A variant of the Troldesh/Shade ransomware virus family has been spotted recently. The virus has been dubbed Drugvokrug727 because it uses the Drugvokrug727@india.com email address. The wallpaper placed on a compromised computer features a digital sketch of the main character from the movie “The Big Lebowski” – the Dude. The ransomware locks files with an extension ending in .xtbl . The ransom price is unspecified. To see how to remove this ransomware and how you might restore your files, you should read the article to its end.
|Short Description||The ransomware encrypts files with an extension ending in firstname.lastname@example.org and leaves an email address as a contact for the supposed decryption of the files.|
|Symptoms||The ransomware will run with each Windows start and encrypt files on your computer. Your wallpaper will be set to a picture with “The Dude” movie character and decrypt instructions pointing to an email address as a contact.|
|Distribution Method||Spam Emails, Email Attachments, Executable Files|
See If Your System Has Been Affected by malware
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Drugvokrug727.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Drugvokrug727 Virus – Methods of Distribution
The Drugvokrug727 ransomware virus probably has more than one distribution method. Targeted attacks are surely one of the main methods, as well as spam email campaigns. A spam email will try to engage you into reading it and opening a file attached to that email. The attachment may seem harmless and of known file type, but in reality to be the payload source for the ransomware. Be extremely careful around emails that have attachments or download links in their body.
A possibility exists, where Drugvokrug727 virus can infect you through social media services or via file-sharing networks. Platforms and websites of that kind might distribute the malicious payload code with executables or batch files, disguised as necessary and useful software applications. An important advice you could follow to prevent ransomware viruses from infecting you is to avoid every email, file or link that seems suspicious and is of an unknown origin. Refrain from directly opening files in general – check their signatures, size and possibly scan them with a security program. You can find more tips about countering and preventing ransomware infections in the respective topic in our forum.
Drugvokrug727 Virus – A Closer Look
Drugvokrug727 is how a virus has been dubbed, belonging to the Shade/Troldesh ransomware family a.k.a. the XTBL ransomware. The name of this virus is derived from the email that its creator uses for contact – Drugvokrug727@india.com. As other ransomware viruses of the same family, this one also puts that email in the extension of each encrypted file.
Here are more variants of this ransomware virus:
- Ecovector Ransomware (Vegclass@aol.com)
- JohnyCryptor Ransomware (Johnycryptor@aol.com)
- Crysis Ransomware (email@example.com)
The ransomware will encrypt files found on your hard disk drives or other storage devices, but system files will not be touched. Before the encryption process begins, the ransomware goes through some predefined stages. After the ransomware finds an entry point to your computer and its payload file is executed, the malicious script found inside will initiate the following:
First, it will create five files, some of which are executables and some contain instructions:
%UserProfile%\How to decrypt your files.jpg
%System%\[THREAT FILE NAME].exe
%UserProfile%\Start Menu\Programs\Startup\[THREAT FILE NAME].exe
%UserProfile%\Start Menu\Programs\Startup\How to decrypt your files.jpg
%UserProfile%\Start Menu\Programs\Startup\How to decrypt your files.txt
Second, it will create this entry in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”[RANDOM CHARACTERS]” = “%System%\[THREAT FILE NAME].exe”
That registry entry will keep the ransomware virus perseverant and launch it with every start of the Windows Operating System.
Third, it will then connect to a remote location, which may be one of the following:
Next, your files get encrypted, and after that process is complete, you will notice your desktop background to be swapped with some new wallpaper. That wallpaper contains instructions about how to contact the ransomware makers. Also, in the picture, there is a famous movie character portrayed – The Dude from the movie “The Big Lebowski”. That is how your desktop will look like if you got infected:
That picture on your desktop and a text file with instructions bear the name How to decrypt your files. The text on the image shown above reads:
Дектиптор файлов можно
получить на почте:
Decryptor files are available
at the post office:
The other file – How to decrypt your files.txt looks like this:
The Drugvokrug727 virus does not specify a payment price for the decryption of your files. Also, it does not urge you with a limited time period. The ransomware creator has left only a single email for contact, which the ransomware is named after by researchers.
Do NOT even try to contact the Drugvokrug727@india.com email or any other alternative email address you could have been provided with from the virus. Even if you pay the ransom, you may not get your files back. See this comment posted in our blog by a user infected with ransomware of the same family. The user paid a fortune and didn’t get the courtesy of getting even a single file back.
So, paying criminals will technically make you their accomplice, as the money will be used to further their criminal activities. Also, because Drugvokrug727 is one of the many variants of the Shade/Troldesh ransomware family, there is a way you can try to restore your files. A decryptor tool manufactured by Kaspersky exists, and you can see it in the instructions below this article.
The Drugvokrug727 ransomware encrypts lots of different file types. The virus encrypts files which have these file extensions:
→.jpg, .jpg2, .png, .ppt, .pptm, .pptx, .bmp, .doc, .docm, .docx, .docxml, .pdf, .gif, .rtf, .tar, .targz, .targz2, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .mkv, .mov , .mp4, .mpeg, .mpg, .msg, .myd, .myi, .obj, .odb, .odc, .odm, .ods, .oft,. one, .onepkg, .onetoc2, .opt, .oqy, .p7b, .p7c, .pcx, .pdd, .pdp, .pem, .pfx, .php, .php3, .php4, .php5, .phtml, .pl, .pm, .pot, .potm, .potx, .pps, .ppsn, .prn, .pst, .ptx, .pxr, .py, .ai3, .ai4, .ai5, .ai6, .arw, .as, .ASA, .ascx, .asmx, .asp, .aspx,. asr, .avi, .bak, .bay, .bz2, .c, .cdr, .cer, .cfc, .cfn, .cfnl, .cin, .chm, .class, .config, .cpp, .crt, .cs, .css, .csv, .cub, .dae, .db, .dc3, .dcm, .der, .dic, .dif, .divx, .djvu, .dl, .dot, .dotm , .dotx, .dpx, .dqy, .dtd, .dwg, .dx, .dxf, .dsn, .dwt, .eps, .exr, .fido,. frm, .gz, .h, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .ind, .ini, .iqy, .j2c, .i2k, .java, .jp2, .jpc, .jpf, .jpx, .js, .jso, .json, .kmz, .lbi, .m4v, .mdb, .mdf, .mef , .mht, .mhtml, .r3d, .rar, .rdf, .rle , .rqy, .rss, .rw2, .rwl, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql,. srw, .ssi, .stn, .svg, .svg2, .swf, .tdi, .tga, .tld, .u3d, .udl, .uxdc, .vcs, .vda, .wbm, .wbmp, .xlk, .xlm, .xltx, .xlw, .xsd, .xsl, .xsc, .xslt, .xz, .wb2, .wim , .wmv, .zip, .3fr, .3gp, .7z
When all files get encrypted, you will notice that the files will have this extension appended to them – .id-[eight digit number]-firstname.lastname@example.org.
Afterward, the ransomware will send the following information to a remote location:
Compromised computer ID
Email address used by the Trojan
Number of encrypted document, archive, database, and image files
Total number of encrypted files
Drugvokrug727 ransomware probably deletes the Shadow Volume Copies of the Windows Operating System. Read on to learn how to possibly decrypt your files.
Remove Drugvokrug727 Virus and Restore .xtbl Files
If your computer got infected with the Drugvokrug727 ransomware, you should have some experience with removing viruses. You should get rid of this ransomware as quick as you can before it spreads further through the network and infects more files. You should remove the ransomware and follow the step-by-step instructions guide given below. To see how you can try to recover your data, check the step titled 3. Restore files encrypted by Drugvokrug727.
- Guide 1: How to Remove Drugvokrug727 from Windows.
- Guide 2: Get rid of Drugvokrug727 on Mac OS X.
- Guide 3: Remove Drugvokrug727 in Google Chrome.
- Guide 4: Erase Drugvokrug727 from Mozilla Firefox.
- Guide 5: Uninstall Drugvokrug727 from Microsoft Edge.
- Guide 6: Remove Drugvokrug727 from Safari.
- Guide 7: Eliminate Drugvokrug727 from Internet Explorer.
- Guide 8: Disable Drugvokrug727 Push Notifications in Your Browsers.
How to Remove Drugvokrug727 from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove Drugvokrug727
Step 2: Uninstall Drugvokrug727 and related software from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it.
Step 3: Clean any registries, created by Drugvokrug727 on your computer.
The usually targeted registries of Windows machines are the following:
You can access them by opening the Windows registry editor and deleting any values, created by Drugvokrug727 there. This can happen by following the steps underneath:
Get rid of Drugvokrug727 from Mac OS X.
Step 1: Uninstall Drugvokrug727 and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove Drugvokrug727 via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove Drugvokrug727 files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as Drugvokrug727, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Remove Drugvokrug727 from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Erase Drugvokrug727 from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Uninstall Drugvokrug727 from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Remove Drugvokrug727 from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Drugvokrug727 will be removed.
Eliminate Drugvokrug727 from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
Remove Push Notifications caused by Drugvokrug727 from Your Browsers.
Turn Off Push Notifications from Google Chrome
To disable any Push Notices from Google Chrome browser, please follow the steps below:
Step 1: Go to Settings in Chrome.
Step 2: In Settings, select “Advanced Settings”:
Step 3: Click “Content Settings”:
Step 4: Open “Notifications”:
Step 5: Click the three dots and choose Block, Edit or Remove options:
Remove Push Notifications on Firefox
Step 1: Go to Firefox Options.
Step 2: Go to “Settings”, type “notifications” in the search bar and click "Settings":
Step 3: Click “Remove” on any site you wish notifications gone and click “Save Changes”
Stop Push Notifications on Opera
Step 1: In Opera, press ALT+P to go to Settings
Step 2: In Setting search, type “Content” to go to Content Settings.
Step 3: Open Notifications:
Step 4: Do the same as you did with Google Chrome (explained below):
Eliminate Push Notifications on Safari
Step 1: Open Safari Preferences.
Step 2: Choose the domain from where you like push pop-ups gone and change to "Deny" from "Allow".