How Can I Remove NegozI Ransomware and Decrypt .evil Files?

Reports have appeared about a new crypto virus called NegozI ransomware. According to victims, the ransomware appends the “.evil” extension to encrypted files and demands a payment in exchange for their decryption. Because of the extension it adds, some victims may refer to the threat as “.evil ransomware” or “.evil virus”. Another possible name for the ransomware is “[email protected](.)me ransomware”, after the email address provided in the ransom note. Because the ransom notes are similar, researchers suspect that NegozI ransomware has something in common with Sanction ransomware. The two ransomware pieces may be operated by the same individual or group of individuals.

Threat Summary

Name: NegozI Ransomware
Type: Ransomware
Short Description: The ransomware encrypts files and appends an ‘.evil’ extension.
Symptoms: Files are enciphered and become inaccessible. A text file with ransom instructions is added.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Is NegozI Ransomware Spread?

Ransomware viruses typically rely on several distribution vectors:

  • Spam emails and malicious email attachments or corrupted links;
  • Social networks and file sharing services.

Keep in mind that if you open a malicious attachment, the malware can be injected automatically. Malicious code can also be ‘hidden’ in the text of the email itself, which means that you can get infected just by opening the message, without any further interaction.

More sophisticated ransomware viruses can be distributed via exploit kits. However, it’s not reported that NegozI is spread this way.

You should also be careful with file sharing services, p2p networks and social networks, as malware and ransomware operators may exploit them to spread their payload to as many users as possible.

Torrent websites are often at fault for the distribution of Trojan horses. That being said, ransomware such as NegozI may be distributed with the help of Trojans.

Technical Details about NegozI Ransomware and .Evil Extension

At this moment, not much information is available about NegozI ransomware. When a computer is infected, an executable or a type of batch file is usually created, and the ransomware could make new entries in the Windows Registry.

The executable's name can be generated randomly, so that it is different on every system. Keep in mind that such Windows Registry modifications are usually made under the following keys:

→HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

and

→HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

This way, the ransomware may load automatically upon every system restart.
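
Because the executable's name differs on every system, searching for a known file name is unreliable. The following added example (not code from the original article) instead reviews an exported copy of the two registry locations above by default value and by file location. The function names, the list of user-writable directories and the sample export are assumptions made for illustration.

```python
import re

# The two autostart locations named in the article, lower-cased for matching.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption (not from the article): autostart binaries under these
# user-writable directories deserve a manual look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# A string value in .reg syntax: "name"="data", where a backslash escapes
# the character that follows it.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping: drop each escaping backslash, keep the next char.
    return re.sub(r"\\(.)", r"\1", s)

def audit(reg_text):
    """Return (rule, value_name, data) for each autostart value worth reviewing."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # entering a new registry key
            continue
        m = VALUE_RE.match(line)
        if not m or key not in (WINLOGON, RUN):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if key == WINLOGON:
            # The default Shell is plain explorer.exe; anything else is a change.
            if name.lower() == "shell" and data.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", name, data))
        elif any(p in data.lower() for p in USER_WRITABLE):
            findings.append(("run-user-writable", name, data))
    return findings

# Constructed sample export; every file name and path here is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\xkqjz.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"upd"="\"C:\\Users\\alice\\AppData\\Roaming\\qwfpg.exe\" /s"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A file produced by reg export is UTF-16, so read it with encoding="utf-16" before passing its text to audit(). Values stored as REG_EXPAND_SZ appear as hex(2): lines and are skipped by this parser.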

This is the ransom note dropped by NegozI, according to research:

All your files have been encrypted with NegozI Ransomware.
For each file unique ,strong key. Algorithm AES256
All your attempts to restore files on their own, lead to the loss of the possibility of recovery and we are not going to help you.
All your actions are traced and known to us.

If you do not make payment within 5 days, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: https://www.coinbase(.)com/ , https://block.io or http://blockchain(.)info
How to buy /sell and send Bitcoin:
1)https://support.coinbase.com/customer/en/portal/topics/[NUMBERS]-payment-method-verification/articles
2)https://support.coinbase.com/customer/en/portal/topics/[NUMBERS]-buying-selling-bitcoin/articles
3)https://support.coinbase.com/customer/en/portal/topics/[NUMBERS]-sending-receiving-bitcoin/articles

After the payment, send the wallet from which paid and your uniq ID to mail : [email protected](.)me
After receiving the payment, we will contact and give you decryption tools and faq how to decrypt your files.

NegozI Ransomware Removal Instructions

If you have been infected by NegozI ransomware, you should consider following the removal instructions below the article.

Manually delete NegozI Ransomware from your computer

Note! Important notice about the NegozI Ransomware threat: manual removal of NegozI Ransomware requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove NegozI Ransomware files and objects
2. Find malicious files created by NegozI Ransomware on your PC
3. Fix registry entries created by NegozI Ransomware on your PC

Automatically remove NegozI Ransomware by downloading an advanced anti-malware program

1. Remove NegozI Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by NegozI Ransomware in the future
3. Restore files encrypted by NegozI Ransomware
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
