Remove Files1147@gmail(.)com, .breaking_bad - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Files1147@gmail(.)com, .breaking_bad

Another variant of the Shade Trojan ransomware has appeared lately and bears the name Files1147@gmail(.)com. That is the email address the cybercriminals provide, to which victims are told to write in order to arrange the ransom payment. The ransomware encrypts files and appends the .breaking_bad file extension. Earlier variants have been given the names Trojan-Ransom.Win32.Shade and Ransom:Win32/Troldesh. This variant uses the same warning message as its predecessors.


Name: Files1147@gmail(.)com
Type: Ransomware, Trojan
Short Description: This ransomware is a newer variant of the Shade ransomware family.
Symptoms: The ransomware encrypts files and adds a .breaking_bad extension to them. It uses a Gmail address to arrange the ransom payment.
Distribution Method: Exploit kits, spam emails.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by Files1147@gmail(.)com
User Experience: Join our forum to discuss the Files1147@gmail(.)com ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

Files1147@gmail(.)com Distribution Ways

Exploit Kits

One way the Files1147@gmail(.)com ransomware is distributed is through exploit kits, mainly the Nuclear EK. Simply visiting a site into which an exploit kit has been injected is enough for your computer to get infected. Cyber crooks plant the malicious code on compromised legitimate websites as well as on sites they set up themselves. That code exploits a vulnerability in the browser or in one of its extensions and add-ons. Once a vulnerability has been exploited, the ransomware is silently installed on the computer. In almost all cases you will be unaware that it even happened.

Spam Emails

Another way this ransomware spreads is via spam emails. You receive a short email with a malware file attached; opening the attachment runs the malware. The Files1147@gmail(.)com ransomware reuses the attachment file names of its previous variants, namely these:

  • doc_dlea podpisi.com
  • doc_dlea podpisi.rar
  • documenti_589965465_documenti.com
  • documenti_589965465_documenti.rar
  • documenti_589965465_doc.scr
  • неподтвержден 308853.scr
  • documenti dlea podpisi 05.08.2015.scr.exe
  • akt sverki za 17082015.scr

Be aware, though, that the file names vary between campaigns, so do not rely on an exact match; the lures are designed to trick you.
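The pattern in the list above is consistent: a paperwork-sounding name carrying an executable (.com, .scr, .exe) or archive (.rar) extension, sometimes with a chained extension such as .scr.exe. The following heuristic checker is an added example (it is not part of the article or of any product it mentions) that a mail-gateway or help-desk script could apply to attachment names; the sample names are the ones listed above plus two benign ones constructed for contrast, and the extension sets and keyword list are my own assumptions rather than anything the article specifies.

```python
# Heuristic attachment-name checks modelled on the lure names in the article.
# Added example; the extension sets and keyword list are assumptions, not the article's.

# Extensions Windows runs as programs; a "document" lure should never carry one.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Archive containers the campaign uses to wrap the executables above.
ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Paperwork-sounding words taken from the lure names listed in the article
# (Russian transliterations: "podpisi" = signatures, "akt sverki" = reconciliation act).
DOCUMENT_WORDS = ("doc", "documenti", "podpisi", "akt", "sverki")


def classify_attachment(name: str) -> list:
    """Return heuristic findings for one attachment file name (empty list = nothing suspicious)."""
    findings = []
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return findings                       # no extension at all
    base, exts = parts[0], parts[1:]
    final_ext = exts[-1]
    if final_ext in EXECUTABLE_EXTS:
        findings.append("executable extension ." + final_ext)
    if final_ext in ARCHIVE_EXTS:
        findings.append("archive container ." + final_ext)
    # Chained known extensions such as ".scr.exe" hide the real type from a casual glance.
    known = [e for e in exts if e in EXECUTABLE_EXTS or e in ARCHIVE_EXTS]
    if len(known) >= 2:
        findings.append("double extension ." + ".".join(known))
    # A file named like paperwork but delivered as a program or archive is the classic lure.
    if final_ext in EXECUTABLE_EXTS | ARCHIVE_EXTS and any(w in base for w in DOCUMENT_WORDS):
        findings.append("document-style name with non-document extension")
    return findings


def scan_attachments(names) -> dict:
    """Map each flagged attachment name to its findings; clean names are omitted."""
    flagged = {}
    for n in names:
        f = classify_attachment(n)
        if f:
            flagged[n] = f
    return flagged


# Constructed sample: the eight lure names from the article plus two benign names.
SAMPLE_ATTACHMENTS = [
    "doc_dlea podpisi.com",
    "doc_dlea podpisi.rar",
    "documenti_589965465_documenti.com",
    "documenti_589965465_documenti.rar",
    "documenti_589965465_doc.scr",
    "неподтвержден 308853.scr",
    "documenti dlea podpisi 05.08.2015.scr.exe",
    "akt sverki za 17082015.scr",
    "quarterly_report.pdf",
    "photo.jpg",
]

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {', '.join(findings)}")
```

All eight lure names are flagged and the two benign names pass; the split on every dot is deliberate so that a date embedded in the name (05.08.2015) does not hide the trailing .scr.exe chain.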

Files1147@gmail(.)com Technical Details

The Files1147@gmail(.)com ransomware behaves very similarly to the other known variants. The first Shade ransomware variant is labeled Trojan-Ransom.Win32.Shade by some researchers and Ransom:Win32/Troldesh by others.

Once the ransomware is on a compromised computer, it connects to a remote command and control (C&C) server in the Tor network. It reports the infection and requests an RSA-3072 key, which it then uses to encrypt files. Encrypted files receive the extension .breaking_bad. If the connection fails, the Files1147@gmail(.)com ransomware falls back to one of 100 keys embedded in its code.

Files with the following extensions are targeted for encryption:

.3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip

After the files are encrypted, the following message will be left as a desktop image:

All the important files on your computer were encrypted.
The details can be found in README.txt files
which you can find on any of your disks.

The ransom demand is left in 10 README.txt documents. All of them contain the same text, for example:

Ваши файлы были зашифрованы.
Чтобы расшифровать их, Вам необходимо отправить код:
667EBB7E9D12BE9C733C|0
на электронный адрес Files1147@gmail(.)com .
Далее вы получите все необходимые инструкции.
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
667EBB7E9D12BE9C733C|0
to e-mail address Files1147@gmail(.)com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
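The two artefacts above, the .breaking_bad extension and the README.txt notes that share one victim code, are what an incident responder looks for first when scoping an infection. The script below is an added example (not from the article or any tool it names) that walks a directory tree, counts encrypted files per directory, recognises ransom notes by the opening lines quoted above, and extracts the victim code with a regular expression whose shape (hex string, pipe, digit) is an assumption derived from the single code shown. The sample tree it builds is constructed for the demonstration, and it keeps the original file names in front of .breaking_bad, which is also an assumption; the triage logic itself does not depend on that.

```python
# Triage sweep for .breaking_bad files and README.txt ransom notes.
# Added example; markers are the note lines quoted in the article, the code shape is assumed.
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".breaking_bad"          # extension the article reports on encrypted files
NOTE_NAME = "README.txt"                 # file name of the dropped ransom note
# Opening lines of the Russian and English notes quoted in the article.
NOTE_MARKERS = ("Ваши файлы были зашифрованы.",
                "All the important files on your computer were encrypted.")
# Victim code shape assumed from the one sample in the note: <hex>|<digit>.
CODE_RE = re.compile(r"\b[0-9A-F]{16,}\|\d+\b")


def triage(root) -> dict:
    """Walk a tree and summarise .breaking_bad files and matching ransom notes."""
    root = Path(root)
    encrypted, notes, codes = [], [], set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(ENCRYPTED_EXT):
            encrypted.append(path)
        elif path.name == NOTE_NAME:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue                  # unreadable note: skip it, do not abort the sweep
            if any(marker in text for marker in NOTE_MARKERS):
                notes.append(path)
                codes.update(CODE_RE.findall(text))
    # Directories with the most encrypted files show where restoration should start.
    by_dir = Counter(str(p.parent.relative_to(root)) for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": dict(by_dir),
        "note_count": len(notes),
        "victim_codes": sorted(codes),
    }


# Constructed note text: the first lines of the note quoted in the article, nothing more.
SAMPLE_NOTE = (
    "Ваши файлы были зашифрованы.\n"
    "Чтобы расшифровать их, Вам необходимо отправить код:\n"
    "667EBB7E9D12BE9C733C|0\n"
)


def build_sample_tree(root) -> None:
    """Create a constructed victim tree: three encrypted files, two real notes, one ordinary readme."""
    root = Path(root)
    for rel in ("Documents/report.docx" + ENCRYPTED_EXT,
                "Documents/budget.xlsx" + ENCRYPTED_EXT,
                "Pictures/holiday.jpg" + ENCRYPTED_EXT):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 64)       # opaque stand-in for ciphertext
    (root / "Documents" / NOTE_NAME).write_text(SAMPLE_NOTE, encoding="utf-8")
    (root / "Pictures" / NOTE_NAME).write_text(SAMPLE_NOTE, encoding="utf-8")
    (root / "Projects").mkdir()
    # An ordinary README.txt without the marker must not be counted as a ransom note.
    (root / "Projects" / NOTE_NAME).write_text("Build with make.\n", encoding="utf-8")
    (root / "notes.txt").write_text("untouched\n", encoding="utf-8")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Matching notes on their quoted opening line rather than on the file name alone keeps ordinary README.txt files out of the count, and collecting the victim code across all notes lets you confirm that the machine was hit by a single run (one code) rather than by several.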

Important!

It is essential to note that the attack by Files1147@gmail(.)com does not stop here. Its process repeatedly contacts the C&C server, obtains a list of malicious URLs and downloads further malware from them, creating an endless cycle of infections. This behaviour is commonly referred to as a download bot.

According to malware researchers, malware of the following families is frequently downloaded:

  • Trojan.Win32.CMSBrute
  • Trojan.Win32.Miuref
  • Trojan.Win32.Kovter
  • Trojan-Downloader.Win32.Zemot

Judging by the extension and by the fact that it cooperates with other malware, it can be assumed that it also works together with the Los Pollos Hermanos ransomware.

Files1147@gmail(.)com Removal

If you have been infected by the Files1147@gmail(.)com ransomware, you should have at least some experience in removing viruses. The Trojan is built to download malware of different families, so it is highly recommended that you carefully follow the instructions provided below:

1. Boot Your PC In Safe Mode to isolate and remove Files1147@gmail(.)com
2. Remove Files1147@gmail(.)com with SpyHunter Anti-Malware Tool
3. Remove Files1147@gmail(.)com with Malwarebytes Anti-Malware
4. Remove Files1147@gmail(.)com with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryption by Files1147@gmail(.)com in the future
NOTE! Important notice about the Files1147@gmail(.)com threat: manual removal of Files1147@gmail(.)com requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

