Remove [email protected] Ransomware and Restore .Zip Encrypted Files

Ransomware belonging to the ACCDFISA family has become a concern for malware researchers. It has been reported to encrypt the files of the computers it infects, appending the extension “(!! to get email id password {Unique ID} to [email protected] !!)” to every file it encodes. The virus is also believed to archive the files, converting them into the .zip format, and it may rename them as well. Users infected by the Auinfo16 ransomware are strongly advised to read this material thoroughly to learn how to remove [email protected] ransomware from their computers and try to get their files back.

Threat Summary

Name: [email protected]
Type: Ransomware
Short Description: [email protected] ransomware encrypts user files with what appears to be AES encryption and asks for ransom money for decryption, varying from hundreds to thousands of dollars.
Symptoms: The user may witness various ransom notes dropped on the desktop by [email protected], a changed wallpaper and several legitimate-looking Windows processes, like svchost.exe, running from unknown locations on the computer.
Distribution Method: Via an exploit kit, JavaScript, other malware or PUPs.
Detection Tool: See if your system has been affected by [email protected] (download the malware removal tool).
User Experience: Join our forum to discuss [email protected] ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Ransomware – Infection Distribution

To infect victim computers successfully, [email protected] ransomware might use so-called process obfuscation, exploit kits, JavaScript and other tools which conceal its malicious files while they are being dropped on the computer.

Also, the creators of [email protected] ransomware might use software that automatically spams messages over the web. Such software is known as spam bots, and the e-mails sent by these ransomware makers may carry different content:

  • URLs which are malicious and can cause browser redirects and drive-by downloads, infecting the user’s computer with malware.
  • E-mail attachments containing heavily obfuscated executables or other files which appear to be legitimate Microsoft Office or Adobe Reader files.

Another viable technique for spreading these viruses is using adware or other unwanted programs, such as browser hijackers. This software delivers advertisements and may even cause browser redirects at times. Such ad-supported programs can be installed silently, bundled with the installers of freeware downloaded from third-party websites. Since the makers of those applications may not care what type of URLs they advertise, users are advised to remove such apps on sight.

[email protected] Ransomware – More Information

After it has been dropped on the victim PC, similar to the other versions of ACCDFISA ransomware, [email protected] might execute a process with the same name and type as the legitimate svchost.exe critical Windows process. This payload may be located in a randomly named folder on the primary drive, for example:

C:\{Random name}\svchost.exe

The malware could also add a registry entry that makes its malicious svchost process run on system boot:

→ In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, the value “C:\{Random name}\svchost.exe”

The malware could also drop its support files, also known as modules, which might be concealed in various Windows folders:

→ %SystemDrive%
%SystemRoot%
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

Some of these files have been reported by malware researchers to have different names and be located in the following Windows folders:

→ %ProgramData%\local\aescrypter.exe
%ProgramData%\local\crdfoftrs.dll
%ProgramData%\local\svchost.exe
%ProgramData%\local\undxkpwvlk.dll
%ProgramData%\local\vpkswnhisp.dll
%Users%\Public\Desktop\how to decrypt aes files.lnk
%Windows%\SysWOW64\csrsstub.exe
%Windows%\SysWOW64\dcomcnfgui.exe
%Windows%\SysWOW64\tcpsvcss.exe
%Windows%\SysWOW64\tracerpts.exe
%Windows%\SysWOW64\ucsvcsh.exe
%Windows%\SysWOW64\wcmtstcsys.sss
%decrypt% decrypt.exe
how to decrypt aes files.lnk
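The Run-key persistence and the drop locations above can be checked from an elevated PowerShell session. This is an added, read-only audit script, not code from the article or from the malware; it assumes the paths listed above map onto %ProgramData%, %SystemRoot%\SysWOW64 and the Public desktop, and treats any Run value that starts svchost.exe from outside System32 as suspicious, because the genuine svchost.exe is never launched from a Run value.

```powershell
# Added example, not part of the article: read-only audit of the persistence
# and drop locations the article attributes to this ACCDFISA variant.
function Find-AuinfoIndicators {
    $findings = @()

    # 1. Run keys: the genuine svchost.exe lives in %SystemRoot%\System32 and is
    #    never started from Run, so a Run value naming svchost.exe outside
    #    System32 (e.g. C:\{Random name}\svchost.exe) is suspicious.
    $sys32 = [regex]::Escape("$env:SystemRoot\System32")
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $cmd = [string]$p.Value
            if ($cmd -match 'svchost\.exe' -and $cmd -notmatch $sys32) {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $cmd }
            }
        }
    }

    # 2. Module and note files named in the article, in the folders it names.
    $known = @(
        "$env:ProgramData\local\aescrypter.exe", "$env:ProgramData\local\crdfoftrs.dll",
        "$env:ProgramData\local\svchost.exe",    "$env:ProgramData\local\undxkpwvlk.dll",
        "$env:ProgramData\local\vpkswnhisp.dll", "$env:Public\Desktop\how to decrypt aes files.lnk",
        "$env:SystemRoot\SysWOW64\csrsstub.exe", "$env:SystemRoot\SysWOW64\dcomcnfgui.exe",
        "$env:SystemRoot\SysWOW64\tcpsvcss.exe", "$env:SystemRoot\SysWOW64\tracerpts.exe",
        "$env:SystemRoot\SysWOW64\ucsvcsh.exe",  "$env:SystemRoot\SysWOW64\wcmtstcsys.sss"
    )
    # 3. A randomly named top-level folder on the system drive holding svchost.exe.
    $known += Get-ChildItem -Path "$env:SystemDrive\" -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'svchost.exe' }

    foreach ($path in $known) {
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256 $hash" }
        }
    }
    return $findings
}

$hits = @(Find-AuinfoIndicators)
if ($hits.Count -eq 0) { 'No indicators from the article were found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Record the hashes it prints before deleting anything, so the samples can be submitted to your anti-malware vendor and the Run value can be matched against the file that was actually on disk.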

After the encryptor of [email protected] ransomware is run, the malware could use routines taken from the well-known WinRAR software, building its own method of archiving the data with a password that may be sent to the servers of the cyber-crooks together with a unique identifier. The identifier is mentioned in the file extension which is added to the encoded files after they have been encrypted. For instance, if the ID number is 111,111,111, files that have been encoded may look like this:

→ Picture.jpg.(!! to get email id password {Unique ID} to [email protected] !!).zip
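The naming convention above can be used to inventory what was hit before attempting any recovery. This is an added example, not code from the article; it assumes the extension has exactly the shape shown (original name, the fixed text, an ID, an address, then .zip), matches the address generically, and checks the ZIP signature because the article says the files are converted into .zip archives.

```powershell
# Added example, not part of the article: list files renamed with the pattern
# <original>.(!! to get email id password <ID> to <address> !!).zip, recover
# the original name and ID, and confirm each one really is a ZIP container.
$script:NamePattern =
    '^(?<orig>.+)\.\(!! to get email id password (?<id>.+?) to (?<addr>\S+) !!\)\.zip$'

function Test-ZipHeader {
    # A ZIP archive begins with the local file header signature 50 4B 03 04.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try { $hdr = New-Object byte[] 4; $n = $fs.Read($hdr, 0, 4) } finally { $fs.Dispose() }
    } catch { return $false }   # locked or unreadable: report as not verified
    return ($n -eq 4 -and $hdr[0] -eq 0x50 -and $hdr[1] -eq 0x4B -and $hdr[2] -eq 3 -and $hdr[3] -eq 4)
}

function Get-EncryptedFileInventory {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Name, $script:NamePattern)
            if ($m.Success) {
                [pscustomobject]@{
                    Encrypted    = $_.FullName
                    OriginalName = $m.Groups['orig'].Value   # e.g. Picture.jpg
                    UniqueId     = $m.Groups['id'].Value
                    Address      = $m.Groups['addr'].Value
                    IsZip        = (Test-ZipHeader -Path $_.FullName)
                    Bytes        = $_.Length
                }
            }
        }
}

# Usage: scan the user profile and keep a CSV for the recovery step; the
# per-ID count shows whether one infection or several have touched the data.
$inventory = @(Get-EncryptedFileInventory -Root $env:USERPROFILE)
$inventory | Export-Csv -LiteralPath "$env:USERPROFILE\encrypted-files.csv" -NoTypeInformation
$inventory | Group-Object UniqueId | ForEach-Object {
    '{0} file(s) tagged with ID {1}' -f $_.Count, $_.Name
}
```

Entries with IsZip set to False were not produced as ZIP archives and should be set aside rather than fed to an archive-recovery tool.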

[email protected] mainly looks for files which are often used, like videos, images, documents, databases and even virtual machine images. It could even be set up to encode all files except the ones that are crucial for Windows to keep running.

After the files have been encoded, just like other ACCDFISA malware, [email protected] may change the wallpaper to a picture containing the ransom note:

[Image: ransom-note wallpaper (“anti-child porn spam protection”)]

Remove [email protected] and Try Restoring the Files

In conclusion, the [email protected] virus should be removed immediately, instead of paying any ransom money. To do so, we encourage you to follow the instructions posted underneath and remove the malicious files of [email protected] from your system. For this to be most effective, malware researchers recommend a more automated approach: scan your PC with an advanced anti-malware program. It will detect and remove the files associated with [email protected] ransomware from the computer completely and protect it in the future as well.

When it comes to decoding the files, at present we cannot locate a solution that has been released. However, researchers are convinced that this virus should be cracked soon. The malware writers have stated in other versions of this virus that they have improved its encryption. This is why we strongly recommend that you be very careful when trying the file-restoration methods in step “3. Restore files encrypted by [email protected] Ransomware” underneath, and that you always make backups before attempting this process yourself.

Manually delete [email protected] from your computer

Note! Important notice about the [email protected] threat: manual removal of [email protected] requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove [email protected] files and objects
2. Find malicious files created by [email protected] on your PC
3. Fix registry entries created by [email protected] on your PC

Automatically remove [email protected] by downloading an advanced anti-malware program

1. Remove [email protected] with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by [email protected] in the future
3. Restore files encrypted by [email protected]
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
