A ransomware virus named the same way as the notorious network connection management tool PuTTy has appeared in the wild. The virus uses Advanced Encryption standard to encode the important files on the computers it infects. After this, the Putty ransomware may request from victims to pay a hefty ransom fee to decrypt files encrypted by the virus. The Putty ransomware may be spread on a global scale, so if your system has been infected by it, we advise you to read the following material.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.|
|Symptoms||The user may witness ransom notes and “instructions”, linking to contacting the cyber-criminals.|
|Detection Tool|| See If Your System Has Been Affected by Putty Virus |
Malware Removal Tool
|User Experience||Join our forum to Discuss Putty Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Putty Ransomware – How Does It Infect
The infection process of Putty begins with it’s methods of distribution. The virus has a payload file which is named CamSnap.exe. This file can be identified with the following SHA256:
Both the CamSnap files are uploaded in VirusTotal, but only one of them has a high detection rate:
This executable (CamSnap) may imitate the installer of a program aiming to make it easier how one takes pictures with his web camera, according to the publisher’s description:
This points out to this ransomware being distributed via fake installers of programs. These installers may be uploaded on Torrent websites as well as sites that offer free software.
Putty Virus – More Information
After the malicious executable is opened, the Putty virus may run an obfuscated script which may inject code into legitimate Windows processes, such as rundll32.exe and svchost.exe. Then, more malicious files may be dropped onto the user’s computer. The files may be located in the following Windows directories:
Then, the Putty virus may execute the vssadmin command used to delete shadow volume copies from the infected computer.
After this command has been initiated, the Putty virus may also take advantage of the Windows Registry editor by modifying different Windows Registry sub-keys within it. The usually targeted of those are the following:
→ HKEY_CURRENT_USER\Control Panel\Desktop\
Putty Ransomware – Encryption Process
As soon as Putty ransomware begins the encryption process, the virus is pre-configured to target files of the following file types:
- Microsoft Office documents.
- PDF documents.
- Archive files.
- Audio files.
- OpenOffice documents.
In addition to this, the ransomware infection also begins to employ the AES (Advanced Encryption Standard) algorithm on the files, making them no longer openable. After the encryption process is complete, Putty ransomware may drop a ransom note type of file on the computer of the victim asking for a hefty payoff to be made to get the encrypted files back.
Remove Putty Ransomware and Restore Files Encrypted by It
For the removal of this virus, we recommend you to follow the removal instructions in this article below. They will help you fully get rid of Putty ransomware’s malicious files. In case you are having difficulties in manually removing this virus, experts advise using an advanced anti-malware program as the best tool for the job, because it will automatically get rid of all malicious objects and protect the system in the future.
In case your system’s files have been encrypted by Putty ransomware, recommendations are to focus on restoring them using the alternative methods in step “2. Restore files encrypted by Putty Virus” below. But, bear in mind that some these methods tamper with the files and you should backup the encrypted data before trying to mess with it.