Security researchers have found a new ransomware strain that targets computer users. The threat is classified as data locker ransomware as it corrupts essential data stored on infected machines and then asks victims for a ransom payment. Its name comes from the extension it appends to all encrypted files. The [email protected]7 ransomware infection is further associated with a file Readme.txt dropped on the computer. The file contains ransom message send by [email protected] ransomware authors.
|Short Description||The ransomware encrypts files on your computer and displays a ransom message afterward.|
|Symptoms||The ransomware will encrypt your files and put the extension [email protected] to them after it finishes its encryption process.|
|Distribution Method||Spam Emails, Email Attachments, Compromised Web Pages|
|Detection Tool|| See If Your System Has Been Affected by [email protected] |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss [email protected]|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
How Does [email protected] Ransomware Infect?
Most of the times ransomware like [email protected] infect systems by dropping a single executable file on the PC. That file can be embedded in word, excel or pdf document and then send to you as an attached file to an email message. This technique is preferred by hackers because it allows them to spoof the email sender name and the address. Thus by impersonating popular business and governmental organizations, they hope to trick you into infecting your device with the ransomware. Another standard way for ransomware payload distribution is web links that redirect to corrupted web pages. Such links are posted in emails, online advertisements, and social media.
What Does [email protected] Ransomware Do to Your Computer?
Once [email protected] payload is running on the computer, it initiates a sequence of malicious actions to complete the attack. First, it may connect its server to send data about the system and download additional malicious components. Then it may create new files in some essential Windows system folders and then activates its malicious processes.
Probably [email protected] ransomware will access Windows Registry editor to create new values that will enable its payload to start on each system turn on. In addition, the same keys –
Run and RunOnce are likely to be modified after the cypto virus drops its ransom note on the PC. As these keys control all processes that need to start when the Windows is launched and all currently running processes, ransomware uses them to display its ransom note at the end of its infection.
Its ransom note might be situated on the Desktop under the name Readme.txt. What it reads is:
Access to your files was limited.
To return your files you have 72 hours. Write to us.
Our email: [email protected]
ATTENTION. To email ([email protected]) write messages only from these e-mail services. From other email services, messages may not be received by us.
ATTENTION. We will reply you within 24 hours. If there is no response from us, please send your message again.
Tor email: [email protected]
To register tor e-mail, use the service http://torbox3uiot6wchz.onion
This link opens in tor browser. Link to tor browser https://www.torproject.org/
Send us 3 encrypted files, each no more than 2 MB (only pictures, text documents or shortcuts).
We will decrypt them to you for free, to confirm that we can help you.
Together with the decrypted files you will receive further instructions
The given time frame aims to make you anxious and urge you to pay the ransom as soon as possible. Even though the demanded amount is not mentioned, it probably needs to be transferred in Bitcoins. For the sake of your security, it is better to avoid any negotiations with the crooks. There is no guarantee that you will receive a working solution for the encrypted files even if you pay the ransom.
Which Are the Files Encrypted by [email protected] Ransomware?
Like most crypto ransomware [email protected] is likely to have all file types that are frequently used set in its target data list. And the reviewed crypto virus can scan for files with file extensions, associated with the following file types:
- Audio files
The original code of all target files is modified by the ransomware via its built-in encryption module. According to security researchers [email protected] uses AES-ECB or stream cipher to encrypt files. Afterward it marks them all with an extension of the same name [email protected] and drops a ransom message that provides information on their decryption. The transformation restricts you from opening your files until you apply the decryption key.
How to Remove [email protected] Ransomware and Restore Files
All steps that will help you to get rid of [email protected] ransomware completely are covered in our detailed removal guide below. You can choose whether you want to remove it manually or automatically. Have in mind that due to the complexity of ransomware code the manual removal of all its files and objects from the infected host can be a hard task even for the tech savvy guys. So if you [email protected] ransomware is still on the system even after you fulfill all steps from the manual removal, be advised to take the automatic approach.
After the removal, you can check the alternative [email protected] files restore options that we choose for you. You will need to back up all encrypted files before the restore process because if something goes wrong during the restore process, it can be used for the next restore attempts.