Remove Files1147@gmail(.)com, .breaking_bad

Another variant of the Shade Trojan ransomware has appeared lately and bears the name Files1147@gmail(.)com. That is the email address provided by the cybercriminals, to which the ransom money is to be sent. The ransomware encrypts files and appends a .breaking_bad file extension to them. Earlier variants have been given the names Trojan-Ransom.Win32.Shade and Ransom:Win32/Troldesh. It uses the same warning message as its previous variants.


Name: Files1147@gmail(.)com
Type: Ransomware, Trojan
Short Description: This ransomware is a newer variant of the Shade ransomware family.
Symptoms: The ransomware encrypts files and adds a .breaking_bad extension to them. It uses a Gmail account as the contact through which the ransom money is to be received.
Distribution Method: Exploit kits, spam emails.

Files1147@gmail(.)com Distribution Ways

Exploit Kits

One way the Files1147@gmail(.)com ransomware is distributed is through exploit kits, mainly the Nuclear EK. Just visiting a site with an exploit kit injected into it is enough for your computer to get infected. Cyber crooks can put malicious code inside legitimate as well as non-legitimate websites. That code exploits a vulnerability in the browser or in its extensions and add-ons. Once a vulnerability is exploited, the ransomware is silently installed on the computer. In almost all cases you will be unaware that it even happened.

Spam Emails

Another way this ransomware is distributed is via spam emails. You receive a short email with a malware file attached; opening the attachment runs the malware. The Files1147@gmail(.)com ransomware has been reusing the attachment names of its previous variants, namely these:

  • doc_dlea podpisi.com
  • doc_dlea podpisi.rar
  • documenti_589965465_documenti.com
  • documenti_589965465_documenti.rar
  • documenti_589965465_doc.scr
  • doc_dlea podpisi.rar
  • неподтвержден 308853.scr
  • documenti dlea podpisi 05.08.2015.scr.exe
  • akt sverki za 17082015.scr

Be aware, though, that the file names can vary, so that they can trick you.
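The lure names above share a few traits that a mail gateway or a triage script can check for: an extension Windows executes directly (.com, .scr, .exe), a second extension hidden before it (.scr.exe), and a document-themed name. The following added example, which is not code from the original article, flags attachment names on exactly those traits; the extension sets and the Russian keywords are my own choices, and the attachment list is constructed from the names given in the article.

```python
# Extensions Windows executes directly; the Shade lures listed above use
# .com, .scr and a double extension ".scr.exe" to pass as documents.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Document-themed words the lures borrow (Russian "documents for signing",
# "reconciliation act", "unconfirmed"); extend for your own environment.
DOC_WORDS = ("doc", "documenti", "podpisi", "akt", "sverki", "неподтвержден")

def classify_attachment(name: str) -> list:
    """Return the reasons an attachment name looks like a ransomware lure
    (an empty list means nothing was flagged)."""
    reasons = []
    stem, *exts = name.lower().strip().split(".")
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
    if len(exts) >= 2 and exts[-2] in EXECUTABLE_EXTS:
        reasons.append("double extension ." + ".".join(exts[-2:]))
    if final in ARCHIVE_EXTS:
        reasons.append(f"archive .{final}: inspect members with the same rules")
    if any(w in stem for w in DOC_WORDS) and final in EXECUTABLE_EXTS:
        reasons.append("document-themed name carrying an executable")
    return reasons

def triage(names) -> dict:
    """Map each attachment name to its reasons, keeping only flagged ones."""
    return {n: r for n in names if (r := classify_attachment(n))}

# Constructed sample: the lure names from the article plus one benign file.
SAMPLE_ATTACHMENTS = [
    "doc_dlea podpisi.com", "doc_dlea podpisi.rar",
    "documenti_589965465_doc.scr", "неподтвержден 308853.scr",
    "documenti dlea podpisi 05.08.2015.scr.exe", "akt sverki za 17082015.scr",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```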

Files1147@gmail(.)com Technical Details

The Files1147@gmail(.)com ransomware seems to behave very similarly to its other known variants. The first Shade ransomware variant is labeled Trojan-Ransom.Win32.Shade by some researchers and Ransom:Win32/Troldesh by others.

Once the ransomware is on a compromised computer, it connects to a remote command & control (C&C) server in the Tor network. From there, it notifies the server and requests an RSA-3072 algorithm key so it can use it to encrypt files. Encrypted files have the extension .breaking_bad. However, if the connection is unsuccessful, the Files1147@gmail(.)com ransomware will choose 1 of 100 keys, stored within its code.

When the process is complete, files with the following extensions will be encrypted:

.3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip

After the files are encrypted, the following message will be left as a desktop image:

All the important files on your computer were encrypted.
The details can be found in README.txt files
which you can find on any of your disks.

The ransom request is left in 10 README.txt documents. All of them contain the same text, in Russian and in English, as in the following example:

Ваши файлы были зашифрованы.
Чтобы расшифровать их, Вам необходимо отправить код:
667EBB7E9D12BE9C733C|0
на электронный адрес files1147@gmail.com .
Далее вы получите все необходимые инструкции.
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
667EBB7E9D12BE9C733C|0
to e-mail address files1147@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
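When triaging a machine that shows the desktop message above, the artefacts worth collecting are the .breaking_bad files (and what they were before encryption), the README.txt copies, and the code and contact address inside them. The following added example, which is not part of the original article, walks a directory tree and gathers exactly that; it assumes, as the text says, that the extension is appended to the original file name, and the sample tree it builds is constructed data reusing the note quoted above.

```python
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".breaking_bad"
NOTE_NAME = "README.txt"
# Decryption code as it appears in the note above: hex blob, a pipe, a digit.
CODE_RE = re.compile(r"\b([0-9A-F]{16,})\|(\d+)\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

# Constructed note text, reusing the English message quoted in the article.
SAMPLE_NOTE = ("All the important files on your computer were encrypted.\n"
               "To decrypt the files you should send the following code:\n"
               "667EBB7E9D12BE9C733C|0\n"
               "to e-mail address files1147@gmail.com .\n")

def build_sample_tree() -> str:
    """Create a throwaway directory imitating a hit machine (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="shade_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.docx.breaking_bad").write_bytes(b"\x00" * 64)
    (docs / "photo.jpg.breaking_bad").write_bytes(b"\x00" * 64)
    (docs / "untouched.txt").write_text("still readable\n")
    for note in (root / NOTE_NAME, docs / NOTE_NAME):  # note dropped in every folder
        note.write_text(SAMPLE_NOTE)
    return str(root)

def scan_for_shade(root: str) -> dict:
    """Walk root and collect the .breaking_bad artefacts needed for triage."""
    result = {"encrypted": [], "original_exts": {}, "notes": [],
              "ransom_codes": set(), "contact_emails": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(ENCRYPTED_EXT):
            result["encrypted"].append(str(path))
            # extension the file had before encryption (assumes the name was kept)
            orig = Path(path.name[: -len(ENCRYPTED_EXT)]).suffix.lower()
            result["original_exts"][orig] = result["original_exts"].get(orig, 0) + 1
        elif path.name == NOTE_NAME:
            text = path.read_text(errors="replace")
            codes = {f"{h}|{d}" for h, d in CODE_RE.findall(text)}
            if codes:  # a README.txt without a code is not a ransom note
                result["notes"].append(str(path))
                result["ransom_codes"] |= codes
                result["contact_emails"] |= set(EMAIL_RE.findall(text))
    return result
```

Calling scan_for_shade(build_sample_tree()) on the constructed tree reports two encrypted files (.docx and .jpg), two notes, the single code and the single contact address.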

Important!

It is essential to note that the attacks of Files1147@gmail(.)com don't stop here. Its process creates an infinite loop of malware infections: it contacts the C&C server and obtains a list of malicious URLs to download from. This behaviour is commonly referred to as a download bot.

According to malware researchers, malware of the following families is frequently downloaded:

  • Trojan.Win32.CMSBrute
  • Trojan.Win32.Miuref
  • Trojan.Win32.Kovter
  • Trojan-Downloader.Win32.Zemot

Judging by the extension and that it is working in collaboration with other malware, it can be assumed it also works together with the Los Pollos Hermanos ransomware.

Files1147@gmail(.)com Removal

If you have been infected by the Files1147@gmail(.)com ransomware, you should have at least some experience in removing viruses. The Trojan is made to download malware of different families, so it is highly recommended that you carefully follow the instructions provided below:

1. Boot Your PC In Safe Mode to isolate and remove Files1147@gmail(.)com
2. Remove Files1147@gmail(.)com with SpyHunter Anti-Malware Tool
3. Remove Files1147@gmail(.)com with Malwarebytes Anti-Malware.
4. Remove Files1147@gmail(.)com with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Files1147@gmail(.)com in the future
NOTE! Important notice about the Files1147@gmail(.)com threat: manual removal of Files1147@gmail(.)com requires interfering with system files and registry entries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
