A new ransomware has been reported over security forums to encrypt massively user file s with the .73i87a extension using infected setup programs. One user reported that the downloaded setup file was different than what he believed to have downloaded – a GPS software called iGO 8.0. Users who have become victims of the .73i87a ransomware are strongly advised to remove the ransomware first before starting to restore their files, instructions for which we have after this report.
|Short Description||The malware may encrypt user files, asking for ransom payment to decrypt them.|
|Symptoms||User may witness a ransom note plus his files becoming corrupt and having the .73i87a extension after their names.|
|Distribution Method||Via PUPs, installed by bundling (Browser Hijackers) or by visiting a suspicious third-party site that is advertising it.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by .73i87a Ransomware|
|User Experience||Join our forum to follow the discussion about .73i87a Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
How Did I Get .73i87a Ransomware
This ransomware is primarily distributed via infected setup.exe files uploaded online. Such files may usually be found on suspicious third-party websites being shared over forums, Referral Spam, like Traffic2Cash or be advertised via an ad-supported program, such as DNS Unlocker.
Another method of distribution this ransomware may use are spam emails that may either contain infected links or malicious .ZIP, .RAR attachments. There were even cases reported where malicious Word Macros have been used.
.73i87a Ransomware – What Does It Do
Once activated on your computer, the cyber threat may deploy its payload files in the following most commonly used by ransomware folders:
The files may be of the following file formats:
→.tmp, .dll, .exe, .bat, .sys, .cpl
Examples of the file names used by the ransomware may be random names such as “81g28d12d12d1.dll” or names that resemble official Windows processes such as “explorer.exe”. They may also resemble a program, such as “iGO.tmp” for instance.
After delivering its payload, the ransomware may create registry entries that schedule its payload programs to run on system startup, for example:
→In the key “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” or ”HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” the value:
With data to run “81g28d12d12d1.dll” on system startup.
Once this has been setup, the ransomware may scan for files to encrypt and perform the encryption setting the .73i87a browser extension after the files, for example:
The cyber threat then may leave a ransom note with instructions for the user about paying the ransom money to decrypt the files. Ransomware “businessmen” may even negotiate about the ransom money. Users are strongly advised NOT to pay them and look for other alternatives on restoring their files, methods for which we have suggested below. By paying the ransom, you fund the cyber-crime organization to spread the ransomware to more computers and develop it even further, adding more features and strengthening weaknesses. This also helps them to make the encryption algorithm stronger, increasing the decryption difficulty.
The good news is that the ransomware has not been reported to delete system restore points or shadow volume copies, so you may still have a chance to restore your data.
Remove .73i87a Ransomware
To cleanly and fully remove the .73i87a extension Ransomware, you should make sure to isolate any third-party applications and processes that may conceal the payload by booting into Safe Mode. You may also require the assistance of a specific anti-malware program that will look for the concealed payload and its registries, since the ransomware may generate random names and different files for the specific infection.
Restore Your Files
To attempt getting back your files it is recommended to attempt recovering them with the following methods:
To restore your data, your best bet is to check again for shadow volume copies using this software:
The other method of restoring your files is by trying to bring back your files via data recovery software. Here are some examples of data recovery programs:
- Stellar Phoenix Data Recovery Technicians License(Pro version with more features)
- Data Recovery Pro by Pareto Logic
- Stellar Phoenix Windows Data Recovery
- Stellar Phoenix Photo Recovery