Remove Invisible Empire Ransomware and Restore .payransom Files

The Jigsaw ransomware is back with a fresh variant. This one is themed after the Invisible Empire art exhibit by Juha Arvid Helminen, and the ransomware is named after the exhibition. Like its earlier variants, this crypto-virus encrypts files with more than 120 extensions, appending a .payransom extension. To learn how to restore your files and remove the ransomware, read the article in full.

Threat Summary

Name: Invisible Empire
Type: Ransomware
Short Description: The ransomware encrypts files, appending a .payransom extension, and demands a ransom for decryption.
Symptoms: Files with more than 120 different extensions are encrypted. An Invisible Empire themed lock screen with payment instructions is displayed. Files are erased every hour while the ransom goes unpaid.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Invisible Empire Ransomware – How Does It Spread?

There are multiple ways in which the Invisible Empire ransomware spreads. You might get infected through spam e-mails carrying an attachment with malicious code inside. If such an attachment is opened, the malware is dropped onto your machine. The file probably carries a name like firefox.exe, or that of something else popular and useful, so that it can trick you.

Previous variants of what is now called the Invisible Empire ransomware were also spread via social media networks and file-sharing systems. Dropbox is not excluded as a distribution channel either; it might still be in play. Avoid all suspicious files, websites, and links, as they could very well be just another method of infecting you with the malware.

Invisible Empire Ransomware – Technical Description

The Invisible Empire crypto-virus is classified as ransomware. It encrypts all your files, rendering them unusable, and demands payment of the ransom in Bitcoin. If you do not meet its demands, your files are deleted on an hourly basis. The ransomware is a clone of earlier ransomware: its previous variants are the Jigsaw ransomware and the CryptoHitman ransomware. Neither the Hitman character nor the 'Saw' puppet is used as the theme this time; instead, it is a popular art exhibit.

In the directories %AppData%\Systmd\, %LocalAppData%\Wrkms\ and %AppData%\System32Work, the following files are created:

  • systmd.exe
  • wrkms.exe
  • Address.txt
  • EncryptedFileList.txt

The Windows Registry is modified too. The added registry value is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wrkms.exe %UserProfile%\AppData\Roaming\Wrkms\wrkms.exe

This registry value makes wrkms.exe start automatically: every time the Windows operating system loads, the file is launched and the Invisible Empire ransomware runs.

Next, the ransomware displays a lock screen themed after the art exhibit of the same name by Juha Arvid Helminen. The exhibition's theme is how law enforcement officers can hide behind their uniforms and commit crimes. The ransomware bears the name of this exhibit: Invisible Empire.

The payment instructions are typed out slowly on the lock screen, as if somebody were writing them live at that very moment.

You are told to pay 150 US dollars in Bitcoin within the hour. If you do not comply, the ransomware claims that with each passing hour encrypted files will be removed from your drives until eventually you lose all of them. The sum doubles if you don't pay within 24 hours and triples if payment is not complete within 48 hours.

The message typed out on the lock screen reads:

Your files have been encrypted.
You must pay $150 USD in Bitcoins to the address specified below.
Depending on the amount of files you have your Ransom can double to $300 USD after 24 hours
of non payment and triple to $450 USD after 48 hours of nonpayment.
Your payment amount will be shown below.
We will delete files every hour until you pay!
If you do not have Bitcoins visit www.localbitcoins.com to purchase them.
Your payment BTC Address is below. Files are decrypted instantly after payment.
Everytime you restart your computer it recrypts everything. It will take a while
for you to see the this screen again. Copy the BTC address and email it to yourself.
If you copy it on your computer the file will be crypted when you restart the computer.
Every time you restart the computer you run the risk of damaging the hard drive.
Files are decrypted instantly after payment is received.

3 files will be deleted. 3 archivos seran borrados.

Send – Envie $150 worth of Bitcoins here – de Bitcoins aqui:

As a side note on the lock screen, the following text is written:

YOUR FILES HAVE BEEN ENCRYPTED
YOU MUST PAY TO GET THEM BACK
Visit www.LocalBitcoins.com
To purchase if you dont have any.
Send the coins to the address specified.

Paying the ransom demanded by the Invisible Empire ransomware is not advised. Nobody can guarantee that you will get your files back or that they will work. Spending money to support cyber criminals only gives them motivation and capital to commit more crimes or improve their ransomware. Note that restoration methods are described at the end of this article, and you can also read about a decryptor.

The Invisible Empire ransomware looks for files to encrypt on all types of storage devices, HDDs and SSDs, external or internal. This variant again searches for files with more than 120 extensions. The known list is:

→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm is still used for encryption in this Jigsaw ransomware clone. This variant appends .payransom to the names of encrypted files. If you restart your machine, nearly 1,000 of the encrypted files may be wiped from your disk drives.
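As an added triage example (not code from the article or its author), the following PowerShell script checks a machine for the indicators described above: the wrkms.exe Run value, the dropped files in the three directories, and .payransom files under the user profile. It assumes PowerShell 5.1 or later on Windows, is run as the affected user, and only reads; the paths are built from the environment variables the article names.

```powershell
# Added read-only triage script for the Invisible Empire indicators listed in the article.
# Assumptions: Windows, PowerShell 5.1+, run as the user whose profile was hit.

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'wrkms.exe'                       # value name quoted in the article
$dropDirs = @(
    (Join-Path $env:APPDATA      'Systmd'),   # %AppData%\Systmd\
    (Join-Path $env:LOCALAPPDATA 'Wrkms'),    # %LocalAppData%\Wrkms\
    (Join-Path $env:APPDATA      'System32Work')
)
$dropFiles = @('systmd.exe', 'wrkms.exe', 'Address.txt', 'EncryptedFileList.txt')

$findings = @()

# 1. Autostart entry: the article reports wrkms.exe registered under HKCU ... \Run
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
    $findings += "Run value '$runValue' -> $($run.$runValue)"
}

# 2. Dropped files in the three directories named in the article
foreach ($dir in $dropDirs) {
    foreach ($name in $dropFiles) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
    }
}

# 3. Encrypted files: this variant appends .payransom to the original file name
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File `
    -Filter '*.payransom' -ErrorAction SilentlyContinue
if ($encrypted) {
    $findings += "Encrypted files: $($encrypted.Count) *.payransom under $env:USERPROFILE"
    # The original extension is the one just before .payransom,
    # e.g. report.docx.payransom -> .docx; summarise the ten most affected types
    $encrypted | Group-Object { [IO.Path]::GetExtension($_.BaseName) } |
        Sort-Object Count -Descending | Select-Object -First 10 |
        ForEach-Object { $findings += ('  {0,-8} {1}' -f $_.Name, $_.Count) }
}

if ($findings.Count -eq 0) { 'No Invisible Empire indicators from the article were found.' }
else { $findings }
```

Run it before any reboot: the article states that restarting the machine wipes further encrypted files, so collect these indicators first and then follow the safe-mode removal steps below.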

Because the core of the ransomware hasn't changed, a way to restore your files still exists. If you already restarted your computer after the encryption completed and lost some files, don't worry: data recovery tools can help you recover part of them.

Remove Invisible Empire Ransomware and Restore .payransom Encrypted Files

If the Invisible Empire ransomware infected your computer, don't worry: a free way to decrypt the files exists. Removing the ransomware does require at least a little experience in removing viruses. See the instructions below to learn how to recover your files.

Manually delete Invisible Empire from your computer

Note! Important notice about the Invisible Empire threat: manual removal of Invisible Empire requires interfering with system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Invisible Empire files and objects.
2. Find malicious files created by Invisible Empire on your PC.
3. Fix registry entries created by Invisible Empire on your PC.

Automatically remove Invisible Empire by downloading an advanced anti-malware program

1. Remove Invisible Empire with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Invisible Empire in the future
3. Restore files encrypted by Invisible Empire
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
