.cekisan Files Virus - How to Remove It Fully

.cekisan Files Virus – How to Remove It


This article was created to help you remove the .cekisan file ransomware from your computer completely.

A new ransomware strain was recently detected by cybersecurity researchers. The malware aims to encrypt the files on the computers it has compromised and then drop a ransom note file, called Readme_Restore_Files.txt, which aims to convince victims to pay a ransom in order to restore their encrypted files. If your computer has been infected by this ransomware virus, we strongly suggest that you read this article thoroughly.

Threat Summary

Name: .cekisan Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the important files on the computers infected by it and then asks victims to pay a ransom to get the files back.
Symptoms: Files have the .cekisan file extension appended, and a ransom note called Readme_Restore_Files.txt is also dropped on the user's PC.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.cekisan Files Virus – Distribution

The .cekisan file ransomware may use different methods to reach the computers it infects. The malware may be spread via either malicious files or web links that reach victims' computers. If spread via web links, the virus may land on your computer as a result of a web browser redirect to the malicious link, or as a result of adware or a browser hijacker that causes such redirects. Another way to get infected via a web link is to visit an unsafe site and click the link yourself.

Another scenario is that the .cekisan file ransomware has landed on your computer as a result of opening a malicious file of some sort. These files may be sent to you as e-mail attachments, pretending to be important documents, like an invoice or a receipt. They may also be waiting to be downloaded by victims on websites, where they may pose as a program, installer, crack, keygen or other activation software or app.

.cekisan File Ransomware – More Information

Once it has compromised your computer, the .cekisan files virus may drop its payload. It may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %Temp%
  • %LocalLow%
  • %Roaming%

In addition to this, the ransomware also drops its ransom note file, called Readme_Restore_Files.txt. It has the following contents:

Attention!
Do not rename the ciphered files.
Do not try to decrypt your data with the help of the third-party software, it can cause constant data loss.
If you, your programmers or your friends help you to decrypt your files – it can lead to data loss.
You do not joke with files.

My email A654763764@qq.com

In addition to this, the .cekisan ransomware may also add value entries in the following Windows registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop

The .cekisan files virus may also delete the shadow copies on the computers it infects, preferably by running the following Windows commands as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
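
Each of these commands can also occur on its own during normal administration, so a detection is more useful when it looks for several of them on one host within a short span. The following Python example is added here and is not code from the original article; the event format (timestamp, host, command line), the five-minute window, the three-rule threshold and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Service names exactly as the article lists them, lowercased for matching.
SERVICES = {"vvs", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}
SC_STOP = re.compile(r"\bsc\s+stop\s+(\S+)")
RULES = {
    "recovery_disabled": re.compile(r"\bbcdedit\s+/set\s+\S+\s+recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(r"\bbcdedit\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b"),
    "shadow_copies_deleted": re.compile(r"\bvssadmin\s+delete\s+shadows\b"),
}

def classify(cmdline):
    """Return the names of the rules that a single command line matches."""
    # Normalize: lowercase, drop straight/curly quotes and '.exe', collapse spaces.
    s = re.sub("[\"'\u201c\u201d]", "", cmdline.lower()).replace(".exe", "")
    s = re.sub(r"\s+", " ", s)
    hits = {name for name, rx in RULES.items() if rx.search(s)}
    if any(svc in SERVICES for svc in SC_STOP.findall(s)):
        hits.add("service_stop")
    return hits

def correlate(events, window=timedelta(minutes=5), min_rules=3):
    """Alert on hosts where >= min_rules distinct rules fire inside one window.
    events: iterable of (ISO timestamp, host, command line). Threshold is an assumption."""
    per_host = {}
    for ts, host, cmd in events:
        for rule in classify(cmd):
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), rule))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            rules = {r for t, r in hits[i:] if t - start <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts

# Constructed process-creation events (not real telemetry).
SAMPLE = [
    ("2024-01-01T10:00:00", "WS-01", "sc stop wuauserv"),       # lone admin action
    ("2024-01-01T11:00:00", "WS-02", "sc.exe stop WinDefend"),
    ("2024-01-01T11:00:02", "WS-02", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("2024-01-01T11:00:03", "WS-02", '"C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("2024-01-01T12:00:00", "WS-03", "sc stop Spooler"),        # service not on the list
    ("2024-01-01T12:00:01", "WS-03", "vssadmin list shadows"),  # read-only query
]
```

Calling `correlate(SAMPLE)` flags only WS-02, where a service stop, a recovery change and a shadow copy deletion occur within seconds of each other.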

.cekisan Files Virus – Encryption Process

In order to encrypt the files on machines it has already infected, the .cekisan files virus may scan for them, based on their file extensions. The virus may skip encrypting files in the following Windows system directories:

  • %Windows%
  • %ProgramData%
  • %Temp%
  • %System%

The encryption process may be performed on the following types of files:

  • Documents.
  • Videos.
  • Images.
  • Audio files.
  • Archives.
  • Other files.

As soon as the .cekisan files virus encrypts the files, they can no longer be opened. The reason is that the ransomware modifies key data in the files so that they appear corrupt. They can, however, be decrypted if you have the decryption keys. After encryption, the files may appear as the image below shows:

Remove .cekisan Files Virus and Try Restoring Files

If you want the .cekisan file ransomware removed, we recommend that you follow the instructions underneath. They have been created with the main goal of helping you remove this ransomware either manually or, if this doesn't work, automatically. Security experts recommend scanning your PC with advanced anti-malware software. It will remove the virus files with maximum effectiveness and, moreover, such software ensures that your PC stays protected in the future too.

In addition to removing the .cekisan ransomware, we recommend that you try to restore your files using the methods we provided in the “Try to restore” step underneath. They are not 100% guaranteed to work, but with their aid, you might be able to recover at least some of your encrypted files.
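
Before restoring anything, it helps to know which directories were hit and which original files to look for in backups. The following Python example is added here and is not part of the original article; it walks a folder read-only using the two file indicators the article names (the .cekisan extension and Readme_Restore_Files.txt), and it assumes the malware did not reset file timestamps when it reports the earliest modification time. The sample tree built in `demo()` is constructed.

```python
import os
import tempfile
from collections import defaultdict

EXTENSION = ".cekisan"                  # appended extension named in the article
NOTE_NAME = "readme_restore_files.txt"  # ransom note name, lowercased for matching

def triage(root):
    """Read-only walk of `root`: per-directory original names of encrypted files,
    ransom note locations, and the earliest mtime among encrypted files."""
    encrypted, notes, earliest = defaultdict(list), [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(EXTENSION) and len(name) > len(EXTENSION):
                # Strip the appended extension to get the name to look for in backups.
                encrypted[os.path.relpath(dirpath, root)].append(name[:-len(EXTENSION)])
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable or vanished: keep the name, skip the time
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "encrypted": {d: sorted(n) for d, n in encrypted.items()},
        "notes": sorted(notes),
        "earliest_mtime": earliest,
    }

def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Documents/report.docx.cekisan": 1_700_000_500,
            "Documents/budget.xlsx.CEKISAN": 1_700_000_100,   # case differs
            "Documents/Readme_Restore_Files.txt": 1_700_000_600,
            "Pictures/cat.jpg": 1_600_000_000,                 # untouched file
        }
        for rel, mtime in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (mtime, mtime))
        result = triage(root)
        result["notes"] = [os.path.relpath(p, root) for p in result["notes"]]
        return result
```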


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
