CommonRansom Virus – How to Remove It (+Restore Files)

CommonRansom Virus – How to Remove It (+Restore Files)

This article will aid you remove CommonRansom virus effectively. Follow the removal instructions at the end.

The CommonRansom virus is a newly discovered ransomware threat that does not belong to any of the known malware families. The identity of the operators behind the recent attacks are not known. Depending on its configuration active infections can also lead to the installation of other threats — viruses, ransomware, miners and Trojans. Our guide explains how computer users can spot the infections and attempt to remove them.

Threat Summary

NameCommonRansom virus
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension .CommonRansom to them after it finishes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by CommonRansom virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CommonRansom virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CommonRansom virus – Distribution

The CommonRansom virus is a newly discovered threat which has been found to compromise machines around the world. At this time the origins of the threat are not known, it is speculated that this threat may be originating from a custom virus service advertised on the underground hacker forums. The other possible theory behind its creation and distribution is that it is the work of the operators behind the distribution.

As the attacks are still limited in number the security reports do not indicate which is the primary distribution method. As a consequence the criminals can use the most popular tactics.

One of the main ones is the use of email SPAM campaigns which can be designed as being sent by companies or services that the users may use. This si done by taking the legitimate design elements and content and copying them in the emails. They can directly distribute the viruses as file attachments or linking them in the body contents. Alongside emails the criminals can also set up download sites that are copies of vendor download pages and well-known Internet portals. These two methods are also used to spread another form of the CommonRansom virus, namely its inclusion in infected payloads. Two of the most common types are the following:

  • Infected Documents — They can be of all popular types and contain dangerous macros that will lead to the virus delivery. When they are opened by the victims a prompt will appear asking them to enable the built-in scripts. They will automatically deploy the threat.
  • Infected Applications — The criminals can also embed the virus scripts in malicious setup files — they are often made by taking the real installers from the official sites and modifying them. Once the relevant software is installed or the file is merely started the virus will automatically be deployed.

All of these files can also be uploaded via file sharing networks such as BitTorrent. The reason why this is a popular method for spreading both legal and illegal files.

In certain cases the CommonRansom virus can be spread via malicious browser plugins whic hare also known as hijackers. They are made compatible with the most popular browsers and are uploaded to their respective extension repositories. When installed they will modify the default settings and install the virus.

CommonRansom virus – Information

The CommonRansom virus has not undergone an extensive virus analysis yet however we presume that a modular framework is used by its engine. This would allow the operators to further develop and update the malware.

We presume that it will copy the behavior patterns of other successful threats and by doing so the first actions done by the infection engine would be to harvest sensitive data from the compromised machines. This can lead to the retrieval both of anonymous metrics that are used to generate the unique infection ID and personal data. If configured so this module can capture information such as the victim’s name, interests, address and even stored passwords.

All of the acquired information can then be used to bypass discovered security software — anti-virus software, sandbox environments and virtual machine hosts.

Other tactics employed by the CommonRansom virus can include the modification of the operating system. This is done after the security bypass as at this point the malware will have obtained complete control. A common action is the setup of the virus as a persistent threat — this will automatically start the engine once the computer boots. This can cause certain system processes and third-party applications not to start or at all. Another consequence would be the manipulation of entries that are used by Windows and the user-installed applications. This can cause serious performance issues when using the computer and the inability to start certain functions.

If configured so the CommonRansom virus can also delete sensitive data: System Restore Points or Shadow Volume Copies.

A serious consequence of having an active CommonRansom virus infection is the fact that it can lead to additional payload delivery. The criminals can include the ability to install a Trojan infection. This is done by deploying a client that establishes a secure and constant connection to a hacker-controlled server. Through it the hacker controllers will be able to overtake control of the systems.

CommonRansom virus – Encryption Process

The CommonRansom virus follows the classic ransomware behavior pattern of targeting sensitive user data with a strong cipher. This is done so according to a built-in list of target file type extensions. An example one can be run against the following data:

  • Archives
  • Backups
  • Databases
  • Images
  • Videos
  • Music

As a result the affected files will be renamed with the .CommonRansom extension. Preceding the final extension the email displayed in the ransomware note. It itself is created in a file called DECRYPTING.txt and reads the following message:

Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: [email protected]
In your message you have to write:
1. This ID-345678901234567
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
After payment our team will decrypt your files immediatly
Free decryption as guarantee:
1. File must be less than 10MB
2. Only .txt or .lnk files, no databases
3. Only 5 files
How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:

Remove CommonRansom Ransomware and Restore .CommonRansom Files

If your computer got infected with the CommonRansom Ransomware ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share