The article will aid you remove the .Asasin File Virus in full. Follow the ransomware removal instructions given at the end of this article.
.Asasin File Virus is Locky’s latest ransomware iteration which appends the .Asasin extension to all encrypted files. Your computer system can become infected resulting from you opening an email attachment that contains a malicious link which loads automatically upon opening the attached file. Apparently, the changes in this version of the virus are in its email invoice messages, payload domains and variations in the payment price. Continue to read and check if you can potentially restore your files below.
|Name||.Asasin File Virus|
|Short Description||The .Asasin file virus is the latest spreading variant of Locky ransomware. The cryptovirus has minor changes in its email invoices and payload domains and payment price.|
|Symptoms||Your files get encrypted and receive the .asasin extension appended to their names. You see a ransom note with instructions which states that the encryption which is used is both AES and RSA.|
|Distribution Method||Phishing Email Campaigns with File Attachments, Malicious Domains|
See If Your System Has Been Affected by .Asasin File Virus
Malware Removal Tool
|User Experience||Join Our Forum to Discuss .Asasin File Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.Asasin File Virus – Distribution Techniques
The main variant of the .Asasin File Virus propagates itself via e-mail spam campaigns. The e-mail has a subject that reads “Document invoice_21637_sign_and_return.pdf is complete”. Inside there is a .7z or a .7zip attached file which is not properly added to the email and seen as a base64 code, so most people would see it as a text and won’t even know that it is an attachment. If the malware authors fix it, you will be able to see and open it, thus loading a VBS script in that way. The script will download the virus payload from a malicious domain. Your computer machine gets infected in a matter of seconds, getting your files encrypted. The text of the e-mail message should be the following if it loads correctly:
This document has been signed and is now complete.
In the near future you can expect similar e-mails to appear.
Below you can see the new payload domains spreading this version of the ransomware:
Notice! The above list with domains is for purely informational purposes and it is strongly advised against the opening of any of them, because they will download the virus onto your computer.
Refrain from opening any file from the Internet directly. You should always perform a scan with a security application first. You can read the tips for ransomware prevention in our forum to inform yourself more about the prevention tactics you can use and some methods to fight back ransomware threats.
.Asasin File Virus – Technical Information
The .Asasin File Virus is the newest Locky ransomware variant. The extension .Asasin is placed to all encrypted files. This version of the notorious cryptovirus has been spreading through the Necurs Botnet.
The Locky ransomware also makes entries in the Windows Registry to achieve a higher level of persistence. Registry entries of that caliber are typically designed to start the virus automatically with every launch of the Windows Operating System or even repress and tamper with processes.
The message with the ransom payment instructions appears to have only minor changes, leaving the core of the ransom message intact for the most part and is stored inside two files called “asasin”. Those files are with a .bmp and a .htm extensions. You can preview the image that replaces your Desktop background from down below:
The ransom message reads the following:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/downIoad/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: g46mbrrzpfszonuk.onion
4. Follow the instructions on the site.
!!! Your personal identification ID: !!!
You can preview the .htm version of that note in the picture down here:
Here is how the TOR payment page looks like:
Here is what it says on the TOR payment page:
We present a special software – Locky Decryptor™ –
which allows to decrypt and return control to all your encrypted files.
How to buy Locky Decryptor™?
You can make a payment with BitCoins, there are many methods to get them.
You should register BitCoin wallet:
Simplest online wallet or Some other methods of creating wallet
Purchasing Bitcoins, although it’s not yet easy to buy bitcoins, it’s getting simpler every day.
Here are our recommendations:
localbitcoins.com (WU) Buy Bitcoins with Western Union.
coincafe.com Recommended for fast, simple service.
Payment Methods: Western Union, Bank of America, Cash by FedEx, Moneygram, Money Order. In NYC: Bitcoin ATM, in person.
localbitcoins.com Service allows you to search for people in your community willing to sell bitcoins to you directly.
cex.io Buy Bitcoins with VISA/MASTERCARD or wire transfer.
btcdirect.eu The best for Europe.
bitquick.co Buy Bitcoins instantly for cash.
howtobuybitcoins.info An international directory of bitcoin exchanges.
cashintocoins.com Bitcoin for cash.
coinjar.com CoinJar allows direct bitcoin purchases on their site.
Send 0.25 BTC to Bitcoin address:
Note: Payment pending up to 30 mins or more for transaction confirmation, please be patient…
Date Amount BTC Transaction ID Confirmations
Refresh the page and download decryptor.
When Bitcoin transactions will receive one confirmation, you will be redirected to the page for downloading the decryptor.
The TOR payment page shows above reveals that the .Asasin file virus demands 0.25 Bitcoin as payment, which equals to 1.200 US dollars at the moment of writing. However, you should NOT under any circumstances pay anything to these cybercriminals. Nobody can guarantee that you will recover your data upon paying, or that you won’t get your files infected again in the near future. Adding to that, giving money to cybercriminals could be interpreted as supporting them financially, and could also motivate them to keep creating more ransomware viruses. Apparently, the latter is true as new variants of Locky ransomware keep showing up.
.Asasin File Virus – Encryption Process
The .Asasin File Virus appends the .Asasin extension to all encrypted files. As malware researchers have confirmed that it is indeed a new variant of the Locky Ransomware, it is most likely seeking to encrypt files with extensions such as its previous versions:
→.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aac, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .asc, .asf, .asm, .asp, .aspx, .asset, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmd, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db3, .db_journal, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .forge, .fpx, .frm, .fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hpp, .html, .hwp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lay6, .lbf, .ldf, .lit, .litemod, .litesql, .log, .ltx, .lua, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11, .msg, .myd, .n64, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda, .sdf, .sh, .sldm, .sldx, .slk, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .txt, .uop, .uot, .upk, .vb, .vbox, .vbs, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .wab, .wad, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlc, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip
The encryption algorithm that is claimed to be used by Locky in all of its ransom notes is RSA-2048 with AES 128-bit ciphers. A file will be renamed and receive the new extension and its name will be something like 42W8TZ2K-98PW-YG37-U2F2DS8V-KOA3A226UIX1.asasin. The length will always be the same, due to how the cryptovirus has been coded.
The Locky cryptovirus has a high probability to delete the Shadow Volume Copies from the Windows Operating System by executing the following command:
→vssadmin.exe delete shadows /all /Quiet
That command eliminates one of the proper ways for restoring your computer system along with its files to a previous state. If the command is run, the encryption process of the virus will become quite more effective.
Remove .Asasin File Virus and Restore Your Files
If your computer got infected with the .Asasin File Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computer systems. You should remove the ransomware and follow the step-by-step instructions guide provided below.
Manually delete .Asasin File Virus from your computer
Note! Substantial notification about the .Asasin File Virus threat: Manual removal of .Asasin File Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.