A new ransomware virus has been detected at the end of June 2017, calling itself aZaZeL. It demands 0.1 BTC ransom payoff to restore the files it has encrypted. These files have the .Encrypted file extension added to them and along with them a file named File_Encryption_Notice.txt is also added which aims to notify victims of their situation. In case you have become a victim of the aZaZeL Virus we advise you to read this article thoroughly.
|Short Description||Encrypts the files on the computers infected by it. Demands a payoff of 0.1 BTC for their decryption.|
|Symptoms||A file is dropped on the computer, named File_Encryption_Notice.txt|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
|Detection Tool|| See If Your System Has Been Affected by aZaZel |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss aZaZel.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
How Does aZaZeL Virus Spread ?
One particular technique used by the aZaZeL ransomware to infect victims is to utilize Microsoft Word document and in it embed malicious macros. This infects your computer after you click on the “Enable Content” button of the document to read the contents. Usually such documents are not detected if sent as e-mail attachments, simply because the macros within them are heavily obfuscated. Such e-mails may convince victims that the documents are of important nature and they must be opened immediately, for example:
Other methods by which you could end up being a victim of aZaZeL ransomware are to download it as a fake setup, key generators and patches or game cracks.
aZaZeL Ransomware – More Information
Once your computer becomes infected by aZaZeL ransomware, the virus may immediately drop it’s malicious files on the computer infected by it. The main malicious files of aZaZeL has a completely random name and Is .exe file type. This file and other support malicious modules may be dropped in the usually targeted Windows directories, which are:
After the malicious files of aZaZeL ransomware are dropped on the computer of the user, the virus may obtain administrative privileges by injecting malicious code in Windows processes. From there, it may attack the Windows Registry Editor, modifying the Run and RunOnce registry sub-keys, located in:
Another malicious activities which the aZaZeL ransomware may perform is to delete the shadow volume copies of the infected computer system by executing Windows Command Prompt commands as an administrator in Windows:
→ vssadmin delete shadows /all /quiet
Among the activity of aZaZeL ransomware is to drop it’s ransom note which is called File_Encryption_Notice.txt and has the following notification to victims:
Your files are encrypted!!!
Your documents,photos, databases & other important files have been encrypted with
strongest encryption & unique key, generated for this computer.
We offer you to purchase special application for recovery access to your encrypted
files. Getting the decryptor is the only opportunity not to loose your file from pc
Your lock id:
Without a decryption tool it is imposible to recover your files. So
keep your lock id very safe else you can never recover your files.
It will be better if you note it somewhere outside your pc on the paper.
To purchase the decryption tool follow these steps:
1.Register a Bitcoin(BTC) wallet at (www.blockchain.info/wallet/new)
(Properly note your Bitcoin wallet address and Identifier address which you require to login to your BTC wallet)
2.If you dont have Bitcoins, you can buy them at (www.coinmama.com)
Here are the detail steps which will help you to buy buitcoins
Step 1: Goto (www.coinmama.com/register) and register your account there using your email id.
Step 2: After you register an account, you need to Signup/Login to your coinmama account.
Step 3: Then Choose the amount of Bitcoin (0.1 BTC) you need to buy.
Step 4: Choose a method of payment. You need to select the one of the available methods of payment
(Recommended: Western union or Moneygram)
Step 5: Note the details given for money transfer(eg:account holder’s name, address,etc)
Step 6: Deposit the given amount of money in Western union or Moneygram near your location to the given details.
Step 7: After you deposit the cash, you will receive a transfer receipt with important information (eg:MTCN number).
Step 8: Only then goto next step (i.e. Complete your order) to assure a successful transfer.
Step 9: Copy the exact information as stated on your transfer receipt in the form.
Step 10: Enter your Bitcoin wallet address properly in the form then update order.
Your order will be processed once your transfer clears in their account.
They will update you by email, moments after sending your Bitcoins.
Other site to buy Bitcoins (www.localBitcoins.com)
(First time Bitcoin buyers guide available at (https://en.Bitcoin.it/wiki/First-time_buyers_guide)
3.After you buy Bitcoins, transfer Bitcoins to the details given below
# Amount to transfer: 0.1 BTC(approx.$46 US Dollars)
# Transfer to bitcoin address: 1MaBogxRSscjxsdcsEr6ymtkV9SdGLfuxf
**Check bitcoin address properly before payment**
Only after the payment
Mail us to receive the decryption tool
# Mail to: [email protected]
# Subject: Decryptor Request
# Message: Message us the following details:
1.Your lock id (see at the top)
2.Email id: Your email id in which you wish to receive the decryptor.
3.BTC address: Your bitcoin wallet address from which you have made the payment.
(You can also mail us to get a guide on How to buy Bitcoins)
Donot try to rename or be oversmart with those encrypted files, else they cant be
decrypted back & you will loose them forever.
#Files EnCrYpTeD by aZaZel
aZaZel Ransomware – Encryption Process
During the encryption process, aZaZel ransomware is very careful not to encrypt files vital for the usage of Windows. The ransomware virus aims to avoid system folders for that matter and only encrypts files that are often used, like the following file types:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
After the encryption process has completed, the virus appends the .Encrypted file extension to the files that have been enciphered. The files can no longer be opened and look like the image at the beginning of this article.
Remove aZaZel Ransomware and Restore .Encrypted Files
Before beginning the removal process of this ransomware infection, we advise you to backup the encrypted files. Then, you can initiate the removal process of the ransomware infection preferably by following the removal manual below. But bear in mind that since aZaZel creates multiple objects and may interfere with important Windows files, a ransomware specific tool should be used to remove the virus automatically.
If you want to restore the files that have been encrypted by this ransomware virus, you can try so if you use the alternative methods which we have suggested in the instructions below. They are located in step “2. Restore files encrypted by aZaZel”.