Encryptor RaaS is a devastating trojan horse that causes quite the headaches. Symantec researchers have reported a new wave of encryptor RaaS hitting users on a global scale. This particular ransomware is detected to slip into the user system, modify user settings after which scan user files and encrypt them. The trojan can support many file extensions and encrypt as many files as possible and it even may encrypt files in external drives, such as USB, memory card or even external HDD or SSD drives.
|Short Description||The trojan encrypts user files asking ransom money for their decryption|
|Symptoms||Users may witness different files of their computer becoming corrupt all of a sudden plus the ransom message text file and their browser may open with additional instructions.|
|Distribution Method||Via malicious mail attachments, malicious URLs|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Encryptor RaaS|
|User Experience||Join our forum to discuss about Encryptor RaaS Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Encryptor RaaS Ransomware – How Did I Get It?
One way you may have gotten this nasty virus infection is by simply opening a malicious mail attachment. There are many spammers who distribute malware like Encryptor RaaS via spam messages that may resemble something important. Examples may be email from Microsoft, eBay or any other reputable services. The mail may contain a legitimate attachment such as .docx, .pdf and others. However, it may also have a second attachment which may be a malicious .exe, .bat, .dll or .tmp file. In some situations even the documents may be infected. For example, there have been cases with infected Microsoft Word .docx macros.
Encryptor RaaS – More about It
Symantec engineers report that once this ransomware has been activated on your computer it creates a read me file, going by the name “readme_liesmich_encryptor_raas.txt” in the %SystemDrive% directory. After it has done that it creates a registry entry in the Run key with a value for the %SystemDrive% folder itself:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|||RANDOM CHARACTERS|||=”%SystemDrive% /SkipReg”
After doing so the trojan directly begins to encrypt files containing the following file extensions.
→.doc .docm .docx .txt .jpg .xls .xlsx .zip .7z .flac .aup .ogg .rat .tiff .lzma .mp4 .torrent .gz .m4v .cpp .h .ova .avi .bak .data .rtf .ico .img .php .php3 .php5 .dmg .mp3 .mp4 .iso .wav .mpeg .mpg .jar .webm .java .sln .msg .jpeg .png .pdf .bmp
After doing so the trojan opens up the previously created “readme_liesmich_encryptor_raas.txt” file. It contains the following message:
The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
|||Random web link|||
Die Datelen auf ihrem computer wurden von Encryptor RaaS sichen verschluesselt. Um den Zugriff auf ihre Datelen wiederzuerlangen. Folgen Sie die Anleitung auf:
|||Random web link|||”
The ransomware also opens up a page in the web browser with additional demands to decrypt the victim’s files.
More about it, the RaaS stands for Ransomware as a service and it is offered by cyber-criminals to third-parties. The ransomware uses onion networking (Tor) in its web links in order to remain anonymous since such networking is very random and effective. Tor networking uses encrypted connection because the packets travel via a random network of onion networking`s computers in encrypted encapsulation which is decrypted in the exit node, i.e the last Tor computer it exits from. The randomness of the signal passing through makes Tor networking the perfect choice for cyber criminals who use RaaS.
ESG security researchers report that unlike its predecessor Tox, this operation is particularly less sophisticated and very effective because of that. What is unique about it is that Encryptor RaaS contains Java associated references to DLL files with makes it partly Java-based – something new for ransomware.
The ransomware features prompts to pay in BitCoin and what is more it may encrypt files differently based on their file formats. The good news is that the ransomware may use several different algorhitms and may not encrypt an entire file, but only the first portion of the file`s code which is a hope for any affected users out there.
Removing Encryptor RaaS Completely
In order to remove this nasty infection from your computer, you need to be very cautious. Before conducting any removals, make sure that you have all your necessary encrypted files backed up somewhere else. After this is done, you should follow these instructions and install an advanced anti-malware tool to remove all associated files with this cyber-threat:
Decrypting Encrytor RaaS Files
The decryption process may be very lengthy and it may not even work. But do not worry because you may succeed after all. Many users have successfully decrypted their files because they have just tried decrypting different files, not just one. Once one key is discovered there is a significant chance that other files can be decrypted using the very same key with a specific tool.
Here are instructions for trying to decrypt files encrypted via the RSA encryption algorhitm:
And here is more info about trying to decrypt RSA algorithm via Ubuntu (tech savvy users).
Also, here is a web link to kaspersky decryption tools since the trojan may use different algorithms: