Yet another version of the notorious GlobeImposter ransomware has appeared in the wild. Like the previous .726 and .725 variants, this infection also uses a three-digit number as the extension of the files it encrypts. The main purpose of the .492 file virus is to encrypt the files on the compromised computer and then extort the victims into paying a hefty ransom fee to get the files back. If you are one of the victims of this ransomware, we recommend that you read this article completely to learn how to remove the virus and how to try to get your data back without paying the ransom.
| Name | .492 File Virus |
|---|---|
| Short Description | Encrypts the files on the infected computer and displays a ransom note that aims to extort victims into paying a hefty ransom fee. |
| Symptoms | The virus encrypts the files, adding the .492 file extension, and then drops a ransom note file named here_your_files!.html |
| Distribution Method | Spam e-mails, e-mail attachments, executable files |
How Does the .492 File Virus Infect?
The .492 ransomware is distributed via e-mail. More specifically, the cyber-criminals behind this virus send massive waves of spam e-mails to a pre-configured list of targets. The e-mails pretend to be legitimate payment receipts; instead of a receipt, however, the victim opens the infection file of the .492 ransomware. Here is one reported case of a spam e-mail spreading GlobeImposter ransomware:
Another form of e-mail spam associated with the .492 GlobeImposter variants spreads the malicious file via "blank slate" e-mail spam: the message has no subject and no body text, only the malicious attachment. Malware researchers have observed blank slate e-mail spam spreading the malicious file of the .492 ransomware, which has the following details, as reported on VirusTotal:
.492 File Virus – Activity
The .492 ransomware is the type of malware you do not want infecting your computer. After infection it attacks different aspects of Windows, starting with launching its malicious processes, which grant it control over your computer. Having done this, it may use its administrative privileges to perform a series of malicious activities on your computer.
One such activity is to execute a batch file (.bat) that contains the following commands:
@echo off
vssadmin.exe Delete Shadows /All /Quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib Default.rdp -s -h
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl
These commands heavily modify the Windows Registry with added registry entries in order to automatically execute malicious processes. They also delete the Shadow Volume Copies on your computer so that you are unable to restore your files via this method, and the final for loop is intended to enumerate the Windows event logs with wevtutil and clear them, removing evidence of the infection.
One malicious process is reported to create processes with the CREATE_SUSPENDED flag. Such suspended processes are then replaced with malicious code that has previously been extracted (a technique commonly known as process hollowing).
Once this code has been extracted, the malicious process's job is to execute it without you noticing any of this activity. The malicious process may pretend to be a text file but is actually an executable, so you may recognise it by its double extension, .txt.exe.
The modification performed by this malicious process attacks a significant part of Windows by changing its sleep settings: it alters the Power Options, setting the computer's Sleep setting to "Never" while the .492 ransomware performs its malicious activity.
The .492 GlobeImposter virus has also been configured to hinder malware researchers from analysing it while it is running, by encrypting most of its strings and part of its API (Application Programming Interface) calls. After having "set up the ground" for the damage it is about to do, the .492 ransomware variant begins to encrypt the files on the infected computer.
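The batch commands and the double-extension trick described above are also useful detection material. The following Python script is an added example, not code from the article or from the malware, that runs simple indicator rules over constructed process command lines of the kind a defender pulls from process-creation telemetry during triage. The rule names, the sample command lines and the list of document extensions checked for the .txt.exe pattern are my own assumptions; the rules themselves are derived from the batch file quoted on the page.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample command lines (not from the article): the kind of data a
# defender pulls from process-creation telemetry during triage.
SAMPLE_COMMAND_LINES = [
    "vssadmin.exe Delete Shadows /All /Quiet",
    'reg delete "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers" /f',
    "wevtutil.exe cl Security",
    "attrib Default.rdp -s -h",
    "C:\\Users\\alice\\Downloads\\invoice.txt.exe",
    "vssadmin.exe list shadows",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

# Indicator rules derived from the batch commands quoted in the article.
# Rule names are assumed labels, not any vendor's taxonomy.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_clearing",   re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("rdp_history_wipe",     re.compile(r"\breg(\.exe)?\s+delete\s+.*terminal server client", re.I)),
    ("rdp_file_unhide",      re.compile(r"\battrib\b.*\bdefault\.rdp\b", re.I)),
]

# Document-looking extensions followed by .exe (assumed list; the article only
# names the .txt.exe case).
DOUBLE_EXT = re.compile(r"\.(txt|doc|docx|pdf|jpg|png)\.exe$", re.I)


def classify(cmdline):
    """Return the list of indicator names that match one command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    tokens = cmdline.split()
    # The first token is the image path; check its file name for a double extension.
    image = PureWindowsPath(tokens[0]).name if tokens else ""
    if DOUBLE_EXT.search(image):
        hits.append("double_extension_executable")
    return hits


def triage(cmdlines):
    """Keep only the lines that matched, paired with their indicators."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


def distinct_indicators(cmdlines):
    """Set of indicator categories seen across a whole session.

    Several categories together (shadow deletion plus log clearing plus RDP
    history wiping) is the pattern the batch file on the page produces and is
    a far stronger signal than any single line on its own.
    """
    return {name for c in cmdlines for name in classify(c)}


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(hits):30} {line}")
    print("categories seen:", sorted(distinct_indicators(SAMPLE_COMMAND_LINES)))
```

The single-line rules are deliberately narrow (a plain `vssadmin list shadows` does not fire), and `distinct_indicators` is where the value lies: a session that shows shadow-copy deletion, event-log clearing and RDP history wiping together matches the whole batch file, which is the correlation worth alerting on.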
.492 Ransomware – Encryption Analysis
The encryption process of the .492 file virus is a clever one, as the ransomware encrypts only specific files in specific folders. For starters, the .492 file extension ransomware uses a "white list", that is, an exclusion list of folders in which it skips encrypting data. These are folders important for the proper functioning of the Windows computer after the important files on it have been encrypted. The folders excluded from encryption are the following:
Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.
While those folders are fortunately excluded, the .492 ransomware shows no mercy for audio, video, database, image and other file types. It attacks a total of 170 file extensions, which, as reported by Xiaopeng Zhang at Fortinet, are the following:
.$er .4db .4dd .4d .4mp .abs .abx .accdb .accdc .accde .accdr .accdt .accdw .accft .adn .adp .aft .ahd .alf .ask .awdb .azz .bdb .bib .bnd .bok .btr .cdb .cdb .cdb .ckp .clkw .cma .crd .daconnections .dacpac .dad .dadiagrams .daf .daschema .db .db-shm .db-wa .db2 .db3 .dbc .dbf .dbf .dbk .dbs .dbt .dbv .dbx .dcb .dct .dcx .dd .df1 .dmo .dnc .dp1 .dqy .dsk .dsn .dta .dtsx .dx .eco .ecx .edb .emd .eq .fcd .fdb .fic .fid .fi .fm5 .fmp .fmp12 .fmps .fo .fp3 .fp4 .fp5 .fp7 .fpt .fzb .fzv .gdb .gwi .hdb .his .ib .idc .ihx .itdb .itw .jtx .kdb .lgc .maq .mdb .mdbhtm .mdf .mdn .mdt .mrg .mud .mwb .myd .ndf .ns2 .ns3 .ns4 .nsf .nv2 .nyf .oce .odb .oqy .ora .orx .owc .owg .oyx .p96 .p97 .pan .pdb .pdm .phm .pnz .pth .pwa .qpx .qry .qvd .rctd .rdb .rpd .rsd .sbf .sdb .sdf .spq .sqb .sq .sqlite .sqlite3 .sqlitedb .str .tcx .tdt .te .teacher .tmd .trm .udb .usr .v12 .vdb .vpd .wdb .wmdb .xdb .xld .xlgc .zdb .zdc
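To turn the two lists above into something actionable, here is an added Python example (my own code, not the article's and not the malware's) that reproduces the targeting rules as the article states them: a file is in scope when its extension is on the Fortinet-reported list and none of its parent folders is on the exclusion list. Both lists are copied from the page; the sample inventory is constructed, and the assumption that exclusion is a case-insensitive exact match on a path component is mine, since the article does not say how the folder names are matched. A script like this lets a defender estimate which files on a share would be hit, for backup prioritisation or impact assessment. Note that the published extension list consists almost entirely of database formats.

```python
from pathlib import PureWindowsPath

# Folder names the article lists as skipped by the ransomware (copied from the page).
EXCLUDED_FOLDERS = {name.lower() for name in [
    "Windows", "Microsoft", "Microsoft Help", "Windows App Certification Kit",
    "Windows Defender", "ESET", "COMODO", "Windows NT", "Windows Kits", "Windows Mail",
    "Windows Media Player", "Windows Multimedia Platform", "Windows Phone Kits",
    "Windows Phone Silverlight Kits", "Windows Photo Viewer", "Windows Portable Devices",
    "Windows Sidebar", "WindowsPowerShell", "Temp", "NVIDIA Corporation", "Microsoft.NET",
    "Internet Explorer", "Kaspersky Lab", "McAfee", "Avira", "spytech software", "sysconfig",
    "Avast", "Dr.Web", "Symantec", "Symantec_Client_Security", "system volume information",
    "AVG", "Microsoft Shared", "Common Files", "Outlook Express", "Movie Maker", "Chrome",
    "Mozilla Firefox", "Opera", "YandexBrowser", "ntldr", "Wsus", "ProgramData",
]}

# Extensions reported by Fortinet as targeted (copied from the page; the set
# collapses the duplicates such as .cdb and .dbf).
TARGETED_EXTENSIONS_RAW = """
.$er .4db .4dd .4d .4mp .abs .abx .accdb .accdc .accde .accdr .accdt .accdw .accft .adn .adp
.aft .ahd .alf .ask .awdb .azz .bdb .bib .bnd .bok .btr .cdb .cdb .cdb .ckp .clkw .cma .crd
.daconnections .dacpac .dad .dadiagrams .daf .daschema .db .db-shm .db-wa .db2 .db3 .dbc .dbf
.dbf .dbk .dbs .dbt .dbv .dbx .dcb .dct .dcx .dd .df1 .dmo .dnc .dp1 .dqy .dsk .dsn .dta .dtsx
.dx .eco .ecx .edb .emd .eq .fcd .fdb .fic .fid .fi .fm5 .fmp .fmp12 .fmps .fo .fp3 .fp4 .fp5
.fp7 .fpt .fzb .fzv .gdb .gwi .hdb .his .ib .idc .ihx .itdb .itw .jtx .kdb .lgc .maq .mdb
.mdbhtm .mdf .mdn .mdt .mrg .mud .mwb .myd .ndf .ns2 .ns3 .ns4 .nsf .nv2 .nyf .oce .odb .oqy
.ora .orx .owc .owg .oyx .p96 .p97 .pan .pdb .pdm .phm .pnz .pth .pwa .qpx .qry .qvd .rctd
.rdb .rpd .rsd .sbf .sdb .sdf .spq .sqb .sq .sqlite .sqlite3 .sqlitedb .str .tcx .tdt .te
.teacher .tmd .trm .udb .usr .v12 .vdb .vpd .wdb .wmdb .xdb .xld .xlgc .zdb .zdc
"""
TARGETED_EXTENSIONS = {ext.lower() for ext in TARGETED_EXTENSIONS_RAW.split()}

# Constructed sample inventory (not from the article).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\customers.accdb",
    r"C:\Users\alice\Documents\notes.sqlite",
    r"C:\Windows\Temp\cache.db",
    r"C:\Program Files\Common Files\catalog.mdb",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"D:\backups\erp.mdf",
]


def is_excluded_path(path):
    """True if any parent folder of `path` is on the exclusion list.

    Assumption: folder names are compared case-insensitively and exactly;
    the article does not specify the matching rule the sample uses.
    """
    parts = PureWindowsPath(path).parts[:-1]
    return any(part.lower() in EXCLUDED_FOLDERS for part in parts)


def is_in_scope(path):
    """Would this file be encrypted according to the article's two lists?"""
    p = PureWindowsPath(path)
    return not is_excluded_path(path) and p.suffix.lower() in TARGETED_EXTENSIONS


def assess(paths):
    """Split an inventory into files that would be encrypted and files skipped."""
    result = {"in_scope": [], "skipped": []}
    for path in paths:
        result["in_scope" if is_in_scope(path) else "skipped"].append(path)
    return result


if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY)
    print(f"{len(TARGETED_EXTENSIONS)} distinct extensions, {len(EXCLUDED_FOLDERS)} excluded folders")
    for path in report["in_scope"]:
        print("WOULD BE ENCRYPTED:", path)
    for path in report["skipped"]:
        print("skipped:           ", path)
```

Fed a real file listing instead of the constructed inventory, `assess` gives a quick count of the database files a variant with these lists would reach, which is exactly the set that deserves offline backups before any removal work starts.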
After the encryption process has completed, the ransomware does not forget to change the files' extensions to its own, making them appear like the following:
The .492 ransomware also does not forget to drop its extortion ransom note, named here_your_files!.html:
How to Remove .492 Virus and Recover Files
Before beginning to remove this ransomware from your computer, we suggest backing up your encrypted files first.
After backing up all your files, you can proceed with the removal of the .492 ransomware by following the removal instructions below. If the manual instructions prove difficult, the best method to remove .492 ransomware fully, according to experts in the field, is to use ransomware-specific anti-malware software. It will ensure a full and safe removal and protect your computer in the future as well.
If you want to restore files that have the .492 file extension, we recommend trying the alternative methods and tools suggested in step "2. Restore files encrypted by .492 File Virus" below. They may not have a 100% success rate, but they will help you restore as many files as possible.