Remove Crptlomand@india.com Ransomware and Restore RSA-4096 Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Ransomware keeps growing in popularity amongst cyber-criminals, since it has proven effective at extorting users on a daily basis with strong encryption. One of the newest encrypting malware samples to be discovered appends a seven-letter file extension to the user's files, such as the reported .sshxkey. After doing so it drops a ransom note asking the victim to contact Crptlomand@india.com for further information or for payment for file decryption.

Name: Crptlomand@india.com
Type: Ransomware
Short Description: Encrypts the user's files, adding a seven-letter file extension such as the reported .sshxkey. The extension may change from variant to variant.
Symptoms: The user's wallpaper is changed to a ransom note asking them to contact the e-mail address Crptlomand@india.com for further instructions. The encrypted files are hidden.
Distribution Method: Via PUPs, exploit kits, malicious attachments or web links.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by Crptlomand@india.com
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only some of them, depending on the situation and on whether or not you have reformatted your drive.

Crptlomand@india.com Ransomware – Distribution

To spread to other devices, this malware may use the following methods:

  • Via malicious URLs that contain Exploit Kits being spammed in social media or via e-mail.
  • Via malicious e-mail attachments being sent out as spoof messages to the victims.
  • Through users in the local network.

However it spreads, the malware may use so-called file obfuscation, which makes it impossible for some antivirus programs protecting the PC to detect it. This is why users need to apply dedicated anti-ransomware software, such as BitDefender Anti-Ransomware.

Crptlomand@india.com Ransomware In Detail

Once the ransomware has bypassed the protection on the victim's PC, it may directly execute its file encryption module. It begins by scanning for files of the following types:

  • Photos
  • Videos
  • Music
  • Documents

Users report that this ransomware variant hides the files it has encrypted from the user, although it may leave some files unencrypted. After encrypting the data, the malware leaves an “encrypted_list.txt” file that lists the names of the encrypted files:

[Image: the encrypted_list.txt file listing the encrypted files]

The crypto-malware also leaves a text document named “encrypted_readme.txt” containing the following ransom note:

→ “WARNING! Your personal files are encrypted!
Your most important files on this computer have been encrypted: photos,
documents, videos, music, etc. You can verify this by trying to open such files.
Encryption was produced using an UNIQUE public RSA-4096 key, specially
generated for this computer only, thus making it impossible to decrypt such
files without knowing private key and comprehensive decipher software. We have
left on our server a copy of the private key, along with all required software
for the decryption. To make sure that software is working as intended you have
a possibility to decrypt one file for free, see contacts below.
The private key will be destroyed after 7 days, afterwards making it impossible
to decrypt your files.
Encryption date: d/m/yyyy hh:mm:ss.
Private key destruction date: d/m/yyyy hh:mm:ss.
For obtaining decryption software, please, contact: Crptlomand@india.com”

Source: bgn5pax – affected user.

This particular ransomware also changes the user’s wallpaper to the following one:

[Image: the ransom wallpaper set by the crptlomand@india.com ransomware]

Furthermore, the ransomware is reported to leave a file named “encryption key backup.pfx”, which is itself encrypted. When we inspected it in a hex editor, the only readable indicator was the string “CRYPTOCONTAINER” at the very end of the file:

[Image: hex view of encryption key backup.pfx showing the trailing CRYPTOCONTAINER string]

Judging by how it appears, this ransomware may actually employ the RSA-4096 encryption algorithm its note claims, and it is not here to fool around. Since it is not as widespread as families such as CryptoWall, TeslaCrypt or Cerber, it may be more difficult to detect. Because the ransomware uses an “india.com” e-mail address for contact, it closely resembles the “@”-style ransomware variants, like Redsh*tline or [email protected] However, it uses a much stronger encryption algorithm.
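As an added defender-side example (not code from the original article), the following Python script triages a directory tree for the artifacts described above: the two dropped text files, the .pfx container ending in the string CRYPTOCONTAINER, and files carrying a seven-letter extension such as .sshxkey. The sample tree it builds is constructed for the demonstration, and the Windows hidden-attribute check is omitted so it runs on any platform.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the two text files the ransomware drops,
# the encrypted .pfx "key backup" ending in the string CRYPTOCONTAINER, and the
# seven-letter lowercase extension (e.g. .sshxkey) appended to encrypted files.
NOTE_NAMES = {"encrypted_readme.txt", "encrypted_list.txt"}
CONTAINER_MARKER = b"CRYPTOCONTAINER"

def has_seven_letter_ext(path: Path) -> bool:
    """True for extensions like .sshxkey: exactly seven lowercase letters."""
    ext = path.suffix[1:]
    return len(ext) == 7 and ext.isalpha() and ext.islower()

def pfx_has_marker(path: Path) -> bool:
    """Read only the tail of the file and check for the trailing marker string."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - 64))
        tail = f.read().rstrip(b"\x00\r\n")
    return tail.endswith(CONTAINER_MARKER)

def triage(root: Path) -> dict:
    """Walk a tree and group files by which indicator they match."""
    hits = {"notes": [], "container": [], "suspect": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() in NOTE_NAMES:
            hits["notes"].append(p.name)
        elif p.suffix.lower() == ".pfx" and pfx_has_marker(p):
            hits["container"].append(p.name)
        elif has_seven_letter_ext(p):
            hits["suspect"].append(p.name)
    return hits

def demo() -> dict:
    """Build a constructed sample tree (not real malware output) and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "encrypted_readme.txt").write_text("WARNING! Your personal files are encrypted!")
    (root / "encrypted_list.txt").write_text("holiday.jpg.sshxkey\n")
    (root / "encryption key backup.pfx").write_bytes(b"\x00" * 32 + CONTAINER_MARKER)
    (root / "holiday.jpg.sshxkey").write_bytes(b"\x00" * 16)  # constructed "encrypted" file
    (root / "notes.docx").write_bytes(b"PK")                    # untouched file, no hit
    return triage(root)
```

Run `demo()` to see the grouped hits; pointing `triage()` at a real user profile gives a quick first pass before a full scan.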

Remove Crptlomand@india.com and Restore RSA-4096 Encrypted Files

To get rid of this malware from your system, we strongly advise you to use the step-by-step removal manual outlined below.

Regarding file decryption, we have attempted to use each and every Kaspersky file decryptor. However, none of them even started to decrypt the files, so as far as direct decryption goes, there is currently no solution. You may still wait for an update to the decryptors (updates are automatic) or try some of the other alternatives outlined in Step 4 below.

1. Boot Your PC In Safe Mode to isolate and remove Crptlomand@india.com
2. Remove Crptlomand@india.com with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Crptlomand@india.com in the future
4. Restore files encrypted by Crptlomand@india.com
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
