Remove .73i87a Ransomware and Restore Encrypted Files

A new ransomware reported on security forums encrypts user files en masse, appending the .73i87a extension to each, and is delivered through trojanized setup programs. One user reported that the setup file he downloaded was not what he believed he had downloaded, a GPS navigation program called iGO 8.0. Users whose files have been encrypted by the .73i87a ransomware are strongly advised to remove the ransomware first and only then attempt to restore their files; instructions for both follow after this report.

Name: .73i87a Ransomware
Type: Ransomware Trojan
Short Description: The malware encrypts user files and demands a ransom payment to decrypt them.
Symptoms: A ransom note appears and the user's files no longer open, their names now ending in the .73i87a extension.
Distribution Method: Trojanized setup programs downloaded from suspicious third-party sites; also via potentially unwanted programs (PUPs) installed by software bundling, such as browser hijackers, or via ad-supported programs advertising the download.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by .73i87a Ransomware
User Experience: Join our forum to follow the discussion about .73i87a Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files. It may recover only some of the encrypted files, not all of them, depending on the situation and on whether the drive has been reformatted since.


How Did I Get .73i87a Ransomware?

This ransomware is primarily distributed via trojanized setup.exe files uploaded online. Such files are typically found on suspicious third-party websites, shared on forums, pushed through referral spam such as Traffic2Cash, or advertised by ad-supported programs such as DNS Unlocker. Before running any installer obtained outside the vendor's own site, compare its hash with the value the vendor publishes and check that its digital signature is valid and issued to that vendor.

Another distribution method the ransomware may use is spam e-mail carrying either malicious links or malicious .ZIP and .RAR attachments. Cases in which malicious Word macros were used have also been reported.

.73i87a Ransomware – What Does It Do?

Once executed on the computer, the threat may drop its payload files in the folders most commonly used by ransomware:

%temp%
%AppData%
%User%
%System%

(%User% and %System% are not standard Windows variable names as written; most likely they stand for %UserProfile% and %SystemRoot%\System32.)

The payload files may use the following extensions:

.tmp, .dll, .exe, .bat, .sys, .cpl

Payload file names may be random strings such as “81g28d12d12d1.dll”, may imitate legitimate Windows processes such as “explorer.exe” (the genuine one lives under %SystemRoot%; a same-named copy anywhere else is suspect), or may resemble the program the victim thought they were installing, such as “iGO.tmp”.

After dropping its payload, the ransomware may create registry entries that launch the payload at every startup, for example:

Under the key “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” or “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”, the value:
(Default)
with data that runs “81g28d12d12d1.dll” on system startup. Since a .dll cannot be launched on its own, expect such value data to wrap it in a loader such as rundll32.exe.
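The two behaviours described above, payload files dropped into the listed folders and an autostart value under the Run keys, can be checked on a suspected machine with the following triage script. This is an added example written for this article, not code from the original report or from any vendor; it is read-only and should be run from an elevated PowerShell prompt. The 7-day window, the list of imitated Windows binaries, the "random-looking name" regex and the set of Run/RunOnce keys inspected are assumptions chosen for the example, not indicators taken from the report.

```powershell
# Added triage example (not code from the original article). Read-only: lists payload-type
# files recently written to the drop folders named above and flags Run/RunOnce autostart
# entries that point into those folders. Run from an elevated PowerShell prompt.
# Assumptions: the 7-day window, the imitated-binary list and the "random name" regex
# are heuristics chosen for this example, not indicators from the report.

$LookbackDays      = 7
$PayloadExtensions = '.tmp', '.dll', '.exe', '.bat', '.sys', '.cpl'

# The article's %User% and %System% are not real variables; the profile folder is used here.
$DropFolders = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Genuine Windows binaries live under %SystemRoot%; a same-named file elsewhere is suspect.
$SystemBinaryNames = 'explorer.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe', 'services.exe'
$Since = (Get-Date).AddDays(-$LookbackDays)

$dropped = foreach ($folder in $DropFolders) {
    Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -and $PayloadExtensions -contains $_.Extension } |
        ForEach-Object {
            $flags = @()
            if ($SystemBinaryNames -contains $_.Name -and
                -not $_.FullName.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'mimics-windows-binary'
            }
            # Long alphanumeric names mixing digits and letters, like 81g28d12d12d1.dll
            if ($_.BaseName -match '^(?=.*\d)(?=.*[a-z])[0-9a-z]{10,}$') { $flags += 'random-looking-name' }
            if ($_.Extension -in '.exe', '.dll', '.sys', '.cpl') {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            }
            [pscustomobject]@{
                Written = $_.LastWriteTime
                Path    = $_.FullName
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                Flags   = $flags -join ','
            }
        }
}
"== Payload-type files written to drop folders in the last $LookbackDays days =="
# %UserProfile% contains the other folders, so the same file can be seen twice: dedupe by path.
$dropped | Sort-Object Path -Unique | Sort-Object Written -Descending | Format-Table -AutoSize -Wrap

# Autostart entries. Get-ItemProperty hides the (Default) value, so read names from the key
# object; the empty-string name is (Default), which the report says this ransomware uses.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autostart = foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if (-not $command) { continue }
        $display = if ($name -eq '') { '(Default)' } else { $name }
        # A bare .dll cannot autostart; look for it behind a loader such as rundll32.exe.
        $suspicious = ($DropFolders | Where-Object { $command -like "*$_*" }) -or
                      ($command -match '\.(dll|tmp|cpl)\b') -or
                      ($command -match 'rundll32|regsvr32')
        [pscustomobject]@{
            Key        = $key
            Value      = $display
            Command    = $command
            Suspicious = [bool]$suspicious
        }
    }
}
"== Run/RunOnce autostart entries (Suspicious = references a drop folder or a DLL loader) =="
$autostart | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Record the SHA-256 of anything flagged before removing it; the hash is what lets you check the sample against public scanners and what ties this infection to other reports of the same ransomware. The script deliberately changes nothing, so it can be run before and after the removal steps below to confirm the autostart entry is gone.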

Once persistence is set up, the ransomware may scan for files to encrypt and, after encrypting each one, append the .73i87a file extension to its name, for example:

  • YourFamilyPhoto.jpg.73i87a

The threat then may leave a ransom note with instructions on paying for decryption. The operators may even negotiate over the amount. Users are strongly advised NOT to pay and to try other ways of restoring their files, which we suggest below. Paying the ransom funds the criminal operation: it pays for spreading the ransomware to more computers and for developing it further, adding features and fixing weaknesses, including any implementation flaws in the encryption that researchers might otherwise have used to build a free decryptor.
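Before touching anything, it helps to know how far the encryption got: which file types and folders were hit, how long the run lasted, whether network shares were reached, and where the ransom note is. The script below does that inventory; it is an added example for this article, not code from the original report, and it is read-only. The drives scanned, the set of note-like extensions and the "same file name in at least three affected folders" heuristic are assumptions made for the example; the article does not name the ransom-note file.

```powershell
# Added scoping example (not code from the original article). Read-only: inventories the
# .73i87a files on the machine and looks for the ransom note next to them. Assumptions:
# the drives scanned, the note extensions and the "same file in 3+ affected folders"
# heuristic are choices for this example; the article does not name the note file.

$Extension = '.73i87a'
$Roots     = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object Root

$encrypted = @(foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension }
})
if ($encrypted.Count -eq 0) { "No $Extension files found under: $($Roots -join ', ')"; return }

# The original extension is the one just before .73i87a: YourFamilyPhoto.jpg.73i87a -> .jpg
"== Encrypted files by original type =="
$encrypted |
    Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'OriginalType'; e = { if ($_.Name) { $_.Name } else { '(none)' } } },
                  Count,
                  @{ n = 'TotalMB'; e = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) } } |
    Format-Table -AutoSize

# Encryption window and affected folders: how long it ran, and whether shares were hit.
$byTime = @($encrypted | Sort-Object LastWriteTime)
$first  = $byTime[0].LastWriteTime
$last   = $byTime[-1].LastWriteTime
$dirs   = @($encrypted | Select-Object -ExpandProperty DirectoryName -Unique)
"== $($encrypted.Count) files in $($dirs.Count) folders, written between $first and $last =="
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Ransom notes are usually dropped once per affected folder during the run, so look for an
# unencrypted text/HTML file with the same name in several affected folders, written within
# an hour of the encryption window.
$NoteExtensions = '.txt', '.html', '.htm', '.hta', '.url', '.bmp'
$candidates = foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -ne $Extension -and
            $NoteExtensions -contains $_.Extension -and
            $_.LastWriteTime -ge $first.AddHours(-1) -and
            $_.LastWriteTime -le $last.AddHours(1)
        }
}
"== Ransom note candidates (keep one copy; it identifies the family and the contact channel) =="
$candidates | Group-Object Name |
    Where-Object { $_.Count -ge [math]::Min(3, $dirs.Count) } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FullName } } |
    Format-Table -AutoSize -Wrap
```

Keep one copy of the note and one encrypted file together with its unencrypted original if you still have one (a backup, an e-mail attachment); that pair is what identification services and researchers need to tell whether a decryptor exists for this family.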

The good news is that this ransomware has not been reported to delete System Restore points or Volume Shadow Copies, so you may still have a chance to restore your data. “Not reported” is not a guarantee, though: confirm on the affected machine itself (for example with vssadmin list shadows from an elevated prompt) before counting on them.

Remove .73i87a Ransomware

To cleanly and fully remove the .73i87a ransomware, boot into Safe Mode so that third-party applications and processes that may conceal the payload do not start. Because the ransomware may generate random file names and different files for each infection, you may also need a dedicated anti-malware program to find the concealed payload and its registry entries. Before you begin, disconnect the machine from the network so the infection cannot reach shares or other computers, and if you may need the evidence later, image the disk first.

1. Boot your PC in Safe Mode to isolate and remove .73i87a Ransomware
2. Remove .73i87a Ransomware with SpyHunter Anti-Malware Tool
3. Remove .73i87a Ransomware with Malwarebytes Anti-Malware
4. Remove .73i87a Ransomware with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryption by .73i87a Ransomware in the future

Restore Your Files

To attempt to get your files back, try the following methods. Your best bet is to check again for Volume Shadow Copies, using this software:

Shadow Explorer
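Shadow Explorer reads the same snapshots that Windows itself exposes through the Volume Shadow Copy service, so the check in the paragraph above ("not reported to delete shadow copies") and the restore step here can be done without extra software. The following script, an added example for this article and not code from the original report or from Shadow Explorer, lists the shadow copies of the volume holding the encrypted files, links the newest snapshot taken before the encryption started into a folder, and copies the original of every .73i87a file back next to it. Run it elevated and only after the malware has been removed. The folder in $Target, the link path $MountPoint and the .restored suffix are assumptions for the example.

```powershell
# Added restore example (not code from the original article). Checks whether Volume Shadow
# Copies still exist for the volume holding $Target, exposes the newest pre-encryption
# snapshot through a directory symlink (the same source Shadow Explorer browses), and copies
# the original of every .73i87a file under $Target back beside it. Run elevated, after the
# malware has been removed. Assumptions: $Target, $MountPoint and the .restored suffix.

$Extension  = '.73i87a'
$Target     = "$env:USERPROFILE\Documents"   # folder with encrypted files (assumption)
$MountPoint = 'C:\vss_restore'               # where the snapshot gets linked (assumption)

# 1. Shadow copies for the volume that holds $Target. Win32_ShadowCopy.VolumeName is a
#    \\?\Volume{GUID}\ path that matches Win32_Volume.DeviceID, not a drive letter.
$driveLetter = (Get-Item -LiteralPath $Target).PSDrive.Name + ':'              # e.g. C:
$volumeId    = (Get-CimInstance -ClassName Win32_Volume |
                Where-Object DriveLetter -eq $driveLetter).DeviceID
$shadows     = @(Get-CimInstance -ClassName Win32_ShadowCopy |
                Where-Object VolumeName -eq $volumeId |
                Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies exist for $driveLetter (compare: vssadmin list shadows). Fall back to file-recovery tools."
    return
}
"== Shadow copies for $driveLetter, newest first =="
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 2. Use the newest snapshot taken BEFORE the encryption started; a snapshot made after the
#    infection already contains the encrypted versions.
$encrypted = @(Get-ChildItem -LiteralPath $Target -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue)
if ($encrypted.Count -eq 0) { "No $Extension files under $Target"; return }
$encryptionStart = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
$snapshot = $shadows | Where-Object { $_.InstallDate -lt $encryptionStart } | Select-Object -First 1
if (-not $snapshot) { Write-Warning "Every shadow copy postdates the encryption; the files in them are encrypted too."; return }

# 3. Expose the snapshot as a folder. mklink needs the trailing backslash on the device path.
if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }
cmd /c mklink /d "$MountPoint" "$($snapshot.DeviceObject)\" | Out-Null

# 4. The original path is the encrypted name minus .73i87a; read it from the snapshot and
#    write it beside the encrypted copy. Do not overwrite or delete the encrypted file until
#    the restored one has been opened and checked.
$restored = 0; $missing = 0
foreach ($file in $encrypted) {
    $originalPath = $file.FullName.Substring(0, $file.FullName.Length - $Extension.Length)
    $shadowPath   = $MountPoint + $originalPath.Substring($driveLetter.Length)   # C:\vss_restore\Users\...
    if (Test-Path -LiteralPath $shadowPath) {
        Copy-Item -LiteralPath $shadowPath -Destination "$originalPath.restored" -Force
        $restored++
    } else {
        $missing++   # file was created or moved after the snapshot was taken
    }
}
cmd /c rmdir "$MountPoint" | Out-Null   # removes only the link, never the snapshot
"Restored $restored file(s) as *.restored; $missing had no copy in the $($snapshot.InstallDate) snapshot."
```

Files that were created or moved after the last snapshot, and anything on a volume without shadow copies, will not come back this way; those are the cases for the data-recovery software below. Remember that later ransomware families do wipe shadow copies routinely, so the check in step 1 is worth running on every infected machine, not just for this one.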

The other option is to try to bring your files back with data recovery software, such as the recovery tool listed in the table at the top of this article. Such tools scan the drive for remnants of deleted originals, so they work best if the disk has not been written to much since the encryption.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
