Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Beni Oku.txt Turkish Virus – Remove and Restore .encrypted Files

This article will aid you to remove Beni Oku.txt virus effectively. Follow the ransomware removal instructions at the end of the article.

Beni Oku.txt is the name of a ransom note used by a new Turkish ransomware cryptovirus, which is believed to be targeting mainly Turkish users. That does not exclude the possibility of other people becoming victims of the virus and getting their files encrypted. The ransom note looks like the one of CTB-Locker. The Beni Oku.txt virus will encrypt files and add the .encrypted extension to them. Read the article to find out ways in which you could potentially restore some of your files.

Threat Summary

NameBeni Oku.txt Virus
TypeRansomware
Short DescriptionThe ransomware will encrypt all of your important files and show a ransom note in Turkish, giving out details about the ransom payment.
SymptomsThe ransomware will encrypt files with the .encrypted extension appended to every file.
Distribution MethodExploit Kits, Spam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Beni Oku.txt Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Beni Oku.txt Virus.

Beni Oku.txt Virus – Delivery Methods

Beni Oku.txt ransomware might be using targeted attacks to mainly infect users, who speak Turkish, but other delivery methods are not an exclusion. The payload file which initiates the malicious script for this ransomware is being spread around the Internet, and one of the samples was found by the malware researcher Jakub Kroustek, who uploaded it for analysis on the VirusTotal portal. You can preview the detections from the service right down here:

Beni Oku.txt ransomware might also deliver its payload file via social media networks and file-sharing services. Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the ransomware prevention tips found on the forum section.

Beni Oku.txt Virus – A Closer Look

Beni Oku.txt is actually the name of the ransom note file with instructions that this Turkish ransomware creates. Easily it can be said that it targets mainly Turkish users, because of the usage of that language, alas that does not exclude users who speak other languages. You can preview the contents of that “Beni Oku.txt” file from the picture right here:

The above note states:

1 – Dosyalarınızdaki şifrelemeyi kaldırmak için 13HP68KeuvoqYJhvlf7XQMEox8DPR8odx5 bitcoin adresine 150 USD değerinde bitcoin göndermeniz gerekmektedir.
2 – 150 USD değerinde ‘bitcoin gönderimi yapıldıktan sonra [email protected] adresine Belgelerim klasörünüzün içerisinde bulunan privateKey.XML dosyasını göndermeniz, gerekmekte dosyayı gönderdikten sonra dosyalarınıza uygun şifre çözme anahtarı size gönderilecek ve dosyalarınızdaki şifreleri açacaksınız.
3 – Bitcoin alımlarını https://localbitcoins.com/ üzerinden yada bu tarz emsal sitelerden yapabilirsiniz.
4 – Dosyalarınızdaki şifreleri çözmeye uğraşmanız sadece dosyalarınıza zarar vereceğiniz ve veri kaybına yol açmasına sebep olacaktır.
5 – 24 saat içerisinde şifreleri çözülmeyen dosyalar otomatik olarak harddiskinizden geri gelmeyecek şekilde silinecektir.
6 – Detaylı bilgi için [email protected] adresine mail gönderebilirsiniz.

A rough translation of that in English is the following:

1 – To remove the encryption on your files, you need to send bitcoin to the address of 13HP68KeuvoqYJhvlf7XQMEox8DPR8odx5 bitcoin with a value of 150 USD.

2-150 worth USD ‘after Bitcoin transmission to send the privatekey.xml file located in your My Documents folder to address [email protected], after you send the file to need the appropriate password to your file decryption key will be sent to you and you will open your passwords in your file.

3 – Bitcoin purchases can be done through https://localbitcoins.com/ from these comparable sites.

4 – Trying to resolve the passwords in your files will only cause damage to your files and cause data loss.

Within 5 – 24 hours, unencrypted files will be deleted automatically so that they will not come back from your hard disk.

6 – For more information, you can send an e-mail to [email protected]

The Beni Oku.txt ransomware could make entries in the Windows Registry to achieve persistence, and probably launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system like the example given below:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Another ransom note message is generated, which is inside an image, that looks very similar to those of the CTB-Locker and CTB-Faker ransomware viruses. That message is again written in the Turkish language. You will see that message from the image shown down here:

The original text of the message reads:

DOSYALARINIZ ŞİFRELENDİ
Yerel diskleriniz, ağ konumlarınız, harici depolama birimleriniz 256 bit şifreleme
tekniği ile şifrelenmiştir, bu yöntem ile şifrelenen dosyalar geçerli key “Anahtar”
olmadan açılamazlar Key anahtarına sahip olmak için şifre çözme yazılımını satın
almanız gerekmektedir, yazılım satın alındığında tüm dosyalarınızdaki şifreler
çözülecek ve eski haline gelecektir. Yazılımı 24 saat içerisinde satın almadığınız
taktirde tüm dosyalarınız yerel depolama birimlerinden geri gelmeyecek şekilde
silinecektir. Ayrıntılı bilgi için Belgelerim klasörünüzdeki “Beni Oku.txt”
dosyasına bakabilirsiniz
İletişim Adresi: [email protected]
BTC Adresi : 13HP68KeUVogYJhvlf7XQMEoX8DPR8odx5
Yukarıdaki BTC adresine 150 $ ödeme yapmanız gerekmektedir. Bitcoin
alımlarını www.localbitcoins.com üzerinden yapabilirsiniz
Bilgilendirme : Bilgisayarınızı geri yükleme yapmak hiçbir fayda etmeyecektir
Dosyaları antivirüs ile taratmanız dosyaların bozulmasına yol açacak ve geri
getirilmeyecek şekilde bozulmasına sebep olacaktır

A very rough English translation of that note will be the following:

YOUR FILES ARE ENCRYPTED
Your local disks, network locations, external storage 256-bit encryption
Encrypted with this method, the files encrypted with this method will be valid key “Key”
Purchase decryption software to have Key Key
You need to buy it, the passwords for all of your files when the software is purchased
It will be solved and it will become old. You did not purchase the software within 24 hours
If all your files will not come back from local storage
Will be deleted. For more information, see the “Read me.txt”
You can look at the file
Contact Address: [email protected]
BTC Address: 13HP68KeUVogYJhvlf7XQMEoX8DPR8odx5
You must pay $ 150 to the above BTC address. Bitcoin
You can make purchases through www.localbitcoins.com
Information: Restoring your computer will not help
Files with antivirus will lead to the corruption of your files and back
Will cause it to malfunction

From the ransom note, we can see that Beni Oku.txt actually translates to Read me.txt. The asked ransom price is 150 US dollars, demanded to be paid out in Bitcoins to a certain address. The deadline which is given is 24 hours, before the password becomes obsolete, according to the note. The price amounts to exactly 0.123 Bitcoin at the time of writing of this article.

The e-mail address given as a contact with the crooks is [email protected] However, you should NOT under any circumstance contact these cybercriminals or think of paying them. Your files may not get restored, and nobody could guarantee you that. Moreover, giving money to these criminals will likely motivate them to create more ransomware or do other criminal acts.

Beni Oku.txt Virus – Encryption Process

A partial list with file extensions that the Beni Oku.txt Virus ransomware seeks to encrypt is available, and you can see some of the file extensions will end up getting encrypted right here:

→.bmp, .docx, .ini, .jpg

Other files will get encrypted as well and receive the .encrypted extension. The extension will be appended after the original extension of the files, without overwriting it. The Beni Oku.txt ransomware will lock them using a 256-bit algorithm, at least according to the ransom note.

The following three files are connected with the encryption, and also contain information about the encryption keys:

  • privateKey.xml
  • publicKey.xml
  • [name].manifest.xml

To add to that, there is also a tool called “FileEncryptor” that is associated with the lock process that looks like the following:

The Beni Oku.txt cryptovirus is quite likely to erase all the Shadow Volume Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

Continue to read and find out what types of ways you could try to potentially restore some of your data.

Remove Beni Oku.txt Virus and Restore .encrypted Files

If your computer machine got infected with the Beni Oku.txt ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible before it encrypts other files and spreads deeper in your used network. The recommended action for you to remove the ransomware effectively by following the step-by-step instructions guide outlaid down below.

Manually delete Beni Oku.txt Virus from your computer

Note! Substantial notification about the Beni Oku.txt Virus threat: Manual removal of Beni Oku.txt Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Beni Oku.txt Virus files and objects
2. Find malicious files created by Beni Oku.txt Virus on your PC

Automatically remove Beni Oku.txt Virus by downloading an advanced anti-malware program

1. Remove Beni Oku.txt Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Beni Oku.txt Virus
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.