Remove Files1147@gmail(.)com, .breaking_bad - How to, Technology and PC Security Forum |



Another variant of the Shade Trojan ransomware has appeared lately and bears the name Files1147@gmail(.)com. That is the email address the cybercriminals provide for victims to contact them about the ransom payment. The ransomware encrypts files and appends a .breaking_bad extension to them. Earlier variants have been named Trojan-Ransom.Win32.Shade and Ransom:Win32/Troldesh, and this one uses the same warning message as its predecessors.

Type: Ransomware, Trojan
Short Description: This ransomware is a newer variant of the Shade ransomware family.
Symptoms: The ransomware encrypts files and adds a .breaking_bad extension to them. It uses a Gmail account to receive ransom correspondence.
Distribution Method: Exploit kits, spam emails.

Files1147@gmail(.)com Distribution Ways

Exploit Kits

One way the Files1147@gmail(.)com ransomware is distributed is through exploit kits, mainly the Nuclear EK. Simply visiting a site into which an exploit kit has been injected is enough for your computer to get infected. Cyber crooks can place the malicious code on both legitimate and illegitimate websites. That code exploits a vulnerability in the browser or in one of its extensions and add-ons; once a vulnerability is found, the ransomware is installed silently. In almost all cases you will be unaware that it even happened.

Spam Emails

Another way this ransomware spreads is via spam emails. You receive a short email with a malicious file attached, and opening the attachment executes the malware. The Files1147@gmail(.)com ransomware has been reusing the attachment names of its previous variants, namely these:

  • doc_dlea
  • doc_dlea podpisi.rar
  • documenti_589965465_documenti.rar
  • documenti_589965465_doc.scr
  • неподтвержден 308853.scr
  • documenti dlea podpisi 05.08.2015.scr.exe
  • akt sverki za 17082015.scr

Be aware, though, that the file names can vary in order to trick you.

Files1147@gmail(.)com Technical Details

The Files1147@gmail(.)com ransomware behaves very similarly to the other known variants. The first Shade ransomware variant is labeled Trojan-Ransom.Win32.Shade by some researchers and Ransom:Win32/Troldesh by others.

Once the ransomware is on a compromised computer, it connects to a remote command & control (C&C) server in the Tor network. It notifies the server of the infection and requests an RSA-3072 key, which it then uses to encrypt files. Encrypted files receive the extension .breaking_bad. If the connection fails, the Files1147@gmail(.)com ransomware instead picks one of 100 keys embedded in its own code, so encryption proceeds even when the C&C server is unreachable.

When the process is complete, files with the following extensions will be encrypted:

.3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip

After the files are encrypted, the following message will be left as a desktop image:

All the important files on your computer were encrypted.
The details can be found in README.txt files
which you can find on any of your disks.

The ransom request is dropped in 10 README.txt files. All of them contain the same text, of which the following is an example:

Ваши файлы были зашифрованы.
Чтобы расшифровать их, Вам необходимо отправить код:
на электронный адрес .
Далее вы получите все необходимые инструкции.
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
to e-mail address .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
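A small triage helper, added here as an example and not part of the original post, that walks a directory tree and reports the artefacts described above: files carrying the .breaking_bad extension, README.txt files containing the ransom note, and the pre-encryption names of the affected files. It assumes the original file name is kept in front of the appended extension; the targeted-extension subset and the sample tree are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Subset of the extensions the post lists as targeted (constructed for this example).
TARGETED = {".doc", ".docx", ".xls", ".jpg", ".pdf", ".zip", ".sql", ".py"}
ENCRYPTED_EXT = ".breaking_bad"   # extension the post says is appended
NOTE_NAME = "README.txt"          # name of the dropped ransom note
NOTE_MARKER = "All the important files on your computer were encrypted."

def triage(root):
    """Walk root and return (encrypted, notes, originals), each sorted.

    encrypted: files carrying the .breaking_bad extension
    notes:     README.txt files whose text contains the ransom-note marker
    originals: pre-encryption names (assumed to be kept in front of the
               appended extension) whose own extension is in TARGETED
    """
    encrypted, notes, originals = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
                original = name[: -len(ENCRYPTED_EXT)]
                if Path(original).suffix.lower() in TARGETED:
                    originals.append(str(Path(dirpath) / original))
            elif name == NOTE_NAME:
                text = path.read_text(encoding="utf-8", errors="ignore")
                if NOTE_MARKER in text:
                    notes.append(str(path))
    return sorted(encrypted), sorted(notes), sorted(originals)

def build_sample():
    """Create a constructed post-infection tree in a temp dir; return its root."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.breaking_bad").write_bytes(b"\x00" * 16)
    (root / "docs" / "photo.JPG.breaking_bad").write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt").write_text("untouched plain file")
    (root / "README.txt").write_text(NOTE_MARKER + "\nThe details ...")
    (root / "docs" / "README.txt").write_text("ordinary project readme")
    return str(root)

if __name__ == "__main__":
    enc, notes, orig = triage(build_sample())
    print(f"{len(enc)} encrypted files, {len(notes)} ransom notes")
    for o in orig:
        print("lost:", o)
```

The note check looks at file contents rather than the name alone, so an ordinary project README.txt is not mistaken for a ransom note.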

It is essential to note that the activity of Files1147@gmail(.)com does not stop here. Its process repeatedly contacts the C&C server and obtains a list of malicious URLs, which it then downloads from, so the infection keeps pulling in further malware. This behaviour is commonly referred to as a download bot.

According to malware researchers, malware of the following families is frequently downloaded:

  • Trojan.Win32.CMSBrute
  • Trojan.Win32.Miuref
  • Trojan.Win32.Kovter
  • Trojan-Downloader.Win32.Zemot

Judging by the extension and by the fact that it operates together with other malware, it can be assumed that it also works alongside the Los Pollos Hermanos ransomware.

Files1147@gmail(.)com Removal

If you have been infected by the Files1147@gmail(.)com ransomware, you should have at least some experience in removing viruses. Because the Trojan also downloads malware of other families, it is highly recommended that you carefully follow the instructions provided below:

1. Boot Your PC In Safe Mode to isolate and remove Files1147@gmail(.)com
2. Remove Files1147@gmail(.)com with SpyHunter Anti-Malware Tool
3. Remove Files1147@gmail(.)com with Malwarebytes Anti-Malware.
4. Remove Files1147@gmail(.)com with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Files1147@gmail(.)com in the future
NOTE! Important notice about the Files1147@gmail(.)com threat: manual removal of Files1147@gmail(.)com requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry; you can do the removal yourself in about 5 minutes using a malware removal tool.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
