Remove Masterlock@india.com Ransomware Virus and Restore .Crypt Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove [email protected] Ransomware Virus and Restore .Crypt Encrypted Files

help-removal-sensorstechforumRansomware Virus, belonging to the “@” ransom variants has been reported to encode user files and add a custom file extension to them. It also leaves the email by which victims can contact the cyber-outlaws – [email protected] Once contacted the victims receive instructions on how to pay the sum of 3 BitCoins which is approximately 1600 USD at the time of writing and receive a decryption key. Since some infected users have managed to restore their files using a Kaspersky decryption program, we strongly advise to read this article, remove Masterlock ransomware and try to restore the files yourself.

Threat Summary

Name

[email protected]

TypeRansomware
Short DescriptionThe malware encrypts users’ files and then leaves its e-mail to extort them for granting access to the encrypted files.
SymptomsThe user may witness an extension with an e-mail, unique id and .crypt word in it. The cyber-criminals send a ransom message demanding 3 BTC as a payoff.
Distribution MethodVia an Exploit kit or a malicious Java Script.
Detection Tool See If Your System Has Been Affected by [email protected]

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Cerber Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] – Distribution Mechanisms

How does one ransomware infect users is the most important part of the infection process. Similar to [email protected] ransomware, the criminals behind [email protected] are reported to use spam e-mail messages that may contain different information, for example:

“Subject: Holiday Property
Hello
We have successfully purchased your property located at:
{MALICIOUS URL HERE}
We can provide free listings of the property on our website.
{MALICIOUS URL HERE}
Please check the receipt for more information:
{MALICIOUS ATTACHMENT}
Regards,
Holiday Properties Inc.”

Such malicious e-mails may either activate an Exploit Kit or a malicious JavaScript which can download the malware directly onto the infected user’s computer.

[email protected] Ransomware – Detailed Overview

The malware may use a so-called process obfuscators to hide its malicious .exe file, an activity noticed with another of its variants – [email protected]. Besides the main malicious file, it may also create files of the following types:

→ .dll, .tmp, .vbs, .bat, .cmd, .reg

Such files may be placed in one or multiple Windows locations:

  • %AppData%
  • %Documents%
  • %Windows%
  • %Local%
  • %Roaming%
  • %Temp%

The [email protected] ransomware may also create a registry entry to have it’s encryption process run every time the user starts Windows:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”{Malicious File’s name}.exe” = ” {Location of the file}

When the encryption process is initiated, the ransomware looks for the most commonly used files, associated with videos, photos, databases, audio files, documents and others, for example:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com

Each file It detects is encrypted, using one of the following encryption ciphers:

  • AES-128
  • AES-256
  • AES-512
  • RSA-1024
  • RSA-2048

After encrypting the files, they become unusable and [email protected] ransomware ads a custom ID, the e-mail and .crypt as an extension of the encrypted file, for example:

→ New Text [email protected]

When the desperate user contacts the cyber-criminals via the [email protected] e-mail address, they may send the following message as a reply:

→ “Hello, dear friend!
We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.
We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.
All your files are encrypted and can not be accepted back without our professional help.
Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter.
And so our high-grade and quick service is not free.
Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here https://localbitcoins.com/faq
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?
The Bitcoin wallet for payment is 12yDGpp82ejLqT6GbE4qAPtCYAKRpksbWd
After the transfer of bitcoins please send email with screenshot of the payment page.
We does not advise you to lose time, because the price will encrese with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files for test.
To check this you can upload any 1 encrypted file on web site dropmefiles.com, size no more than 10 MB (only 1 text file or a photo) and send us a download link.
Certainly after payment we guarantee prompt solution of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.
Kind regards, Master Lock.” Source:Infected User

This type of ransom messages are often referred to as fake tech support helpers. They are specific because instead of threatening the user, they pretend to be the solution. It is particularly useful against users with less experience especially when it comes to ransomware.

Furthermore, this ransomware even offers to decrypt 1 file which is up to 10 MB for free, to show to the user who is in control and what “must” be done to get the files back. However, security experts strongly advise against paying the ransom and dealing with the threat via a different approach.

Remove [email protected] Ransom Virus and Restore Your Files

To remove this ransomware, all you should do is follow our instructions below. They will help you discover the malicious files and registry objects belonging to [email protected] ransomware. In case you are having difficulties in manually discovering the malicious objects, experts recommend using an advanced anti-malware tool and scanning your computer in safe mode, as shown below. This will help automatically detect everything associated with the virus and remove it surgically without affecting your files.

In case you wish to restore your files, we strongly advise following the instructions of step “3. Restore files encrypted by [email protected] below. From those instructions, we recommend running the Rannoh Decrypter by Kaspersky since this ransomware belongs to the Rannoh variants. If one file does not work with the decrypter, be advised that you should keep trying with different files until you find a password (key) with which you can restore the other locked files as well. We also recommend that you choose files with smaller sizes first and set your computer to be always awake and not to automatically Hybernate or Sleep since the decryption process may take from hours up to days.

Manually delete [email protected] from your computer

Note! Substantial notification about the [email protected] threat: Manual removal of [email protected] requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove [email protected] files and objects
2. Find malicious files created by [email protected] on your PC
3. Fix registry entries created by [email protected] on your PC

Automatically remove [email protected] by downloading an advanced anti-malware program

1. Remove [email protected] with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by [email protected] in the future
3. Restore files encrypted by [email protected]
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.