A new ransomware infection that appends the file extension [email protected] has been reported by malware researchers to wreak havoc on the computers it infects. The malware has the sole purpose of encrypting the files on the compromised computer and then leaving behind the e-mail of the crooks as a file extension. The virus then drops a ransom note named Readme.txt, which contains the extortion instructions and gives a 96-hour deadline to contact the e-mail; otherwise the files could be lost indefinitely. If your computer has been infected by [email protected] ransomware, we advise you to read this article and learn how to remove this virus and restore files that have been encrypted by it on your computer.
|Short Description||Aims to encrypt the files on the computers infected by it and then demands a ransom payoff to get the files back.|
|Symptoms||Files are encrypted with an added [email protected] file extension and can no longer be opened. A Readme.txt ransom note also appears.|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.|
[email protected] Ransomware – Distribution
In order to spread it, the cyber-criminals behind the [email protected] file ransomware may use different methods. They may upload the infection files of the virus as fake programs, installers of games or even game key generators and software license activators. In addition to this, the cyber-crooks may also send the infection file in the form of a document over e-mail. The attachment may be accompanied by a convincing message, like the following:
[email protected] Files Virus – More Information
Once your computer becomes infected by the [email protected] files ransomware, the malware connects to a distribution site via an unsecured port on your computer. After this, it drops the payload of the ransomware virus on your computer. It may consist of more than one executable file and these files are of different formats and may have different, often random names. The files may be located in the most commonly targeted Windows folders:
After this ransomware virus has infected your computer, it may begin to modify it. For starters, the [email protected] ransomware may create registry sub-keys with values in them that aim to run its encryption executable during Windows boot. To do this, the virus may target the following Windows Registry sub-keys:
The value strings that the [email protected] ransomware creates may contain data with the actual location of the malicious file responsible for the encryption.
In addition to modifying the Windows Registry, the .libby[email protected] ransomware virus may also delete the shadow volume copies of the infected computer via the vssadmin and bcdedit commands:
→ vssadmin delete shadows /for=
After those commands are executed with the right parameters, the shadow copies of the infected machine are deleted and there is no way to restore the files using Windows. The virus may then drop its Readme.txt ransom note, which has the following contents:
Your files are encrypted.
In case of renaming a file, the file will become unsuitable for decryption. Even we will not have a chance to restore them.
To return your files you have 96 hours. Write to us.
Our email: [email protected]
ATTENTION. To email ([email protected]) write messages only from these e-mail services.
From other email services, messages may not be received by us.
ATTENTION. We will reply you within 24 hours. If there is no response from us, please send your message again.
Tor email: [email protected]
To register tor e-mail, use the service http://torbox3uiot6wchz.onion (Open only to the tor browser)
Send 3 files, each <2 MB (only pictures, text documents or shortcuts). We will decipher them for free, to confirm that we can help you. Wait for further instructions. YOUR KEY.
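For defenders, the shadow-copy deletion described before the ransom note is one of the few steps of this infection that leaves a recognisable command line in process-creation logs. The following is an added example, not code from the original article or from any vendor: it matches the vssadmin command quoted above, the bcdedit arguments are an assumption (the article names the tool only), and the host names and log records are constructed.

```python
import re

# (rule name, tool, pattern over the arguments that follow the tool name).
# The vssadmin rule follows the command quoted in the article; the bcdedit
# arguments are an assumption, since the article names the tool only.
RULES = [
    ("shadow_copy_delete", "vssadmin", re.compile(r"\bdelete\s+shadows\b")),
    ("recovery_disabled", "bcdedit",
     re.compile(r"/set\b.*\brecoveryenabled\s+no\b")),
    ("boot_failures_ignored", "bcdedit",
     re.compile(r"/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]

def normalize(cmdline):
    """Lower-case, strip quotes and cmd.exe carets, collapse whitespace."""
    s = cmdline.lower().replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", s).strip()

def match_rules(cmdline):
    """Return the names of the rules one command line triggers, in rule order."""
    s = normalize(cmdline)
    hits = []
    for name, tool, args in RULES:
        # The tool may carry a path or .exe suffix and may sit behind a
        # wrapper such as "cmd.exe /c", so search the whole line.
        invocation = r"(?:^|[\\/\s&|])" + tool + r"(?:\.exe)?\s+(.*)"
        if any(args.search(m.group(1)) for m in re.finditer(invocation, s)):
            hits.append(name)
    return hits

# Constructed process-creation records (host, command line), shaped like the
# command-line field of Security 4688 or Sysmon event ID 1.
SAMPLE_EVENTS = [
    ("WS-014", "vssadmin list shadows"),
    ("WS-022", r'"C:\Windows\System32\vssadmin.exe" Delete  Shadows /All /Quiet'),
    ("WS-022", "cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ("WS-031", "bcdedit /enum"),
]

def scan(events):
    """Return (host, rule) pairs for every event that matches a rule."""
    return [(host, rule) for host, cmd in events for rule in match_rules(cmd)]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"ALERT {host}: {rule}")
```

Read-only invocations such as listing shadow copies or enumerating boot entries produce no alert, so the rules can run against routine administration logs.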
[email protected] – Encryption
The [email protected] virus uses an encryption algorithm whose primary purpose is to render the files on the victim’s computer impossible to open. To encrypt files, the [email protected] ransomware targets specific documents, audio files, image files, archives and other often used files, which may have the following file extensions:
“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
After the encryption process by [email protected] ransomware has completed, the ransomware adds its distinctive file extension, so the files begin to appear like the following:
Remove [email protected] Ransomware and Restore Files
If you want to remove this ransomware infection completely from your computer system, it is strongly recommended to begin by following the steps in the instructions below. They are specifically designed to help you isolate and remove the [email protected] virus either manually or automatically. Be advised that for maximum effectiveness, experts always recommend using anti-malware software specifically designed for removal, which will help to fully detect and remove all malicious files related to [email protected] ransomware from your computer.
If you want to restore files that have been encrypted by this ransomware on your computer, it is recommended to try the alternative methods in step “2. Restore files encrypted by LibbyWovas” below. They may not be 100% effective, but may help you to recover most of your data.