Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


IRansom Virus and .locked Encrypted Files Remove It and Restore Them

ransowmare-malware-galaxyhiren-ilocked-ransom-note-mainA brand new virus has hit the web, naming itself iRansom and using a .locked file extension on files it encrypts. The virus demands victims to pay approximately 90$ (0.15 BTC) to gain back access to their files. As soon as it infects a computer, iRansom also displays a ransom note besides using encryption to lock all the files of users who have been affected by the malware. Anyone who has been infected by iRansom are advised not to pay any ransom to the cyber-criminals and instead read our article on the matter and remove it completely from your computer as well as attempt to restore the encrypted files.

Threat Summary

Name

iRansom

TypeRansomware
Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to an e-mail address and Bitcoin wallet for payment. Changed file names and the file-extension .locked has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by iRansom.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

The iRansom Virus More Information

iRansom – Distribution and Infection

The iRansom malware is believed to be spread via two main methods – malicious web links and malicious files uploaded online.

The malicious URLs may spread iRansom virus via malicious browser redirects. Such redirections may be caused simply by having an adware PUP on your computer that may advertise suspicious third-party web links or directly cause redirects to them. Another mean of distributing such URLs is by heavily spamming them online on various websites.

When it comes to redistributing malicious files, the files may be disguised as fake setups of programs or fake game patches and key generators uploaded on torrent websites. The most common way of getting infected with ransomware, however still remains to be e-mail spam. There are many cases of spammed messages that have been reported to cause issues by having malicious attachments that pretend to be legitimate documents. Usually, most attachments are archived in order to prevent any detection.

Whatever the case may be, once the user is infected, the virus may be obfuscated so that it’s malicious activity does not raise suspicion by any real-time antivirus protection software. In the meantime, the malware injects code into the legitimate Windows process to gain administrative permissions and download the payload of the iRansom virus, which may be located in:

  • %AppData%
  • %Roaming%
  • %Local%
  • %User’s Profile%
  • %Startup%
  • %SystemDrive%

The malicious files may be executable as well as text files and image files, set in the %Startup% Windows folder to run every time Windows has started. As soon as this has been done the malware begins to encrypt data.

iRansom Virus – Post-Infection Activity

As soon as iRansom has been activated, the virus may immediately begin encrypting the files on the computer it has compromised. On it’s ransom note, the virus claims to use a strong encryption algorithm, but this may not be necessarily true and iRansom could easily be cracked in the near future.

The files the iRansom virus encodes are widely used types of files associated with documents, videos, audio, pictures, databases and others. The iRansom malware may also encrypt other types of files associated with often used programs such as Adobe Photosop, Steam and other file extensions, for example:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com

When the iRansom ransomware begins encrypting the files, it enciphers blocks of data on those files that allows it to render the files no longer openable. The .locked extension is appended to the encrypted files and they look like the following:

locked-file-extension-iransom-ransomware-sensorstechforum

After this has been performed, iRansom displays it’s distinctive ransom note that has the following message to the ones who have become unsuspecting victims:

“Your files have been locked by iRansom!
**Shutting Down or Attempting to stop this, will render your files useless forever!**
{number} total files have been encrypted using the strongest encryption. And a unique key, generated for this computer.
The private key to unlock your files is stored on a hidden Internet database and nothing can decrypt your files until you pay and obtain the private key.
Your private key will be destroyed in: {deadline timer}
To unlock your precious files you must pay a 0.15 bitcoin fee (90%) to the address below!
Wallet ID:
Don’t know how to get bitcoin or set up a wallet?
Sent the Transaction? Email us with your BTC wallet ID: [email protected]

As visible by the ransom note, the virus threatens to render the files useless upon deletion which is a possible indicator that it may have a CBC-mode enabled to do exactly that, similar to other ransomware viruses.

IRansom Ransomware – Conclusion and Removal

As a bottom line, this may just be another low-quality standard ransomware that demands a payment in BitCoin. At this point it is up to malware researchcers to analyze the threat and crack it, developing a free decryptor for it.

In the meantime, we advise you to use the instructions below. They are carefully designed to assist you in the successful removal of iRansom from your computer and they will also help get rid of various virus-related objects, like registry entries and other malware and unwanted programs as well.

Since it requires experience to remove the files and other objects manually we recommend using an advanced anti-malware program that should make sure the removal of iRansom and other malware is full and future protection is automatically ensured.

We will keep updating this article on more about this threat if information on decryptor becomes available. In the meantime you are welcome to try the suggested alternative methods to restore your files below.

Manually delete iRansom from your computer

Note! Substantial notification about the iRansom threat: Manual removal of iRansom requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove iRansom files and objects
2.Find malicious files created by iRansom on your PC

Automatically remove iRansom by downloading an advanced anti-malware program

1. Remove iRansom with SpyHunter Anti-Malware Tool and back up your data

Try to Recover Files Encrypted by iRansom on your computer

Restore files encrypted by iRansom

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.