The Jigsaw ransomware proves to be persistent. This time around the extension .epic is given to encrypted files. The crypto-virus encrypts 120 file extensions and more, as previous variants, and creates a ransom note which is Anonymous-themed. Five thousand dollars is the sum asked as payment for decryption. To know how to restore your files and remove the ransomware variant, you should read the article till its end.
|Short Description||The ransomware encrypts files by adding an .epic extension and demands a ransom for decryption.|
|Symptoms||Files with more than 120 different extensions get encrypted. Each hour files can get erased if the ransom money is not paid.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks|
See If Your System Has Been Affected by Epic
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Epic.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Epic Ransomware – Delivery
Epic ransomware might be delivered through spam e-mails containing an attachment. When the attachment is opened, the malicious code inside it will inject itself into your computer machine. That file could have a name such as firefox.exe or something popular like it, so it can trick people into opening it.
Past variants of the Epic ransomware were delivered via social media networks or file-share sites, as well. DropBox was another delivery method used by the original variant – Jigsaw ransomware. The best advice you could know is to avoid any suspicious sites, links or files because from them you could find malicious code infecting you with the Epic ransomware virus.
Epic Ransomware – Technical Information
The Epic ransomware is a crypto-virus of the Jigsaw family. All your files will get encrypted and be unusable. The malware demands a huge sum of money to be paid in BitCoins for file decryption. If you do not meet the criteria given by the Epic ransomware, your files will be deleted in an hourly manner or even sent to your Contacts. The theme of this variant is Anonymous.
The ransomware will create some files on a compromised computer and register them in the Windows Registry with specific values, to maintain persistence.
This is one of the common entries in the Windows Registry:
That registry value will automatically load a certain executable file of the ransomware with each boot of the Windows Operating System. That way the Epic ransomware will launch every time.
Next, the Epic ransomware will display a lock screen which will type out text meant to scare you into paying the ransom.
Here is how the lock screen looks like:
The ransomware demands a payment of at least 5000 US dollars to be paid in BitCoins. Otherwise, the Epic ransomware will delete some of your files with each passing hour. The asked ransom price won’t increase with time.
The text inside the lock screen reads:
Very bad news! I am a so-called crypt.locker with following advanced functions:[TIMER]
Encrypting all your Data……………………………………………………………….……..Done!
Collecting all Logins, Contacts, eMail and Messenger History…..Done!
Uploading all of it on a Server………………………………………….Done!
Sending a copy of this Package to ALL of your contacts…Pending
Now here are some good news:
The pending task will never be executed and all your files will be decrypted
again as soon as you did a BITCOIN PAYMENT within the next 72h.
I will then remove myselfe from your system – like nothing ever happened!
To show you that I am serious I will delete every hour 1-5 files – better hurry!
If you fail no one will stop me from sending messages to all your contacts.
Sharing with them every private conversation or eMail of yours I could find.
Don’t try to be smart by closing me or Power off the Machine – its too late!
Now make your decission: Accepting the loss of Privacy and Data or doing the Payment.
1 file will be deleted.
Please, send at least $5000 worth of BTC here:
Below you see an executable file of the Epic ransomware, uploaded to VirusTotal:
Paying any ransom money demanded by the Epic ransomware is ridiculous. The sum of 5,000 dollars is too high for the average user, and absolutely nobody can guarantee that you will indeed return your files to normal for them to be usable. The ransomware is sold for 35 times less than the ransom which is asked per user. Giving up the money to the cyber crooks will only feed their addiction for crimes and inspire them in that direction.
Know that at the end of this article you will find described ways to restore your files. A decryption tool is also available thanks to Michael Gillespie – the malware researcher who cracked the original Jigsaw ransomware.
The Epic ransomware searches extensions to encrypt files which have them, on every type of storage device you can think of – SSD, HDD, be it internal or external. The Epic variant like past iterations of the ransomware will search for files with 120 plus extensions. The list of all these extensions is the following:
→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java
The AES algorithm used with this variant of the ransomware does not differ from the one used by the original Jigsaw ransomware. The ransomware sets .epic as an extension to all encrypted files. If you reboot your PC, there is a high chance that you could lose around 1,000 files of your encrypted data.
This variant of the Jigsaw Ransomware made an innovation with its scary ransom note and the bombastic sum of money wanted as ransom. Otherwise, a solution to restore all of your files is still present. In a case when you have rebooted your computer system after the infection and lost some of the files – do not panic. Data Recovery software might still recover the lost files.
Remove Epic Ransomware and Restore .epic Files
If Epic ransomware infected your machine, do not worry, as there is already a solution available for free file decryption. If you want to get rid of the ransomware, you should have a bit of experience in removing viruses. Check the instructions guide written below to see how you can recover your files.
Manually delete Epic from your computer
Note! Substantial notification about the Epic threat: Manual removal of Epic requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.