EnCiPhErEd Ransomware – Remove It and Decrypt Encrypted Files for Free - How to, Technology and PC Security Forum | SensorsTechForum.com

EnCiPhErEd Ransomware – Remove It and Decrypt Encrypted Files for Free

shutterstock-malwareA new variant of old ransomware, EnCiPhErEd is a part of the Xorist crypto family. The virus encrypts files on compromised systems leaving its name as a file extension to the encoded files. The ransomware has also been reported by malware researchers to be sold online on deep web black markets. Since ransomware from the Xorist family has been hacked a while ago, we advise users to follow the tutorial in this article to remove it and decrypt their files instead of paying the ransom money to the cyber-criminals.

Threat Summary

NameEnCiPhErEd(Xorist)
TypeRansomware
Short DescriptionThe ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by EnCiPhErEd(Xorist)

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss EnCiPhErEd Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

EnCiPhErEd Ransomware – Infection Process

To infect users, this ransomware may spread via several different ways:

  • Via infected USB drives or other external drives.
  • Through malicious URLs that cause drive-by-downloads or the execution of .js(JavaScript) files.
  • Via malicious executables, like Windows activators, game key generators, and others, pretending to be virus-free applications.

Since the ransomware is sold in Russian forums, users on those forums have reported that the ransomware may be spread via activators for Microsoft products, such as fake KMS Activator.

EnCiPhErEd Ransomware In Detail

Once activated on your computer, EnCiPhErEd Ransomware may place different files of the following file types:

→ .js, .exe, .dll, .tmp, .vbs, .bat, .cmd .reg

The files may be located in one of the following folders:

  • %AppData%
  • %Local%
  • %Roaming%
  • %System%
  • %{User’s Profile}%
  • %Temp%

Those files may be obfuscated so that they avoid detection by antivirus software. As soon as they are executed, EnCiPhErEd may immediately begin to encrypt your files. It may look for files of the following file extensions:

→ .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCDSource:fileinfo.com

After it encrypts the files, the ransomware adds the EnCiPhErEd extensions to the files, for example:

→New Text Document.txt.EnCiPhErEd

The ransomware may add a ransom message similar to the following:

→ “Attention! All your files are encrypted!
To restore your files and access them,
please send Bitcoin to address
23d9h320hd23d2389g32fh23z3208
and email to {cyber-criminals’ email} proof
(screen or smth) of your payment.
After receiving funds, I will send you
your password and decrypt instruction via email.
You have several attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
Be careful when you enter the code!”Source:BleepingComputer

Another ransom message seen in Xorist variants is the following:

Xorist-Ransomware-ransom-note-sensorstechforum

This is just an example message; however, users also report being asked to send SMS messages that charge them the ransom amount. This is very convenient and untraceable method of quick money making, and this is why some cyber-criminals may prefer it.

Remove EnCiPhErEd Ransomware and Decrypt the Encoded Files

To remove this ransomware, we advise users to immediately download and use an advanced anti-malware software to scan automatically for the threat. However, there is also the manual removal possibility of finding the registry entries and the files created by the ransomware, for which we have prepared instructions for you below.

To decrypt your files, please check step “3. Decrypt Files Encrypted by EnCiPhErEd Ransomware”.

Manually delete EnCiPhErEd(Xorist) from your computer

Note! Substantial notification about the EnCiPhErEd(Xorist) threat: Manual removal of EnCiPhErEd(Xorist) requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove EnCiPhErEd(Xorist) files and objects
2.Find malicious files created by EnCiPhErEd(Xorist) on your PC
3.Fix registry entries created by EnCiPhErEd(Xorist) on your PC

Automatically remove EnCiPhErEd(Xorist) by downloading an advanced anti-malware program

1. Remove EnCiPhErEd(Xorist) with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by EnCiPhErEd(Xorist) in the future
3. Decrypt files encrypted by EnCiPhErEd(Xorist)
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.