by the cyber-criminals behind Dr.Jimbo.

Threat Summary

Name: Dr.Jimbo
Type: Ransomware
Short Description: The ransomware encrypts files with an immensely strong cipher and asks a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible. A text file with ransom instructions is added.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See If Your System Has Been Affected by Dr.Jimbo

Dr.Jimbo – How Does It Infect Users

To complete an infection, Dr.Jimbo Ransomware has to connect to the malicious server of the cyber-criminals. To get onto the machine, it may use a malicious executable dropped by a Trojan.Downloader, which can be disguised as:

  • E-mail attachment.
  • Fake setups of programs.
  • Fake game cracks or key generators.

In addition, other types of attacks may be used, in combination with malicious URLs posted online or in spam messages:

  • Exploit kit attacks.
  • JavaScript attacks.

Dr.Jimbo – More About The Ransomware

After it slips past the defenses of the victim PC, most likely with the help of obfuscation, Dr.Jimbo may create malicious files in some of the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Desktop%
  • %Temp%
  • %User’s Profile%

After creating the malicious files, Dr.Jimbo ransomware may also create registry entries so that one or more of those files run every time Windows starts, and change the wallpaper of the infected computer to one showing a ransom note. Here are the registry keys most likely targeted by Dr.Jimbo:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The encryption routine used by Dr.Jimbo may be borrowed from other ransomware viruses. As soon as it is activated, the ransomware may start scanning the computer for commonly used file types, for example:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV; CAD Files: .DWG .DXF; GIS Files: .GPX .KML .KMZ; .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF; Encoded Files: .HQX .MIM .UUE; .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML; Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA; Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV; 3D: .3DM .3DS .MAX .OBJ; .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

Source: fileinfo.com

Encrypted files are no longer accessible and the file extension .encrypted is added to them. This very file extension has been reported to be seen with other ransomware viruses, like Crypren and Apocalypse viruses.
The encrypted files with such extension added to them may look like the following example:

Important Excel Document.xls.encrypted

The encryption cipher (algorithm) used to encrypt those files may be one of the following:

  • RSA
  • AES
  • XOR

After encryption, the ransomware drops the following file so that the user can see it:

  • How_to_decrypt.txt

The file states the following ransom message:

    Attention!
    All your data was Encrypted!
    If you wanna get it back contact via email:
    Dr.jimbo@bk.ru
    WARNING: If you don’t contact next 48 hours, then all DATA will be damaged unrecoverably!! !

The domain of the malicious e-mail address strongly suggests that there may be Romanian involvement in the development or the usage of this virus to make a profit at the user’s expense. However, it may be a trick by the cyber-criminals to simply mask their real identity.

The demanded payoff amount by Dr.Jimbo ransomware is reported to be in the range of 2 to 3 BitCoins – a hefty sum.

Also, even though it is not confirmed, Dr.Jimbo ransomware may delete the Volume Shadow Copies that hold your backups and File History, using the vssadmin command with one or more of the following parameters:

  • /for= – Specifies the volume whose shadow copies are to be deleted.
  • /oldest – Deletes only the oldest shadow copy.
  • /all – Deletes all shadow copies of a volume, for example C:
  • /shadow={ID} – Deletes the shadow copy with the given ID.
  • /quiet – Runs the command without displaying messages, so it goes unnoticed.

Source: technet.microsoft.com
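The two behaviours described above, an autostart value under a Run/RunOnce key pointing into a user-writable folder, and a vssadmin invocation that deletes shadow copies, are what a defender would want to catch in endpoint telemetry before the ransom note ever appears. The following detection script is an added example written for this article; it is not part of the original post or any real product. It assumes a simplified key=value line format loosely modelled on Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) events, and the sample lines are constructed, not captured from a Dr.Jimbo infection.

```python
import re

# Run / RunOnce autostart keys from the article, in both short and long hive notation.
RUN_KEY_RE = re.compile(
    r'^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\',
    re.IGNORECASE,
)
# Folders the article names as drop locations; legitimate autostart
# entries rarely point there, so a Run value into them is worth an alert.
SUSPICIOUS_DIR_RE = re.compile(r'\\(AppData|Temp|Desktop|Roaming)\\', re.IGNORECASE)
# Switches of "vssadmin delete shadows" listed in the article.
VSSADMIN_SWITCHES = ("/for=", "/oldest", "/all", "/shadow=", "/quiet")

# Constructed sample telemetry (hypothetical host, user and file names).
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\victim\AppData\Roaming\svchost32.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater Details=C:\Users\victim\AppData\Local\Temp\updater.exe',
    r'EventID=13 TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe"',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /for=C: /oldest" ParentImage=C:\Users\victim\Desktop\crack.exe',
]


def parse_event(line):
    """Split a key=value line into a dict; values may be double-quoted."""
    fields = {}
    for key, raw in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = raw.strip('"')
    return fields


def check_shadow_deletion(ev):
    """Flag vssadmin runs that delete shadow copies; 'list shadows' is benign."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith("vssadmin.exe"):
        return None
    if "delete" not in cmd or "shadows" not in cmd:
        return None
    switches = [s for s in VSSADMIN_SWITCHES if s in cmd]
    return {"rule": "shadow_copy_deletion", "switches": switches,
            "parent": ev.get("ParentImage", "")}


def check_run_key_persistence(ev):
    """Flag Run/RunOnce values whose target lives in a user-writable drop folder."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if not RUN_KEY_RE.match(target):
        return None
    if not SUSPICIOUS_DIR_RE.search(details):
        return None
    return {"rule": "run_key_to_user_dir", "key": target, "value": details}


def scan(lines):
    """Run both checks over a list of event lines and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        hit = None
        if event_id == "1":
            hit = check_shadow_deletion(ev)
        elif event_id == "13":
            hit = check_run_key_persistence(ev)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events, the script raises three alerts: two for shadow-copy deletion (one for /all /quiet, one for /for=C: /oldest, each with the parent process recorded so the dropper can be traced) and one for the Run value pointing into %Temp%; the OneDrive entry under Program Files and the harmless "vssadmin list shadows" are ignored. Blocking or alerting on vssadmin delete shadows from a non-administrative parent is one of the cheapest mitigations against this whole class of ransomware.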

Remove Dr.Jimbo Ransomware and Try to Restore Encrypted Files

To delete Dr.Jimbo Ransomware, we suggest you follow the step-by-step instructions provided after this article. Since the ransomware may create different files and various malicious registry entries, experts advise eradicating it automatically with an advanced anti-malware program for maximum effectiveness.

To try and restore your files, direct decryption will not work. You can, however, try some of the methods we have prepared in step “3. Restore Files Encrypted by Dr.Jimbo” below. They are not 100 percent effective, but if you are lucky, haven’t reinstalled Windows, or have backups, you may restore some of your files.

Manually delete Dr.Jimbo from your computer

Note! Important notice about the Dr.Jimbo threat: manual removal of Dr.Jimbo requires interference with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Dr.Jimbo files and objects
2. Find malicious files created by Dr.Jimbo on your PC
3. Fix registry entries created by Dr.Jimbo on your PC

Automatically remove Dr.Jimbo by downloading an advanced anti-malware program

1. Remove Dr.Jimbo with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Dr.Jimbo in the future
3. Restore files encrypted by Dr.Jimbo
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic online-safety education for every user.
