.Asasin File Virus (Locky) - Remove and Restore Files (Update November)
THREAT REMOVAL

.Asasin File Virus (Locky) – Remove It and Restore Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by .Asasin File Virus and other threats.
Threats such as .Asasin File Virus may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

The article will aid you remove the .Asasin File Virus in full. Follow the ransomware removal instructions given at the end of this article.

.Asasin File Virus is Locky’s latest ransomware iteration which appends the .Asasin extension to all encrypted files. Your computer system can become infected resulting from you opening an email attachment that contains a malicious link which loads automatically upon opening the attached file. Apparently, the changes in this version of the virus are in its email invoice messages, payload domains and variations in the payment price. Continue to read and check if you can potentially restore your files below.

Threat Summary

Name.Asasin File Virus
TypeRansomware, Cryptovirus
Short DescriptionThe .Asasin file virus is the latest spreading variant of Locky ransomware. The cryptovirus has minor changes in its email invoices and payload domains and payment price.
SymptomsYour files get encrypted and receive the .asasin extension appended to their names. You see a ransom note with instructions which states that the encryption which is used is both AES and RSA.
Distribution MethodPhishing Email Campaigns with File Attachments, Malicious Domains
Detection Tool See If Your System Has Been Affected by .Asasin File Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Asasin File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Asasin File Virus – Update November 2017

The .Asasin Locky Version has updated its domains that spread the payload these last couple of days. From November the newest domains are going to redirect you until eventually you land on the final payload page “ http://hobbystube(.)net/dkjshfg643” and execute the malware QTLoader which delivers Locky. Below, inside the accordion, you can preview the latest distribution domains for the cryptovirus:

List with some of the payload download sites

All of the above domains and links, lead to Locky (.asasin).

Notice! The above list with domains is for purely informational purposes and it is strongly advised against the opening of any of them, because they will download the virus onto your computer.

.Asasin File Virus – Distribution Techniques

The main variant of the .Asasin File Virus propagates itself via e-mail spam campaigns. The e-mail has a subject that reads “Document invoice_21637_sign_and_return.pdf is complete”. Inside there is a .7z or a .7zip attached file which is not properly added to the email and seen as a base64 code, so most people would see it as a text and won’t even know that it is an attachment. If the malware authors fix it, you will be able to see and open it, thus loading a VBS script in that way. The script will download the virus payload from a malicious domain. Your computer machine gets infected in a matter of seconds, getting your files encrypted. The text of the e-mail message should be the following if it loads correctly:

Hello,
This document has been signed and is now complete.

In the near future you can expect similar e-mails to appear.

Below you can see the new payload domains spreading this version of the ransomware:

List with some of the payload download sites

Notice! The above list with domains is for purely informational purposes and it is strongly advised against the opening of any of them, because they will download the virus onto your computer.

Refrain from opening any file from the Internet directly. You should always perform a scan with a security application first. You can read the tips for ransomware prevention in our forum to inform yourself more about the prevention tactics you can use and some methods to fight back ransomware threats.

.Asasin File Virus – Technical Information

The .Asasin File Virus is the newest Locky ransomware variant. The extension .Asasin is placed to all encrypted files. This version of the notorious cryptovirus has been spreading through the Necurs Botnet.

The Locky ransomware also makes entries in the Windows Registry to achieve a higher level of persistence. Registry entries of that caliber are typically designed to start the virus automatically with every launch of the Windows Operating System or even repress and tamper with processes.

The message with the ransom payment instructions appears to have only minor changes, leaving the core of the ransom message intact for the most part and is stored inside two files called “asasin”. Those files are with a .bmp and a .htm extensions. You can preview the image that replaces your Desktop background from down below:

The ransom message reads the following:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:
http://en.wildpedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:

1. Download and install Tor Browser: https://www.torproject.org/downIoad/download-easy.html
2. After a successful installation, run the browser and wait for initialization.

3. Type in the address bar: g46mbrrzpfszonuk.onion

4. Follow the instructions on the site.

!!! Your personal identification ID: !!!

You can preview the .htm version of that note in the picture down here:

Here is how the TOR payment page looks like:

Here is what it says on the TOR payment page:

Languages: English

Locky Decryptor™

We present a special software – Locky Decryptor™ –
which allows to decrypt and return control to all your encrypted files.

How to buy Locky Decryptor™?
You can make a payment with BitCoins, there are many methods to get them.

You should register BitCoin wallet:

Simplest online wallet or Some other methods of creating wallet

Purchasing Bitcoins, although it’s not yet easy to buy bitcoins, it’s getting simpler every day.

Here are our recommendations:

localbitcoins.com (WU) Buy Bitcoins with Western Union.
coincafe.com Recommended for fast, simple service.
Payment Methods: Western Union, Bank of America, Cash by FedEx, Moneygram, Money Order. In NYC: Bitcoin ATM, in person.
localbitcoins.com Service allows you to search for people in your community willing to sell bitcoins to you directly.
cex.io Buy Bitcoins with VISA/MASTERCARD or wire transfer.
btcdirect.eu The best for Europe.
bitquick.co Buy Bitcoins instantly for cash.
howtobuybitcoins.info An international directory of bitcoin exchanges.
cashintocoins.com Bitcoin for cash.
coinjar.com CoinJar allows direct bitcoin purchases on their site.
anxpro.com
bittylicious.com

Send 0.25 BTC to Bitcoin address:

Note: Payment pending up to 30 mins or more for transaction confirmation, please be patient…

Date Amount BTC Transaction ID Confirmations
not found

Refresh the page and download decryptor.

When Bitcoin transactions will receive one confirmation, you will be redirected to the page for downloading the decryptor.

The TOR payment page shows above reveals that the .Asasin file virus demands 0.25 Bitcoin as payment, which equals to 1.200 US dollars at the moment of writing. However, you should NOT under any circumstances pay anything to these cybercriminals. Nobody can guarantee that you will recover your data upon paying, or that you won’t get your files infected again in the near future. Adding to that, giving money to cybercriminals could be interpreted as supporting them financially, and could also motivate them to keep creating more ransomware viruses. Apparently, the latter is true as new variants of Locky ransomware keep showing up.

.Asasin File Virus – Encryption Process

The .Asasin File Virus appends the .Asasin extension to all encrypted files. As malware researchers have confirmed that it is indeed a new variant of the Locky Ransomware, it is most likely seeking to encrypt files with extensions such as its previous versions:

→.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aac, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .asc, .asf, .asm, .asp, .aspx, .asset, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmd, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db3, .db_journal, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .forge, .fpx, .frm, .fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hpp, .html, .hwp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lay6, .lbf, .ldf, .lit, .litemod, .litesql, .log, .ltx, .lua, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11, .msg, .myd, .n64, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda, .sdf, .sh, .sldm, .sldx, .slk, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .txt, .uop, .uot, .upk, .vb, .vbox, .vbs, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .wab, .wad, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlc, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

The encryption algorithm that is claimed to be used by Locky in all of its ransom notes is RSA-2048 with AES 128-bit ciphers. A file will be renamed and receive the new extension and its name will be something like 42W8TZ2K-98PW-YG37-U2F2DS8V-KOA3A226UIX1.asasin. The length will always be the same, due to how the cryptovirus has been coded.

The Locky cryptovirus has a high probability to delete the Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

That command eliminates one of the proper ways for restoring your computer system along with its files to a previous state. If the command is run, the encryption process of the virus will become quite more effective.

Remove .Asasin File Virus and Restore Your Files

If your computer got infected with the .Asasin File Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computer systems. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Note! Your computer system may be affected by .Asasin File Virus and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as .Asasin File Virus.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove .Asasin File Virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .Asasin File Virus files and objects
2. Find files created by .Asasin File Virus on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .Asasin File Virus

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...