Remove MENSAGEM.txt Crypto-Malware and Restore .lock Encrypted Files

mesagem-txt-file-ransomwareRansomware infection, named Able, written for Brazilian users has been reported to be on the rise. The ransomwar displays a terrifying picture after which notifies users in its ransom note that their files are encrypted. The Brazillian ransomware also adds a “.lock” extension to the files which have been encoded. Researchers have reported that a very strong algorithm has been used(AES-256) which prevents users from accessing their files. Infected users are advised NOT to pay any ransom money demanded by the criminals and wait for alternative solutions. We will post and update here as soon as they are released, so we advise following this article. In the meantime, you may want to remove the ransomware and try restoring your files using the methods which have been provided after this article.

Threat Summary

NameAble
TypeRansomware
Short DescriptionThe ransomware encrypts files with a strong cipher and asks a ransom for decryption in Brasilian.
SymptomsFiles are encrypted with the .lock file extension and the AES-256 cipher and become inaccessible. A ransom note with instructions for paying the ransom shows as a “MESAGEM.txt” file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Able

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Able Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

The Able Ransomware – How Is It Distributed

To successfully spread it across computers, the cyber criminals may use different strategies:

  • Infected flash drives.
  • Infected e-mail archives and other attachments such as Microsoft Documents that are spread via malicious macros.
  • Malicious web links spread across users via different types of spam messages.

Users should be aware of any method that the crooks behind the Brazilian ransomware may use and scan every web link and file they believe is suspicious using VirusTotal before they open it. We also recommend following our security tips for maximum future protection.

The Able Ransomware In Detail

Similar to the Italian Bloccato Ransomware it has been executed on the computer, the Brazilian crypto malware may situate various files in the following Windows locations:

commonly used file names and folders

After this has been done, the malware may execute its malicious modules, and they may have different functions. One of the functions may be to modify the following Windows Registry Entries:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

This may be done by the Brazilian ransomware to make its malicious file that encrypts the data on the compromised device to run automatically, usually when you restart your computer. Once this file runs, it may begin to scan for and encrypt files with different file extensions, such as the following examples:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com

After encrypting the files of the compromised computer, the ransomware adds the .lock file extension to the encrypted files of the compromised computer, for example:

→ Picture.jpg.lock

After the files have been encrypted, the virus drops a “MESAGEM.txt” file on the desktop or on the folders with encrypted files. It contains the following ransom note:

Original:
TODOS OS SEUS ARQUIVOS FORAM BLOQUEADOS !
PARA DESBLOQUEAR SUAS INFORMAÇÕES, ACESSE O LINK: http://is.gd/comunicado1
mesagem-txt-ransom-note-sensorstechforumou http://is.gd/comunicado2
ou http://is.gd/comunicado3
Translated:
ALL YOUR FILES WERE LOCKED!
TO UNLOCK YOUR INFORMATION, VISIT THE LINK: http://is.gd/comunicado1
or http://is.gd/comunicado2
or http://is.gd/comunicado3

Not only this, but the .lock malware also sets the following message as a wallpaper on the infected computer:

encrypted-ransom-note-Brazillian-ransomware-sensorstechforum

The message from the wallpaper roughly translates to the following:

→ “All your files were locked !!!
So the decryption is the same, go to the ‘message’ file created on your desktop, after accessing instructions follow them for the release of all your files!
If you do not follow the steps, your entire database will be deleted !!!
Without following the message instructions and impossible the recovery of files !!!!”

Able Ransomware – Summary, Removal, and File Decryption of .lock Files

Malware researchers strongly believe that this devastating ransomware variant is a part of the HiddenTear project. The creators of the ransomware most likely aim at Brazilian or Portuguese computers. They do not fool around, threatening users to lock their computer if they do not pay money to restore their files.

However, in case you have been infected by .lock Brazilian ransomware, we advise you to not pay the ransom amount In any circumstances, because this way you assist the malware developers by funding the development of the virus and you may also not get your files back. This is why we strongly recommend you to follow the instructions below to remove the Brazilian Ransomware from your computer.

Regarding file decryption, researchers like Demonslay335 strongly recommend to infected users to try the free tools to BruteForce and decrypt files encrypted by the ransomware:

HiddenTear BruteForcer
HiddenTear Decrypter

If those solutions do not work for you, you may also want to review the alternative methods for file reverting, posted in step “3. Restore files Encrypted by .Lock Ransomware”.

Manually delete Able from your computer

Note! Substantial notification about the Able threat: Manual removal of Able requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Able files and objects
2.Find malicious files created by Able on your PC
3.Fix registry entries created by Able on your PC

Automatically remove Able by downloading an advanced anti-malware program

1. Remove Able with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Able in the future
3. Restore files encrypted by Able
Optional: Using Alternative Anti-Malware Tools
Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.