This is an article that provides specific details on Everbe 2.0 ransomware infection as well as a step-by-step removal followed by alternative data recovery approaches.
As spotted by security researchers a new version of Everbe ransomware has been released in active attack campaigns. Everbe 2.0 is a threat that corrupts computer systems in order to encode valuable data and demand a ransom for its decryption. This time cyber criminals set the crypto virus to append a specific string of extensions that begins with their contact email and ends with the extension .divine. So upon encryption the files are renamed with .[firstname.lastname@example.org].divine extensions and access to the information they store is restricted. In addition a ransom note !=How_to_decrypt_files=!.txt attempts to blackmail you into paying for a decryption tool possessed by hackers.
|Short Description||A data locker ransomware that utilizes AES cihper algorithm to encrypt valuable files stored on the infected computer and then demands a ransom for decryption solution.|
|Symptoms||The access to important files is restricted and all they are renamed with .[email@example.com].divine string of extensions. A ransom message urges victims to contact hackers at firstname.lastname@example.org email address.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Everbe 2.0 |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Everbe 2.0.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Update November 2018 — New Everbe 2.0 Ransomware Strain Identified
In November 2018 a new attack carrying Everbe 2.0 ransomware samples was identified. It is possible that the hacker or criminal group behind are different than the ones affiliated with the previous attacks. This is possible if the Everbe 2.0 ransomware code is being offered on the underground hacker markets. A popular option is the upload of such threats as a RaaS (ransomware-as-a-service). This means that the criminal developers will offer a subscription-based access to the ransomware code and offer customization options to the buyers. It is very possible that this variant is bought by a different criminal community and used for specific targeted attacks.
It appears that the same behavior pattern is used, no major differences have been reported in the way the virus infects the host computers. At this moment the distribution campaigns are limited in scope which doesn’t show the primary strategy. We anticipate that a wider deployment will use several of the methods used by the main Everbe 2.0 ransomware.
Instead of the previous extension this variant assigns the .[email@example.com].firstname.lastname@example.org suffix to the infected files. Like before the engine will target the most popular user data.
The ransomware note itself is created in a file called Note: !=How_recovery_files=!.html which reads the following contents:
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io
You have unique idkey(in a yellow frame), write it in letter when contact with us.
Also you can decrypt 1 file for test, its guarantee what we can decrypt your files.
primary email: email@example.com
reserver email: firstname.lastname@example.org
Everbe 2.0 Ransomware – Distribution
For the distribution of this iteration of Everbe ransomware hackers are likely to utilize common techniques such as malspam, fake updates, various potentially unwanted third-party programs, and corrupted web pages.
Spam email campaigns that may carry the infection code of Everbe 2.0 ransomware are likely to target online users worldwide. Those emails may resemble a lot the ones sent by legitimate institutions and commonly used services. So as their senders may be pointed out representatives of well-known companies like PayPal, DHL, FedEx, and Amazon. Another trait of malicious emails is the presence of file attachments presented as files that contain important information which you should review as soon as possible. The trick here is that these files are set to trigger the ransomware infection code once opened on the computer.
Another commonly used infection element used in malicious emails is a clickable link that may be in the form of button, in-text link, discount voucher, etc. What a visit of such a link may lead to is the activation of malicious scripts injected into web page’s source code. With the help of these scripts hackers could drop and activate malicious objects directly on your PC.
So if you want to keep your system secure against devastating threats like Everbe 2.0 in future you should have an active anti-malware tool installed on it. Once activated on the system such a tool will detect all intrusive malware and this way save you a lot of troubles.
Everbe 2.0 Ransomware – Overview
The infection process with Everbe 2.0 ransomware begins when its malicious payload is started on the system. In the beginning the threat is developed to plague essential system settings that will eventually enable it to reach the main infection stage which data encryption.
Among the affected system components is the Registry Editor known for storing low-level system and installed programs settings. There are two specific keys that are usually targeted by ransomware threats like Everbe 2.0 and they are Run and RunOnce. This could be explained by the fact that these two registry sub-keys manage the automatic execution process of all files and objects essential for the smooth system performance. So by adding malicious values under these sub-keys the ransomware becomes able to run all necessary infection files on each system start.
The manipulation of their functionalities could also help Everbe 2.0 to display its ransom note on the screen at the end of the attack. As of the note associated with this crypto virus it is dropped on the system under the name !=How_to_decrypt_files=!.txt and all it reads is:
Hello ! All your files have been encrypted !
Don’t worry , we can help tou to return all of your files .
If you want to know price for decryptor , write to our email – email@example.com
In the subject write – id-[redacted 11 numbers]
Every 7 days price doubles.
If within 24 hours we didn’t answer you , write to our backup mail – firstname.lastname@example.org .
Everbe 2.0 Ransomware – Data Encryption Process
After all needed modifications are implemented Everbe 2.0 initiates a scan of predefined drives and folders in order to locate target files and encode them with strong cipher algorithm. Alike previous versions of Everbe ransomware that are associated with the extensions .Everbe, .eV3rbe, and .thunder, Everbe .divine could be using the strong AES cipher for alteration of files code. As of the files targeted by the ransomware they may be all of the following:
- Audio files
- Video files
- Document files
- Image files
- Backup files
- Banking credentials, etc
So upon encryption all corrupted files remain inaccessible due to the changes of their original code. In addition, they are all marked with the following string of extensions:
Their code could be reverted back with the help of alternative efficient recovery solutions which could help you to avoid paying criminals the ransom as well. Some tested by our team are listed in the guide that follows. So make sure to check all the information presented in step “Restore files encrypted by Everbe 2.0” as it could help you to find a way to restore a few to all of encrypted .divine files.
Also don’t forget that soon or later security experts could crack the code of this Everbe variant and release publicly a free decryption tool.
Remove Everbe 2.0 Ransomware and Restore .divine Files
Below you could find how to remove Everbe 2.0 step by step. To remove the ransomware manually you need to have a bit of technical experience and ability to recognize traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So as recommended by security researchers you need to utilize an advanced anti-malware tool for its complete removal. Such a tool will keep your system protected against devastating threats like Everbe 2.0 ransomware and other kinds of malware that endanger your online security.
After you remove the ransomware make sure to check the “Restore Files” step listed in the guide below. But before you take any further actions, don’t forget to back up all encrypted files to an external drive in order to prevent their irreversible loss.