A virus has been spotted by malware researchers attacking the information terminals at a public conference. The ransomware infection locks the screens of the infected computers and displays the doge image you see on the top-right. This type of virus is decryptable, but it raises a few very important questions about cyber-security in public buildings, which many companies and organizations need to answer with the proper counter-measures. Since the virus is also spreading all over the world, we give a brief explanation and decryption instructions below in case your system has been compromised by it, so we suggest you read this article carefully.
More Information on “Such Security” Ransomware
The virus is based on something that many in cyber-security know as the HiddenTear project. This is an open-source ransomware project whose code is available online for free. All it takes is the necessary coding skills to compile this source code into a functioning ransomware program and release it via infection malware that executes it undetected, like an Exploit Kit, for example. This was the case with Such Security ransomware. How the virus infected the machines in the public building is so far unknown, but the hackers may have caused the infection either via physical access or via other malicious software executed remotely.
What Other Methods of Infection Does Such Security Ransomware Use?
There are several other infection methods this virus may use. One of them is malicious e-mail spam messages. Such messages are usually deceitful and may trick the user into opening a malicious attachment in the e-mail or clicking on a malicious web link. The same goes for fake files uploaded to torrent websites that are disguised as legitimate installers of different programs.
What Happens When Such Security Infects My Computer?
After this virus has caused an infection, it drops the following files:
- A randomly named executable file.
- An executable named eda2.exe.
- A test file.
- A photo with the doge meme.
It also connects to the remote host 192.168.59.130 and to an Imgur photo of the Doge meme at the following web link: i.imgur.com/67zIv4T.jpg.
What Happens When Such Security Ransomware Encrypts My Files?
Such Security ransomware encrypts only specific file types, like most EDA2 variants do.
Once encrypted, the files can no longer be opened, and the .locked file extension is added to them.
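The dropped files, the remote host, the image URL and the .locked extension listed above are the indicators a responder would sweep a kiosk for. The following script is an added example, not code from the article or from the HiddenTear project: it walks a directory for .locked files and copies of eda2.exe and matches proxy/firewall log lines against the host and URL named above. The directory tree and the log lines it checks are constructed here so it runs offline; the kiosk name, timestamps and internal addresses in them are invented.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: extension, dropped file, remote host, image URL.
LOCKED_EXT = ".locked"
DROPPED_EXE = "eda2.exe"
C2_HOST = "192.168.59.130"
IMGUR_URL = "i.imgur.com/67zIv4T.jpg"

def scan_tree(root):
    """Walk root; return files with the .locked extension and copies of eda2.exe."""
    locked, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(LOCKED_EXT):
                locked.append(path)
            if name.lower() == DROPPED_EXE:
                dropped.append(path)
    return {"locked_files": sorted(locked), "dropped_exe": sorted(dropped)}

def scan_log(lines):
    """Return log lines that mention the remote host or the Imgur image URL."""
    return [ln.strip() for ln in lines if C2_HOST in ln or IMGUR_URL in ln]

def build_sample_tree():
    """Constructed demo tree: two encrypted documents, one clean file, the dropped exe."""
    root = Path(tempfile.mkdtemp(prefix="suchsec_demo_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx.locked").write_bytes(b"\x00" * 16)
    (root / "Documents" / "budget.xlsx.locked").write_bytes(b"\x00" * 16)
    (root / "Documents" / "notes.txt").write_text("untouched")
    (root / "eda2.exe").write_bytes(b"MZ")
    return root

# Constructed proxy/firewall lines, not captured from a real kiosk.
SAMPLE_LOG = [
    "2016-01-01 10:00:01 kiosk01 TCP 10.0.0.5:49152 -> 192.168.59.130:80 ALLOW",
    "2016-01-01 10:00:02 kiosk01 HTTP GET http://i.imgur.com/67zIv4T.jpg",
    "2016-01-01 10:00:03 kiosk01 HTTP GET http://example.invalid/update.xml",
]

if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scan_tree(demo_root))   # two .locked files, one eda2.exe
    print(scan_log(SAMPLE_LOG))   # the first two sample lines
```

Point scan_tree at a mounted image of the affected drive and scan_log at the real proxy export to get the actual hit list; a hit on eda2.exe or the remote host is worth isolating the machine even before any .locked file appears.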
How Do I Decrypt Files Encrypted By Such Security Ransomware?
The file-decryption process for HiddenTear ransomware is not that difficult, but you need to be prepared and to do it from a safe computer that is powerful enough. Let’s begin!
Step 1: Download the HiddenTear BruteForcer by clicking on the button below and open the archive:
Step 2: Extract the program onto your Desktop or wherever you feel comfortable so you can easily access it, and open it as an administrator:
Step 3: After opening it, you should see the main interface of the brute forcer. From there, choose “Browser Sample” to select a sample encrypted file of the type of ransomware you are trying to decrypt:
Step 4: After this, select the type of ransomware from the drop-down menu in the bottom-left corner:
Step 5: Click on the Start Bruteforce button. This may take some time. After the brute forcing is finished and the key is found, copy it and save it somewhere on your PC in a .txt file; you will need it later.
Step 6: Download the HiddenTear Such Security Decryptor from the download button below:
Step 7: Extract it and open it, the same way as with HiddenTear BruteForcer. From its primary interface, paste the key copied from the BruteForcer, write the type of extension being used by the ransomware and click on the Decrypt button as shown below:
After these steps have been completed, you should immediately copy your files to an external device so that they are safe. After this has been done, we strongly recommend completely wiping your drives and reinstalling Windows on the affected machine.
After this, consider yourself lucky that this virus is decryptable. There are many other ransomware infections out there that infect victims and, even if they pay the ransom, leave their files in the same state, because of a broken decryptor or unwillingness on the part of the crooks to decrypt the files. This is why we advise you to read the following article and increase your protection against ransomware infections: