Remove RemindMe Ransomware and Restore .Remind Encrypted Files

Affected users have reported on security forums a new ransomware that encodes the files on infected computers with an impenetrable encryption algorithm. This devastating malware is called RemindMe ransomware, and it appends the .remind extension to the encoded files. All users whose computers have been infected with the ransomware are strongly advised not to pay the 2 BTC (around 800 USD) ransom that the cyber-criminals demand in their ransom message, and instead to wait for an alternative or try the alternative instructions at the end of this article.

Name: RemindMe
Type: Ransomware
Short Description: Encrypts the files on the infected user's PC and asks for approximately 2 BTC to decrypt them.
Symptoms: The user's files are encrypted and carry the .remind file extension.
Distribution Method: Via malicious URLs, exploit kits, trojans and malicious macros.
Detection Tool: Download a malware removal tool to see if your system has been affected by RemindMe.
User Experience: Join our forum to discuss RemindMe.

[Image: RemindMe ransom note]

RemindMe Ransomware – How Is It Spread

So far, little is known about how RemindMe ransomware spreads, but researchers believe that it takes advantage of careless users. The ransomware may use malicious URLs or files which it may advertise via:

The infected documents are usually Microsoft Office or Adobe .pdf documents containing malicious macros, exploit kits or other scripts written to drop the malicious RemindMe .exe onto the user's PC.

RemindMe Ransomware In Detail

In its initial stage, the RemindMe ransomware may drop one or more files of the following file formats:

→ .exe; .dll; .tmp; .vbs; .bat; .cmd

The dropped files may have different names, and they are usually located in the Windows key folders that are most frequently targeted by malware:

[Image: commonly used file names and folders]

After the malicious files have been dropped onto the infected computer, the ransomware may run an elevated-privilege command in the Windows command prompt that erases the shadow volume copies and backups of the infected computer. The command is as follows:

→ vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]

The ransomware may perform other activities, such as setting its file-encrypting executable or its ransom note files to run every time Windows starts by adding values to the following registry subkey:

→ “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”

After modifying these settings, the ransomware may execute a "call" script which launches the executable that scans for the files to encrypt. The file types that RemindMe ransomware is likely to encrypt are the most frequently used ones.
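The shadow-copy deletion and the Run-key persistence described above are the two most visible traces this stage leaves in endpoint telemetry. The following detection logic, an added example that is not part of the original article, runs over a few constructed Sysmon-style event records (event ID 1 for process creation, event ID 13 for registry value set) and flags both behaviours; the field names and the "user-writable path" heuristic are assumptions made for the demo.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed Sysmon-style events for the demo; not captured from a real RemindMe infection.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                       # benign: listing only
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\Public\svchost.exe"},                     # Run value -> user-writable path
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign installer
]

# "vssadmin delete shadows" with any of the switches the article lists (/all, /oldest, /shadow=...).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Values written under the Run subkey the article names (HKLM or HKCU).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumption for the demo: Run values pointing into user-writable locations are suspicious;
# values under Program Files are left alone to keep the false-positive rate manageable.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def classify(event: Dict) -> Optional[str]:
    """Return an alert label for one event, or None if the event looks benign."""
    if event.get("EventID") == 1 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return "shadow-copy-deletion"
    if event.get("EventID") == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        if USER_WRITABLE.match(event.get("Details", "")):
            return "run-key-persistence"
    return None


def scan(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Run classify() over an event stream; returns (label, offending value) pairs in order."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append((label, ev.get("CommandLine") or ev.get("Details", "")))
    return alerts


if __name__ == "__main__":
    for label, detail in scan(SAMPLE_EVENTS):
        print(f"{label}: {detail}")
```

Either alert on its own warrants isolating the host, since shadow-copy deletion in particular almost always precedes the encryption run.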

The algorithms that may be used by this ransomware may vary, but the strongest and most often used ones are:

  • the RSA cipher
  • the AES cipher

After encrypting the files, RemindMe ransomware appends the .Remind file extension to the files, for example:

  • New Text Document.txt.remind

After encrypting the data, the ransomware leaves a ransom message, also known as a ransom note. The files that are reported by infected users are:

  • decypt_your_files.html
  • decypt_your_files

The ransom message by RemindMe is as follows:

→ “All your files have been encrypted with RemindMe Ransomware
Your unique GUID for decrypt:{custom identificator}
Send me some 2 bitcoin on addres: {cyberciminal’s payment account details}
After confirming the payment, all your files can be decrypted.
I you do not make payment within 5 days, you will lose the ability to decrypt them AND ALL YOUR FILES HAVE BEEN DELETED.
Make your Bitcoin Wallet on: {links to BitCoin wallet services}
How to buy/sell and send Bitcoin:
{links to support.coinbase.com instructions}
After the payment, send the wallet from which paid and your uniq ID to mail: unrasom@me.com {cyber criminals’ email}
After receiving the payment, we will contact and give you decryption tools and faq how to decrypt your files.”

Judging by the ransom message, this malware is most likely similar to most ransomware variants, with the only difference that it demands significantly more money (2 BTC) to decrypt the data. The malware is also poorly written, which suggests it may be used as part of a RaaS (Ransomware as a Service) scheme. Such schemes sell ransomware variants to absolutely anyone for a couple of hundred dollars and allow the cyber-crooks to customize the ransom note, algorithm and extension.

Remove RemindMe Ransomware and Restore the Encrypted Files

To clean your computer from this devastating malware, we strongly advise you to consider several key factors:

  • Backing up the encrypted files before removing the ransomware.
  • Trying to negotiate for free decryption of 1 or more files via email with the cyber-criminals.
  • Removing the ransomware with an anti-malware tool without having to reinstall Windows and format the drive, so that you can try and use data recovery software or other alternatives to restore your files.
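The first factor above, preserving the encrypted files before removal, is easy to get wrong by hand once hundreds of files are involved. This script, an added example that is not part of the original article, walks a directory tree, inventories files carrying the .remind extension together with the ransom note files named earlier (decypt_your_files.html and decypt_your_files), copies them to an evidence folder with their layout and timestamps intact, and recovers the original file names; the sample tree it builds in a temporary directory is constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

ENCRYPTED_EXT = ".remind"
# Ransom-note file names as reported in the article (the misspelling is the malware's own).
NOTE_NAMES = {"decypt_your_files.html", "decypt_your_files"}


def inventory(root: Path) -> Dict[str, List[Path]]:
    """Sort every file under root into encrypted files and ransom notes; other files are ignored."""
    found: Dict[str, List[Path]] = {"encrypted": [], "notes": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() == ENCRYPTED_EXT:
            found["encrypted"].append(p)
        elif p.name.lower() in NOTE_NAMES:
            found["notes"].append(p)
    return found


def original_name(encrypted: Path) -> str:
    """'New Text Document.txt.remind' -> 'New Text Document.txt' (the appended extension is stripped)."""
    return encrypted.name[:-len(ENCRYPTED_EXT)]


def preserve(root: Path, dest: Path) -> int:
    """Copy encrypted files and notes into dest, keeping the tree layout; returns the copy count."""
    inv = inventory(root)
    copied = 0
    for p in inv["encrypted"] + inv["notes"]:
        target = dest / p.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)  # copy2 keeps timestamps, which matter for the incident timeline
        copied += 1
    return copied


def run_demo() -> Dict[str, object]:
    """Build a constructed sample tree in a temp dir (not a real infection) and preserve it."""
    base = Path(tempfile.mkdtemp())
    docs = base / "victim" / "Documents"
    docs.mkdir(parents=True)
    (docs / "New Text Document.txt.remind").write_bytes(b"\x00ciphertext")
    (docs / "decypt_your_files.html").write_text("<html>ransom note</html>")
    (docs / "untouched.txt").write_text("plain")  # must not be touched by the triage
    copied = preserve(base / "victim", base / "evidence")
    inv = inventory(base / "victim")
    return {"copied": copied,
            "originals": [original_name(p) for p in inv["encrypted"]],
            "notes": [p.name for p in inv["notes"]],
            "note_preserved": (base / "evidence" / "Documents" / "decypt_your_files.html").is_file()}


if __name__ == "__main__":
    print(run_demo())
```

Point preserve() at the user profile and an external drive in a real case; the copies are what a future decryptor (or a data-recovery attempt) will be run against once the ransomware itself has been removed.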

We have created removal instructions below to help you remove RemindMe effectively, and we recommend following them methodically.

Regarding the decryption of the data, at this point there is no successful solution, since RemindMe is a relatively new ransomware strain and its encryption cipher has not yet been identified. We will post an update as soon as there is news on this malware, so make sure to follow our forum for solutions. In the meantime, we also recommend following the alternative methods from step number "4. Restore Files Encrypted by RemindMe" to attempt recovering at least a portion of the data.

1. Boot Your PC In Safe Mode to isolate and remove RemindMe
2. Remove RemindMe with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by RemindMe in the future
4. Restore files encrypted by RemindMe
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the RemindMe threat: manual removal of RemindMe requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
