A ransomware virus that is a part of the XTBL/CrySiS malware group has been reported to infect users. Dubbed Malevich, the virus may use a powerful AES-128 encryption algorithm to encode the files of the infected computers asking the users of those computers to pay a hefty fee to gain access back to their files. Everyone who has become a victim of the Malevich ransomware virus should read this article to get familiar with methods of removing it from any infected computers and alternative ways to restore the encrypted files.
|Short Description||The ransomware encrypts files with the AES-128 cipher and ask a ransom for decryption.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by Malevich |
Malware Removal Tool
|User Experience||Join our forum to Discuss Malevich Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Malevich Ransomware – Distribution
For it to be widespread, the creators of Malevich ransomware may use a variety of tools and strategies to make a successful infection:
- Malware obfuscation software to hide the malicious files of Malevich ransomware from any protection and real-time shields.
- File joiners to embed the virus in Microsoft Office documents’ macros or other types of files.
- Spam bots or other spamming services to spread the virus via malicious e-mails and malicious URLs all over the web.
- Online domains and hosting services by third-parties for the C&C servers of the virus.
These tools in combination may be used with the malicious executable of Malevich ransomware to spread it in social media, chat services, as comments or replies on websites and other places as well. It may also be featured as a file attachment in spam e-mail messages that make it appear as if it as a legitimate document.
Malevich Ransomware – What Does It Do?
One particular activity this virus is involved in, is that it may connect to the command and control servers of the cyber-criminals and send information about:
- The version of the operating system of the victim’s computer.
- The security software installed.
- State of the network connection and settings.
- The IP addressing and regions of the affected computer.
This information may be used by the cyber-criminals to drop the malicious files belonging to Malevich ransomware on the compromised computer. The malicious files that have been dropped may be located in several different locations, for instance:
The Malevich virus may also drop files in the startup folder of Windows which is:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup – for all users
The files that are dropped may be the ransom note files, that could be the following types:
→ .hta, .html, .txt, .bmp, .jpg, .bmp
In addition to them, a malicious .exe file may also be dropped in the %Startup% directory to run on Windows boot. This is typical for most Troldesh, Shade variants and this executable is usually the one pre-programmed to encrypt files with the following file extensions:
→ .odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps
After the files have been encrypted, the Malevich ransomware uses it’s own distinctive file extension that includes:
- Unique 7 digit identification.
- The e-mail address to contact the cyber-criminals.
- The .xtbl or .CrySiS file extension.
After encryption, the Malevich Ransomware may display it’s ransom note every time Windows boots up and encrypt files that are newly added.
Malevich Ransomware – Remove It and Restore Your Files
To remove the Malevich virus completely from your computer, it is advisable to follow the instructions illustrated below. They are created so you won’t have to take your computer to a professional expert and pay money for the removal of the Malevich virus. In case you are having trouble in manually removing this virus, experts strongly recommend using an advanced anti-malware program that will automatically take care of this ransomware from your computer.
In addition to this, in case you are looking for a method to restore your files, we urge you to be patient since malware researchers are currently working on a decrypter. In the meantime, you may want to try the alternative file restoration methods from the steps below.