Encryptor RaaS is a devastating trojan horse that causes quite the headaches. Symantec researchers have reported a new wave of encryptor RaaS hitting users on a global scale. This particular ransomware is detected to slip into the user system, modify user settings after which scan user files and encrypt them. The trojan can support many file extensions and encrypt as many files as possible and it even may encrypt files in external drives, such as USB, memory card or even external HDD or SSD drives.
| Name | Encryptor RaaS |
| Type | Ransomware Trojan |
| Short Description | The trojan encrypts user files asking ransom money for their decryption |
| Symptoms | Users may witness different files of their computer becoming corrupt all of a sudden plus the ransom message text file and their browser may open with additional instructions. |
| Distribution Method | Via malicious mail attachments, malicious URLs |
| Detection Tool | Download Malware Removal Tool, to See If Your System Has Been Affected by Encryptor RaaS |
| User Experience | Join our forum to discuss about Encryptor RaaS Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Encryptor RaaS Ransomware – How Did I Get It?
One way you may have gotten this nasty virus infection is by simply opening a malicious mail attachment. There are many spammers who distribute malware like Encryptor RaaS via spam messages that may resemble something important. Examples may be email from Microsoft, eBay or any other reputable services. The mail may contain a legitimate attachment such as .docx, .pdf and others. However, it may also have a second attachment which may be a malicious .exe, .bat, .dll or .tmp file. In some situations even the documents may be infected. For example, there have been cases with infected Microsoft Word .docx macros.
Encryptor RaaS – More about It
Symantec engineers report that once this ransomware has been activated on your computer it creates a read me file, going by the name “readme_liesmich_encryptor_raas.txt” in the %SystemDrive% directory. After it has done that it creates a registry entry in the Run key with a value for the %SystemDrive% folder itself:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|||RANDOM CHARACTERS|||=”%SystemDrive% /SkipReg”
After doing so the trojan directly begins to encrypt files containing the following file extensions.
→.doc .docm .docx .txt .jpg .xls .xlsx .zip .7z .flac .aup .ogg .rat .tiff .lzma .mp4 .torrent .gz .m4v .cpp .h .ova .avi .bak .data .rtf .ico .img .php .php3 .php5 .dmg .mp3 .mp4 .iso .wav .mpeg .mpg .jar .webm .java .sln .msg .jpeg .png .pdf .bmp
After doing so the trojan opens up the previously created “readme_liesmich_encryptor_raas.txt” file. It contains the following message:
→“ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
|||Random web link|||
ACHTUNG!
Die Datelen auf ihrem computer wurden von Encryptor RaaS sichen verschluesselt. Um den Zugriff auf ihre Datelen wiederzuerlangen. Folgen Sie die Anleitung auf:
|||Random web link|||”
The ransomware also opens up a page in the web browser with additional demands to decrypt the victim’s files.
More about it, the RaaS stands for Ransomware as a service and it is offered by cyber-criminals to third-parties. The ransomware uses onion networking (Tor) in its web links in order to remain anonymous since such networking is very random and effective. Tor networking uses encrypted connection because the packets travel via a random network of onion networking`s computers in encrypted encapsulation which is decrypted in the exit node, i.e the last Tor computer it exits from. The randomness of the signal passing through makes Tor networking the perfect choice for cyber criminals who use RaaS.
ESG security researchers report that unlike its predecessor Tox, this operation is particularly less sophisticated and very effective because of that. What is unique about it is that Encryptor RaaS contains Java associated references to DLL files with makes it partly Java-based – something new for ransomware.
The ransomware features prompts to pay in BitCoin and what is more it may encrypt files differently based on their file formats. The good news is that the ransomware may use several different algorhitms and may not encrypt an entire file, but only the first portion of the file`s code which is a hope for any affected users out there.
Removing Encryptor RaaS Completely
In order to remove this nasty infection from your computer, you need to be very cautious. Before conducting any removals, make sure that you have all your necessary encrypted files backed up somewhere else. After this is done, you should follow these instructions and install an advanced anti-malware tool to remove all associated files with this cyber-threat:
1. For Windows 7,XP and Vista.
2. For Windows 8, 8.1 and 10.
1. Install SpyHunter to scan for and remove Encryptor RaaS.
1. For Windows 7 and earlier
Decrypting Encrytor RaaS Files
The decryption process may be very lengthy and it may not even work. But do not worry because you may succeed after all. Many users have successfully decrypted their files because they have just tried decrypting different files, not just one. Once one key is discovered there is a significant chance that other files can be decrypted using the very same key with a specific tool.
Here are instructions for trying to decrypt files encrypted via the RSA encryption algorhitm:
And here is more info about trying to decrypt RSA algorithm via Ubuntu (tech savvy users).
https://sensorstechforum.com/remove-rsa-2048-encryption-key-from-cryptowall-3-0/
Also, here is a web link to kaspersky decryption tools since the trojan may use different algorithms:
http://support.kaspersky.com/viruses/utility
Hello, I have this problem
has anyone already test a successful way to decrypt the files?
I have a lot of files encrypted and I have a lot of the in original (Back up :))
that should make is easyser to find the key, shouldn’t it? can anyone advice a solution?
Hello, Harhur
Is it possible for you to send 2 encrypted files with 2 original ones and maybe 5 or 10 encrypted files to the following e-mail address:
[email protected]
Make sure you name the subject of the email: “Harhur” so we know it came from you. We will try with several decryption tools on a PC configured for that and let you know eventually what happened and if it is possible or not.
Thanks
hello mr Krutev,
you are great man, I will send them immediatly..
hello,
do you have another email frome some reason my mail is always comming back (can not be deliverd)
Hello again,
I forgot to write that I already tried the Kaspersky tools and they did not work.
the files are encrypted but the end dose not change so .docx or .pdf is still the same but it is not possible to open them (office says the file is damaged)
I will be thankful for any advice I would also send some files (encrypted and original) to anyone who would try to find a solution
I have read that the developer of this malware have del all the keys already and no service is actually available and those whose file is encrypted will be encrypted now Holy shit!
comma récupéré fichier crypte?