Ransomware keeps growing in popularity among cyber-criminals because it has proven effective: military-grade encryption is used to extort users on a daily basis. One of the newest file-encrypting malware strains to be discovered encrypts the user's files and appends a seven-letter extension, such as the reported .sshxkey. It then drops a ransom note asking the victim to contact [email protected] for more information or to pay for file decryption.
| Short Description | Encrypts the user's files, adding a seven-letter extension such as the reported .sshxkey. The extension may change between variants. |
| Symptoms | The wallpaper is changed to a ransom note asking the user to contact [email protected] for further instructions. The encrypted files are hidden. |
| Distribution Method | Via PUPs, exploit kits, malicious attachments or web links. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors to recover lost files; it may not recover all encrypted files, only some of them, depending on the situation and whether the drive has been reformatted. |
[email protected] Ransomware – Distribution
To spread to other devices, this malware may use the following methods:
- Via malicious URLs that contain Exploit Kits being spammed in social media or via e-mail.
- Via malicious e-mail attachments being sent out as spoof messages to the victims.
- Through users in the local network.
Whichever way it spreads, the malware may use so-called file obfuscation, which prevents some antivirus programs protecting the PC from detecting it. This is why users should run dedicated anti-ransomware software, such as BitDefender Anti-Ransomware.
[email protected] Ransomware In Detail
Once the ransomware has bypassed the protection on the victim's PC, it may directly execute its file-encryption module. It begins by scanning for files of the following types:
Users report that this ransomware variant hides the files it has encrypted, but it may leave some files unencrypted. After encrypting the data, the malware drops an “encrypted_list.txt” file that lists the names of the encrypted files:
The crypto-malware also drops a text document named “encrypted_readme.txt” containing the following ransom note:
“WARNING! Your personal files are encrypted!
Your most important files on this computer have been encrypted: photos,
documents, videos, music, etc. You can verify this by trying to open such files.
Encryption was produced using an UNIQUE public RSA-4096 key, specially
generated for this computer only, thus making it impossible to decrypt such
files without knowing private key and comprehensive decipher software. We have
left on our server a copy of the private key, along with all required software
for the decryption. To make sure that software is working as intended you have
a possibility to decrypt one file for free, see contacts below.
The private key will be destroyed after 7 days, afterwards making it impossible
to decrypt your files.
Encryption date: d/m/yyyy hh:mm:ss.
Private key destruction date: d/m/yyyy hh:mm:ss.
For obtaining decryption software, please, contact: [email protected]”
Source: bgn5pax – affected user.
This particular ransomware also changes the user’s wallpaper to the following one:
Furthermore, the ransomware is reported to leave a file named “encryption key backup.pfx”, which is also encrypted. When we inspected it in a hex editor, the only recognisable indicator was the string “CRYPTOCONTAINER” at the end of the file:
Judging by its appearance, this ransomware may actually use the RSA-4096 encryption algorithm, and it is not here to fool around. Since it is not as widespread as malware such as CryptoWall, TeslaCrypt or Cerber, it may be harder to detect. Because the ransomware uses an “india.com” email address for contact, it closely resembles the “@”-style ransomware variants such as Redsh*tline or [email protected]. However, it uses a much stronger encryption algorithm.
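A triage script for the artefacts described above (the appended seven-letter extension, the two dropped text files, and the “CRYPTOCONTAINER” string at the end of the key backup file). This is an added example, not code from the article or from the malware; the directory it scans is constructed inline, and the alert threshold and the double-extension pattern are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Artefact names and the marker string come from the article; the appended
# seven-letter extension is matched by a regex (".sshxkey" is one instance).
NOTE_FILES = {"encrypted_readme.txt", "encrypted_list.txt"}
KEY_BACKUP = "encryption key backup.pfx"
KEY_MARKER = b"CRYPTOCONTAINER"
# Assumed layout: original extension followed by the appended 7-letter one.
APPENDED_EXT = re.compile(r"\.[a-z0-9]{2,5}\.[a-z]{7}$")

def has_key_marker(path, tail=64):
    """True if the last `tail` bytes of the file contain the CRYPTOCONTAINER string."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))
        return KEY_MARKER in fh.read()

def scan_tree(root):
    """Group files under `root` by indicator; rglob also lists Windows-hidden files."""
    found = {"notes": [], "key_backup": [], "renamed": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in NOTE_FILES:
            found["notes"].append(str(path))
        elif name == KEY_BACKUP and has_key_marker(path):
            found["key_backup"].append(str(path))
        elif APPENDED_EXT.search(name):
            found["renamed"].append(str(path))
    return found

def looks_infected(found, min_renamed=3):
    """Alert only when a note or key file coexists with several renamed files."""
    return bool(found["notes"] or found["key_backup"]) and len(found["renamed"]) >= min_renamed

def demo():
    """Build a constructed directory mimicking the post-infection state and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    for i in range(4):  # constructed "encrypted" files with the appended extension
        (root / "docs" / f"report{i}.docx.sshxkey").write_bytes(os.urandom(32))
    (root / "docs" / "untouched.txt").write_text("left unencrypted")
    (root / "encrypted_readme.txt").write_text("WARNING! Your personal files are encrypted!")
    (root / "encrypted_list.txt").write_text("docs\\report0.docx.sshxkey\n")
    (root / KEY_BACKUP).write_bytes(os.urandom(128) + KEY_MARKER)
    return scan_tree(root)
```

Run `scan_tree` against a user profile to produce the grouped findings; `demo()` shows the expected output on the constructed tree.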
Remove [email protected] and Restore RSA-4096 Encrypted Files
To get rid of this malware from your system, we strongly advise you to use the step-by-step removal manual outlined below.
Regarding file decryption, we have tried each and every Kaspersky file decryptor. However, none of them even started to decrypt the files, so as far as direct decryption goes there is currently no solution. You may still wait for an update to the decryptors (it is automatic) or try some of the other alternatives outlined in Step 4 below.