Ransomware carrying the name Herbst (German for "Autumn") has been the reason people are complaining that they no longer have access to their files. What this cryptovirus, also known as ransomware, does is use the strong AES-256 encryption standard to encode the data on the computers it infects. It then leaves a message written in German saying the user must pay 0.1 BTC to get the files back. Although the offer may be tempting when the files are important, experts advise users to wait for an eventual release of a decryptor for the ransomware so that they can restore the files for free.
In the meantime, we have provided instructions to help you remove Herbst and alternative methods that may assist you with decrypting your files.
| Attribute | Details |
|---|---|
| Short Description | The ransomware encrypts files with AES-256, base64-encodes them, and asks for a 0.1 BTC (around 50 USD) ransom payment for decryption. |
| Symptoms | Files are encrypted and a .herbst file extension is added to them, after which they become inaccessible. A ransom note with instructions for paying the ransom is shown as a pop-up window. |
| Distribution Method | Spam emails, email attachments, file sharing networks. |
Herbst Ransomware – How Is It Spread
In order to spread widely, the cyber-criminals behind the ransomware may employ different spamming software, such as:
- Ghost Referral spam bots that perform the same activity, but are more advanced.
- Email Spam campaigns that are extremely expensive and contain malicious URLs or file attachments in them.
Herbst Ransomware In Detail
Once its malicious executables are dropped onto the user’s computer, Herbst ransomware may conceal them in different Windows locations where they can be executed with escalated privileges. Here are some of the locations in which the malicious files may be residing and the names they may have:
Once on the victim's computer, the ransomware may execute the following vssadmin command to delete shadow copies (backups):
It may also modify one of the following registry entries to run on system startup:
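The two behaviours just described, shadow copy deletion via vssadmin and persistence through a Run key, are what a defender would want to alert on. The following is an added example, not code from the original article or from any vendor's product; it runs a small set of rules over constructed Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) records. Because the article does not print the exact vssadmin command or registry path, the rules match the generic "delete shadows" verb and the standard Run/RunOnce keys; every path, SID and executable name in the sample events is a placeholder.

```python
import re

# Constructed sample events, loosely modelled on Sysmon process-creation (EventID 1)
# and registry-value-set (EventID 13) records. They are not telemetry from a real
# Herbst infection; every path, SID and executable name below is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign enumeration, no alert
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\victim\AppData\Roaming\update.exe",
     "Image": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe",   # installer-set Run key, no alert
     "Image": r"C:\Windows\System32\msiexec.exe"},
]

# vssadmin asked to delete shadow copies (any spacing/casing of "delete shadows")
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# Run / RunOnce keys under HKLM or any loaded user hive
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a dropped payload typically lives in: user-writable, not Program Files/Windows
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def detect(events):
    """Return a list of (rule_name, event) alerts for the two behaviours above."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            image = ev.get("Image", "").lower()
            if image.endswith("\\vssadmin.exe") and SHADOW_DELETE.search(ev.get("CommandLine", "")):
                alerts.append(("shadow_copy_deletion", ev))
        elif ev.get("EventID") == 13:
            # A Run key is normal; a Run key pointing into a user-writable folder is the signal.
            if RUN_KEY.search(ev.get("TargetObject", "")) and USER_WRITABLE.search(ev.get("Details", "")):
                alerts.append(("run_key_to_user_writable_path", ev))
    return alerts


def rule_names(events):
    """Just the rule names, in event order, for quick checks and tests."""
    return [name for name, _ in detect(events)]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('CommandLine') or ev.get('TargetObject')}")
```

The shadow-copy rule fires on the verb rather than on a full command line so that switch order or extra flags do not evade it; the Run-key rule deliberately ignores entries whose target sits under Program Files, which keeps installer-created autoruns out of the alert queue.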
Herbst then scans for widely used file types to encrypt, for example:
It looks specifically for content in the following folders to encrypt it:
- My Pictures.
- My Music.
Herbst Ransomware and Its Encryption
To encrypt data, the Herbst crypto-virus first applies AES encryption and then base64-encodes the result. Here is how a file’s contents look before and after encryption, as discovered by Fortinet researchers:
In addition to that, the ransomware appends the .herbst file extension; besides no longer opening, the files look like the following:
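The scheme described above (AES, then base64, then a .herbst extension) leaves two checkable traces in each affected file: the content is valid base64, and what it decodes to is high-entropy data whose length is a multiple of the 16-byte AES block. The following is an added example, not code from the article or from Fortinet, that triages files on that basis. It assumes standard base64 with the usual alphabet, and it builds its own sample "files" in memory; the high-entropy bytes standing in for ciphertext come from a SHA-256 chain, not from AES and not from a real Herbst sample.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

EXTENSION = ".herbst"
AES_BLOCK = 16          # AES block size in bytes; ciphertext length is a multiple of it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy bytes that stand in for AES output in the sample
    below. This is a SHA-256 chain (assumption for the demo), not AES output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def triage_file(name: str, data: bytes) -> str:
    """Classify one file against the described scheme. Verdicts:
    not_flagged      - no .herbst extension
    extension_only   - renamed, but the content does not fit base64(AES ciphertext)
    herbst_candidate - extension plus base64-wrapped, block-aligned, high-entropy content"""
    if not name.lower().endswith(EXTENSION):
        return "not_flagged"
    try:
        decoded = base64.b64decode(data, validate=True)   # reject non-alphabet bytes
    except (binascii.Error, ValueError):
        return "extension_only"
    if len(decoded) % AES_BLOCK == 0 and shannon_entropy(decoded) > 7.0:
        return "herbst_candidate"
    return "extension_only"


def triage(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: triage_file(name, data) for name, data in files.items()}


# Constructed in-memory files (no real victim data): one that fits the scheme,
# one that was merely renamed, one that was never touched.
SAMPLE_FILES = {
    "holiday.jpg.herbst": base64.b64encode(pseudo_ciphertext(4096)),
    "report.docx.herbst": b"This file was only renamed; contents are still plain text.",
    "notes.txt": b"Untouched file, no extension change.",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name:22} {verdict}")
```

The check confirms consistency with the described scheme; it cannot prove a file was produced by Herbst, and without the key it cannot verify padding or recover anything. Its value during response is in separating files that were actually encrypted from ones that were only renamed, so that restoration effort goes where it is needed.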
Herbst Ransomware – How It Communicates
To make its demands clear, this ransomware displays a pop-up window named “Encrypted”. It shows a cleverly written message composed entirely in German:
The message translates to the following:
Remove Herbst Ransomware And Remove .Herbst File Extension
To delete this ransomware and completely eradicate everything it has modified on your PC, we strongly advise you to follow either the manual or the automatic removal instructions we have provided below. Experts also recommend using an advanced anti-malware tool to track down malicious objects automatically and to detect any other malware present on your PC. This is also advisable because it will improve future protection.
If you are wondering how to restore your files, direct decryption is not possible at the moment, but there are other alternatives. You may have a small chance of recovering your files if you try our proposed methods in step 3 – “Restore files encrypted by Herbst.” They are not guaranteed to work, but they offer at least a small chance of recovering the files.