
Remove Herbst Ransomware and Restore .herbst Encrypted Files

Ransomware carrying the name Herbst (German for "autumn") has left people complaining that they no longer have access to their files. This cryptovirus, as ransomware of this kind is also known, uses the AES-256 encryption standard to encode the data on the computers it infects. It then leaves a message written in German saying the user must pay 0.1 BTC to get the files back. Although paying may be tempting when the files are important, experts advise users to wait for the eventual release of a decryptor for the ransomware so that they can restore their files for free.

In the meantime, we have provided instructions to help you remove Herbst and alternative methods that may assist you with decrypting your files.

Threat Summary

Name: Herbst
Type: Ransomware
Short Description: The ransomware encrypts files with AES-256, base64-encodes the result, and asks for a 0.1 BTC ransom (around 50 USD at the time of writing) for decryption.
Symptoms: Files are encrypted and a .herbst file extension is added to them, after which they become inaccessible. A ransom note with instructions for paying the ransom is shown as a pop-up window.
Distribution Method: Spam emails, email attachments, file-sharing networks.

Herbst Ransomware – How Is It Spread

To spread widely, the cyber-criminals behind the ransomware may employ different spamming tools, such as:

  • Web crawlers that scan the web for target websites on which to post URLs that redirect to malicious JavaScript or exploit kits.
  • Ghost referral spam bots that perform the same activity but are more advanced.
  • Email spam campaigns, which are cheap to run at scale and carry malicious URLs or file attachments.

Either way, the user may be redirected to a website that automatically saves a .js (JavaScript) file, or may be infected via an exploit kit; both can drop the malicious files of Herbst onto the machine.

Herbst Ransomware In Detail

Once its malicious executables have been dropped onto the user's computer, Herbst may conceal them in different Windows locations from which they can be executed with elevated privileges. Some of the locations in which the malicious files may reside, and the names they may carry, are shown in the screenshot below:

[Image: commonly used file names and folders]

After it has settled onto the victim's computer, the ransomware may execute a vssadmin command to delete the Volume Shadow Copies, removing the built-in Windows restore points that could otherwise be used to recover files:

[Image: the shadow-copy deletion command]

It may also add a value under one of the following registry keys so that it runs on system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
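The two behaviours just described, shadow-copy deletion and a Run/RunOnce autostart value, are what an endpoint detection rule would key on. The following is an added example of such a rule, not tooling from the article: it parses constructed Sysmon-style events and flags both. Assumptions: the simplified "key=value" log format and its field names, EventID 1 for process creation and 13 for a registry value set (as in Sysmon), and the "vssadmin delete shadows" command-line form, which the article shows only as an image.

```python
"""Spot two of the behaviours described above in endpoint telemetry:
  1. a vssadmin run that deletes Volume Shadow Copies;
  2. a value written under a Run/RunOnce autostart key.

Added example, not tooling from the article. Assumptions: events arrive in a
simplified Sysmon-like "key=value" format (fields EventID, Image, CommandLine,
TargetObject, Details); EventID 1 is process creation and 13 is a registry
value set, as in Sysmon; "vssadmin delete shadows" is the commonly observed
command-line form, since the article shows the command only as an image.
"""
import re

# Constructed sample events, not real telemetry. Sysmon renders HKCU as
# HKU\<user SID>, so the third line is the HKCU\...\Run key from the list above.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Users\\bob\\AppData\\Roaming\\svhost.exe CommandLine="svhost.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhost '
    'Details="C:\\Users\\bob\\AppData\\Roaming\\svhost.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden '
    'Details="DWORD (0x00000001)"',
]

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# vssadmin[.exe] ... delete ... shadows, with any switches in between, any case.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# ...\Software\Microsoft\Windows\CurrentVersion\Run\<value> or RunOnce\<value>;
# matches both the HKCU (HKU\<SID>) and HKLM keys listed in the article.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one 'key=value key="quoted value"' line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def classify(event: dict) -> list:
    """Return the names of the rules an event trips (empty when it trips none)."""
    alerts = []
    if event.get("EventID") == "1" and SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        alerts.append("shadow_copy_deletion")
    if event.get("EventID") == "13" and AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        alerts.append("autorun_persistence")
    return alerts


def scan(lines) -> list:
    """Run every rule over every line; return (rule_name, parsed_event) pairs."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for name in classify(event):
            hits.append((name, event))
    return hits


if __name__ == "__main__":
    for name, event in scan(SAMPLE_EVENTS):
        detail = event.get("CommandLine") or event.get("TargetObject")
        print(f"{name}: {detail}")
```

Two of the five constructed events fire: the shadow-copy deletion and the Run-key write pointing at an executable under the user's roaming profile. The "vssadmin list shadows" event does not, which matters in practice because administrators and backup software run vssadmin legitimately; the rule keys on the delete verb, not on the binary alone.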

Herbst then scans for widely used file types to encrypt. The list below is a generic reference list of common extensions (Source: Fileinfo.com) rather than a confirmed list of exactly what Herbst targets, so treat it as indicative:

.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG

It looks specifically for content in the following folders to encrypt it:

  • Desktop.
  • My Pictures.
  • My Music.
  • Personal.

Herbst Ransomware and Its Encryption

To encrypt data, the Herbst crypto-virus first applies AES encryption and then base64-encodes the result, so an encrypted file is stored as base64 text rather than raw ciphertext. Here is how a file's contents look before and after encryption, as discovered by Fortinet researchers:

[Image: file contents before and after encryption. Source: Fortinet]

In addition, the ransomware appends the .herbst file extension; besides no longer opening, the files look like the following:

[Image: files renamed with the .herbst extension]
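Because the article describes the output as AES ciphertext wrapped in base64 and renamed with .herbst, a responder can sort a victim's files into "really encrypted" and "merely renamed or untouched" without the key. The script below is an added example written for this page, not the article's or Fortinet's tooling, and it decrypts nothing: it checks the extension, strictly decodes the base64 body, and measures the entropy of the decoded bytes, since AES output is indistinguishable from random while base64-wrapped text is not. Assumptions: the 7.5 bits/byte entropy cut-off, the sample file names, and SHA-256 chaining as a stand-in for AES output (the Python standard library has no AES).

```python
"""Triage helper for a suspected Herbst infection: sort files into those whose
contents match the article's description (AES-256 output, base64-encoded,
renamed with a .herbst extension) and those the ransomware left alone.

Added example, not the article's or Fortinet's tooling. It decrypts nothing;
without the AES key the most it can do is tell a responder which files to
preserve for a future decryptor. Assumptions: the 7.5 bits/byte entropy
cut-off, the sample file names, and SHA-256 chaining as a stand-in for AES
output (the standard library has no AES).
"""
import base64
import binascii
import hashlib
import math
import os
import tempfile

ENTROPY_THRESHOLD = 7.5  # assumed cut-off: AES output sits near 8.0, text near 4-5
BASE64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_if_base64(data: bytes):
    """Return the decoded bytes if the whole body is well-formed base64, else None."""
    body = data.strip()
    if not body or any(b not in BASE64_ALPHABET for b in body):
        return None
    compact = bytes(b for b in body if b not in b"\r\n")  # allow wrapped lines
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:  # bad padding or length
        return None


def classify(name: str, data: bytes) -> dict:
    """Verdicts: 'encrypted' (extension + base64 + high-entropy payload),
    'renamed_only' (extension, but the body does not look like ciphertext),
    'untouched' (no .herbst extension)."""
    has_ext = name.lower().endswith(".herbst")
    decoded = decode_if_base64(data)
    entropy = shannon_entropy(decoded) if decoded is not None else None
    if not has_ext:
        verdict = "untouched"
    elif decoded is not None and entropy >= ENTROPY_THRESHOLD:
        verdict = "encrypted"
    else:
        verdict = "renamed_only"
    return {"name": name, "has_herbst_ext": has_ext, "is_base64": decoded is not None,
            "decoded_entropy": entropy, "verdict": verdict}


def scan_dir(root: str) -> list:
    """Classify every regular file below root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            with open(os.path.join(dirpath, fname), "rb") as fh:
                results.append(classify(fname, fh.read()))
    return results


def fake_ciphertext(seed: bytes, nbytes: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES-256 output (constructed)."""
    out, block = bytearray(), seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:nbytes])


# Constructed sample files; the names are assumptions about how victims' files look.
SAMPLES = {
    "report.docx.herbst": base64.b64encode(fake_ciphertext(b"sample-1", 4096)),
    "notes.txt": b"Quarterly notes\nNothing encrypted here.\n",
    "old.herbst": base64.b64encode(b"Plain English, base64-encoded but not AES output. " * 64),
    "photo.jpg.herbst": b"A ransom-note placeholder, not base64 at all!",
}


def demo() -> dict:
    """Write the samples to a temporary directory, scan it, return name -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return {r["name"]: r["verdict"] for r in scan_dir(tmp)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:13s} {name}")
```

Only the file whose decoded body is high-entropy is reported as encrypted; a .herbst file holding base64-wrapped English, or plain text, is reported as renamed only. The verdict is a heuristic for prioritising evidence, so keep every .herbst file regardless: a decryptor released later will need the original ciphertext intact.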

Herbst Ransomware – How It Communicates

To make its demands clear, this ransom virus displays a pop-up window named "Encrypted". It shows a cleverly written message, entirely in German:

[Image: the ransom note. Source: Fortinet]

The message translates to the following:

Your computer has just been encrypted with the help of AES-256, against which any kind of countermeasure is useless; your data can be restored only with the help of a unique key. You could decipher the data yourself, but with today's technology it would take 100 years.
This is why we want to ask for a not-so-big payoff for the decryption key. If you agree to this proposal, we want to make you happy sooner, because our internet database is limited in size and, even if we do not want to, we will soon be forced to delete your files.
After we have received the payment, we will send you a Transaction ID, which you need to paste into the text field, then press the Decrypt button.

Remove Herbst Ransomware And Remove .Herbst File Extension

To delete this ransomware and completely undo everything it has modified on your PC, we strongly advise you to follow either the manual or the automatic removal instructions provided below. Experts also recommend using an advanced anti-malware tool to track down malicious objects automatically and to detect any other malware present on your PC. This is also advisable because it improves future protection.

If you are wondering how to restore your files, direct decryption is not possible at the moment, but there are alternatives. You may have a small chance of recovering your files by trying the methods in step 3, "Restore files encrypted by Herbst." They come with no guarantee, but they offer at least some chance of recovering the files.

Manually delete Herbst from your computer

Note! Manual removal of Herbst requires interfering with system files and the registry, which can damage your PC if done incorrectly. If your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Herbst files and objects
2. Find malicious files created by Herbst on your PC
3. Fix registry entries created by Herbst on your PC

Automatically remove Herbst by downloading an advanced anti-malware program

1. Remove Herbst with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Herbst in the future
3. Restore files encrypted by Herbst
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
