.Weencedufiles Virus (Remove and Decrypt Data)

This article is written to help you remove the .weencedufiles virus and repair the damage it has done to your PC.

The SamSam ransomware has appeared in yet another iteration, this time dropping a READ-READ-READ.html ransom note and appending the .weencedufiles extension to every file it has finished encrypting. The infection exists to extort money from its victims in exchange for access to files it has rendered unopenable. If you have been infected by the .weencedufiles virus, we recommend reading the material below, which explains how to remove it and how to try to get your files back.

Threat Summary

Name: .weencedufiles File Virus
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA cipher and demands a ransom payment in BTC for decryption.
Symptoms: Files are encrypted with RSA and become inaccessible, with the .weencedufiles extension added to their names. A ransom note with payment instructions appears as the file 000-PLEASE-READ-READ.html.
Distribution Method: Spam emails, email attachments, file sharing networks.

.Weencedufiles Virus – More Information

This SamSam iteration belongs to the file-encrypting kind of ransomware: it is reported to use the RSA algorithm to make the files on your computer unopenable.

.Weencedufiles Virus – How Did I Get Infected

This particular version of SamSam does not differ much from the other versions of the malware, and it uses the same range of tactics to infect its targets. A tactic often reported is remote infection from an attacker-controlled server hosted at an unknown location. Some operators first probe the defenses of the computers they are about to compromise, much as a penetration tester would, before deploying the payload. Tooling of this kind lets them carry out the infection remotely and conceal the malicious files from conventional anti-virus software.

.Weencedufiles SamSam Version – More Information

Like the other SamSam(http://sensorstechforum.com/new-samsam-ransomware-remove-restore-vforvendetta-files/) iterations, this version carries out the activities built into its code. One reported component is PsExec, the Sysinternals remote-execution tool. After the initial foothold it is used to start programs on other machines remotely, much as the remote-control part of a Trojan horse does. The tool is contained in a file that is dropped on the infected computers and is started automatically.

The .Weencedufiles virus does not end its Trojan activity there. The ransomware may also use a separate Trojan that has been detected alongside similar malware, the Samas trojan.

After infection, an executable file is downloaded and saved on the compromised computer. This malicious file aims to eradicate the Volume Shadow Copies and destroy other backups by running the following command:

→ vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]
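The two behaviours described above, shadow-copy deletion with vssadmin and remote execution through PsExec, are both visible in process-creation telemetry. The following is an added detection example written for this article, not code from SamSam or from SensorsTechForum. The log lines are constructed for the example, and their simple host|parent|image|commandline layout is an assumption standing in for the corresponding Sysmon Event ID 1 or Security 4688 fields. One point the text does not spell out: PsExec installs its service binary PSEXESVC.exe on the target and starts it under services.exe, so the service on the target and the client on the source host can be detected separately, while routine "vssadmin list shadows" must not fire.

```python
"""Detect vssadmin shadow-copy deletion and PsExec activity in
process-creation events (added example; log lines are constructed)."""
import re
from dataclasses import dataclass

# Constructed sample events, not captured from a real incident.
# Layout (assumption): host|parent image|image|command line
SAMPLE_EVENTS = [
    "FS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt",
    "FS01|C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=C: /all /quiet",
    "FS01|C:\\Windows\\System32\\services.exe|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe",
    "WS07|C:\\Windows\\System32\\cmd.exe|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS01 -s cmd /c C:\\Windows\\Temp\\enc.exe",
    "WS07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
]


@dataclass
class Event:
    host: str
    parent: str
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str


# "vssadmin delete shadows" with or without the .exe suffix and any switches.
# "vssadmin list shadows" is routine administration and must not match.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
# PsExec drops and starts its service binary PSEXESVC.exe on the target.
PSEXEC_SERVICE = re.compile(r"\\PSEXESVC\.exe$", re.I)
# The PsExec client (psexec.exe / psexec64.exe) running on the source host.
PSEXEC_CLIENT = re.compile(r"(?:^|\\)psexec(?:64)?\.exe$", re.I)


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event line into its four fields."""
    host, parent, image, command_line = line.split("|", 3)
    return Event(host, parent, image, command_line)


def classify(event: Event) -> list[str]:
    """Return the names of every rule the event triggers (may be empty)."""
    rules = []
    if VSSADMIN_DELETE.search(event.command_line):
        rules.append("shadow-copy-deletion")
    if PSEXEC_SERVICE.search(event.image):
        rules.append("psexec-service-on-target")
    if PSEXEC_CLIENT.search(event.image):
        rules.append("psexec-client-on-source")
    return rules


def scan(lines: list[str]) -> list[Finding]:
    """Run every rule over every event and collect the hits in order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in classify(event):
            findings.append(Finding(event.host, rule, event.command_line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.command_line}")
```

Run against the constructed events, the script reports the deletion on FS01 (launched from a Temp-directory parent, itself a warning sign), the PSEXESVC service on FS01 and the PsExec client on WS07, and stays silent on notepad and on "vssadmin list shadows". In a real deployment the same three rules map directly onto Sysmon or EDR queries; the parent-process field is worth adding to the alert, since vssadmin started by anything other than an administrator's shell is rarely legitimate.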

After its preparation is complete, SamSam proceeds to encrypt commonly used files. The targeted file types may vary, but they are most likely among the following extensions (generic list, source: fileinfo.com, given here in the order the page lists them):

→ .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
→ CAD files: .DWG .DXF
→ GIS files: .GPX .KML .KMZ
→ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
→ Encoded files: .HQX .MIM .UUE
→ .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
→ Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
→ Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
→ 3D: .3DM .3DS .MAX .OBJ
→ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG

After locating the target files, the ransomware overwrites their contents with the encrypted output. The cipher is believed to be RSA-2048, a public-key algorithm: the private key needed for decryption is held only by the attackers, so recovering the data by breaking the encryption itself is not feasible.

If you have been hit by this version of the .weencedufiles virus, encrypted files keep their original name with the extra extension appended, so that a file such as report.docx becomes report.docx.weencedufiles.

To make sure the victim is aware of its presence and of its demands, the ransomware also drops an .html ransom note named "READ-READ-READ". It asks for a payment, most likely in BTC, to the cyber-criminals in exchange for unlocking your files. Paying is not advisable under any circumstances.

SamSam .Weencedufiles Virus – Remove and Try Getting Back The Files

To repair the damage done by this ransomware, start by backing up the encrypted files. Then follow the malware removal steps below. If manual removal is too difficult for you, or you are not confident that you have removed the .Weencedufiles virus completely, experts always advise using an advanced anti-malware program to handle the removal fully and automatically.

After removing .Weencedufiles ransomware, you can try the alternative decryption tools posted below at step "2. Restore files encrypted by .Weencedufiles file virus". They are in no way guaranteed to work, but they may help you recover at least some of the files you most need.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
