.EnCrYpTeD File Virus (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com


This article is created to help you remove the .EnCrYpTeD file extension ransomware from your computer and try to recover encoded files.

A ransomware virus that uses the .EnCrYpTeD file extension and is coded in the Python language has been reported to infect computers and encrypt their data. The encrypted files can no longer be opened, and this crypto-virus uses a “READ_ME_TO_DECRYPT.txt” ransom note to make sure the user knows the demands of the cyber-criminals, which are to pay the sum of 1 BTC to a bitcoin wallet in order to get the encrypted files decrypted. In case you have become an unfortunate victim of the .EnCrYpTeD ransomware, we recommend reading the following material thoroughly.

Threat Summary



Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user witnesses a changed wallpaper with a message to open the ransom instructions, where he or she is asked to pay a hefty ransom fee to get the data back.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by .EnCrYpTeD (Malware Removal Tool)
User Experience: Join our forum to discuss .EnCrYpTeD.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.EnCrYpTeD File Virus – How Does It Infect

In order to cause an infection on a certain machine, the .EnCrYpTeD file virus might use malicious e-mail attachments that are usually sent out via several different e-mail accounts that are not blocked as spam.

The messages accompanying those e-mail attachments are usually deceptive and trick the user into believing that he or she may have purchased something or that there is suspicious activity on his or her bank account. The attachment usually pretends to be an invoice or another important document. However, it is the file from which the infection process is triggered after it is opened.

.EnCrYpTeD File Virus – Further Analysis

Once an infection is triggered, the .EnCrYpTeD ransomware may drop multiple files on the compromised computer of the user. The virus also uses multiple different techniques to conceal the files from any protection software. The payload of the .EnCrYpTeD ransomware may be located in multiple different Windows directories:

After the payload is dropped, the .EnCrYpTeD ransomware may perform multiple different activities, such as modifying the Windows Registry, more specifically the Run and RunOnce sub-keys in it. This is done in order to add a setting that runs the malicious executable of the .EnCrYpTeD virus, which is detected as ransomware.exe at VirusTotal:

As soon as the virus is activated, it immediately begins to encrypt important files on the computers it has compromised. These files are reported to be documents, pictures, image data files, files associated with often used programs and other data.

After the encryption process of this virus is complete, the files can no longer be opened. This is most likely achieved using the AES (Advanced Encryption Standard) algorithm. The bad news is that the files encrypted by this ransomware infection also have changed names, besides the .EnCrYpTeD file extension added to them. They may look like the following:

In addition to this, the ransomware changes the wallpaper to a black image with a red text, which asks to open the ransom note file:

“Your files have been encrypted!!!
Follow instructions in READ_ME_TO_DECRYPT.txt to recover your data”

The ransom note is named READ_ME_TO_DECRYPT.txt and has the following message to the victims of the virus:

“Your files have been locked with AES strong encryption.
How to decrypt your files:
1. Send one bitcoin to: {crooks address}
2. After sending bitcoin, send email to [email protected] containing the following code:
{custom code}
3. After receiving bitcoin and required code, you will be given your decrypt password.
4. Find to_decrypt.py, double-click, enter the password. Decryption requires Python installed.
You have 72 hours to comply or your decrypt password will be permanently destroyed!”

In any event, paying the ransom of the .EnCrYpTeD virus is highly inadvisable. Instead, it is recommended to remove this ransomware completely.
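To scope the damage before removal, the file-level indicators described above (the .EnCrYpTeD suffix, READ_ME_TO_DECRYPT.txt and to_decrypt.py) can be inventoried with a read-only scan. The following Python script is an added example, not code from the ransomware or from the original article; the function names and the sample file names are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File-level indicators named in the article.
ENCRYPTED_SUFFIX = ".EnCrYpTeD"          # appended to encrypted files
RANSOM_NOTE = "READ_ME_TO_DECRYPT.txt"   # ransom note
DECRYPT_SCRIPT = "to_decrypt.py"         # script the note refers to

def triage(root):
    """Walk root (read-only) and collect paths matching the indicators."""
    report = {"encrypted": [], "notes": [], "scripts": [], "unreadable": []}
    def note_unreadable(exc):  # directories os.walk could not list
        report["unreadable"].append(exc.filename)
    for dirpath, _dirs, files in os.walk(root, onerror=note_unreadable):
        for name in files:
            path = Path(dirpath) / name
            # Exact-case match: a lowercase ".encrypted" is not counted as a hit.
            if name.endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(path)
            elif name == RANSOM_NOTE:
                report["notes"].append(path)
            elif name == DECRYPT_SCRIPT:
                report["scripts"].append(path)
    return report

def summarize(report, top=3):
    """Return (hit count, worst-hit directories, (first, last) mtime of hits)."""
    hits = report["encrypted"]
    per_dir = Counter(str(p.parent) for p in hits).most_common(top)
    # Assumption: mtimes of encrypted files approximate when encryption ran.
    mtimes = [p.stat().st_mtime for p in hits]
    window = (min(mtimes), max(mtimes)) if mtimes else None
    return len(hits), per_dir, window

def build_sample_tree(base):
    """Constructed sample data: empty files named like the indicators."""
    layout = ["docs/a1b2.EnCrYpTeD", "docs/c3d4.EnCrYpTeD", "pics/e5f6.EnCrYpTeD",
              "pics/old.encrypted", "docs/notes.txt", RANSOM_NOTE, DECRYPT_SCRIPT]
    for rel in layout:
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(summarize(triage(build_sample_tree(tmp))))
```

The modification-time window helps pick a backup or restore point that predates the encryption, and the per-directory counts show which locations need recovery first.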

Remove .EnCrYpTeD File Virus and Try Getting the Files Back

For the removal of the .EnCrYpTeD ransomware, malware researchers recommend taking advantage of the removal instructions below. They are created to help you remove this ransomware methodically. However, if manual removal is difficult for you, it is advisable to perform the removal automatically by downloading an advanced anti-malware program, which will make sure the removal is permanent and complete.

After having removed this ransomware from your computer, it is recommended to focus on trying to restore the files that have been encoded by this virus. One way is to try the alternative file recovery tools that we have suggested in step “2. Restore files encrypted by .EnCrYpTeD Virus”. They are not a full guarantee that you will get your data back, but you may get at least some of the data back by following them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
