A new ransomware is infecting computers around the Web. Its name is Trun, and it adds an extension with the same name to files after encrypting them.
The ransomware aims to encrypt files with widely-used extensions. To remove it and see if you can decrypt your files, you should carefully read the whole article.
| Short Description | The ransomware encrypts files with an RSA algorithm and asks for a ransom to be paid for decrypting them. |
| Symptoms | Files are encrypted and cannot be accessed. A file with instructions for paying the ransom appears. |
| Distribution Method | Spam Emails, Email Attachments, File Sharing Networks |
Trun Ransomware – Delivery
The Trun ransomware uses a few delivery methods to infect computers. One of them is spam email carrying malicious files as attachments. Opening such an attachment lets the malware onto the computer. Malicious code may also be hidden in the body of the email, so simply opening such an email can infect you, even without opening an attachment.
Other delivery methods are via social networks and file sharing services, which may have the same attachments and files containing the Trun ransomware. It might be disguised as useful software, a needed update or something of the sort. Visiting unknown sites and redirects may lead to the malware infection as well.
Trun Ransomware – Technical Information
Trun is classified by researchers as ransomware. It is detected by some anti-malware programs as BAT/Agent.435. Once your computer is infected, the ransomware performs some preparation before starting the encryption process. A Trojan horse places the following files on your computer:
- three .cmd files
- a .js file
- 4077430c_trun.KEY file
- trun.KEY file
- CONFIRMATION.KEY file
- trun.txt file
The Trojan may also set an entry in the Windows Registry to start automatically with every boot of Windows. This is the location where such an entry is usually set:
Trun spreads copies of the text file containing instructions for paying the ransom. The email address left for contacting the cyber-criminals is firstname.lastname@example.org. Contacting them to pay for a possible decryption of your files is not advised for a number of reasons. There is no certainty that your files will be decrypted, or that the key will even be sent to you after payment. Also, if you pay ransomware creators, they will only come back with a worse version of the malware and stronger encryption.
Next, Trun ransomware is known to search for and encrypt files with these extensions:
→ .doc, .txt, .xls, .xlsx, .xml, .docx, .html, .jpg, .js, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .sql
This is not a full list, as other file extensions may be encrypted as well. The ransomware sets the file extension of all encrypted files to .trun, hence the name Trun. According to its own instruction note, the encryption algorithm it uses is RSA.
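A read-only triage check for the indicators above, added here as an example and not taken from the original article or from any vendor tool: it walks a directory tree, flags the dropped file names listed earlier, and tallies `.trun` files by their original extension to show what was hit. The variable prefix on `_trun.KEY`, the assumption that `.trun` is appended to the original file name, and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# File names from the article's list of files dropped by the Trojan.
DROPPED_NAMES = {"trun.key", "confirmation.key", "trun.txt"}
# The article lists "4077430c_trun.KEY"; treating the prefix as variable is an assumption.
PREFIXED_KEY = re.compile(r"^[0-9a-z]+_trun\.key$")
ENCRYPTED_EXT = ".trun"

def scan_for_trun(root):
    """Walk root; return dropped artifacts, encrypted files and their original extensions."""
    artifacts, encrypted, original_exts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            path = os.path.join(dirpath, name)
            if lower in DROPPED_NAMES or PREFIXED_KEY.match(lower):
                artifacts.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # "report.docx.trun" -> ".docx"; a bare "report.trun" -> "(none)"
                inner = os.path.splitext(lower[: -len(ENCRYPTED_EXT)])[1]
                original_exts[inner or "(none)"] += 1
    return {"artifacts": sorted(artifacts), "encrypted": sorted(encrypted),
            "original_exts": original_exts}

def build_sample_tree(root):
    """Constructed sample data: empty files named like the article's indicators."""
    names = ["Docs/report.docx.trun", "Docs/budget.xlsx.trun", "Docs/trun.txt",
             "Docs/notes.txt", "Pics/photo.jpg.trun", "Pics/trun.txt",
             "Temp/trun.KEY", "Temp/CONFIRMATION.KEY", "Temp/4077430c_trun.KEY",
             "Temp/archive.trun"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_for_trun(tmp)
        print(len(result["artifacts"]), "dropped artifacts;",
              len(result["encrypted"]), "encrypted files")
        for ext, count in result["original_exts"].most_common():
            print(f"  {ext}: {count}")
```

Point `scan_for_trun` at a user profile or a mounted file share to size the damage before deciding what to restore from backup; it only reads directory listings and never opens or modifies files.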
The Trun ransomware is of Russian origin, but it has hit users around the world.
At this moment, it is unknown if Shadow Volume Copies are deleted from the Windows operating system, but it is highly likely. Thus, after removing the ransomware, you should see the 4th section of the instructions written below for a few ways in which you can try restoring your files.
Remove Trun Ransomware and Restore .trun Encrypted Files
If you have been infected by Trun, you should have at least a little experience in removing malware. This ransomware can lock your files irreparably, so it is highly recommended that you act fast and follow the step-by-step guide provided below: