Reports have appeared about a new crypto virus, called NegozI ransomware. According to victims, the ransomware appends “.evil” extension to encrypted files and demands a payment in exchange for their decryption. Because of the extension it adds, some victims may refer to the threat as “.evil ransomware” or “.evil virus”. Another possible name for the ransomware is “[email protected](.)me ransomware” – after the email address provided in the ransom note. Due to the similar ransom notes, researchers suspect that NegozI ransomware has something in common with Sanction ransomware. The two ransomware pieces may be operated by the same individual or group of individuals.
|Short Description||The ransomware encrypts files and appends an ‘.evil’ extension.|
|Symptoms||Files are enciphered and become inaccessible. A text file with ransom instructions is added.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by NegozI Ransomware |
Malware Removal Tool
|User Experience||Join our forum to discuss NegozI Ransomware|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
How Is NegozI Ransomware Spread?
Ransomware viruses typically rely on several distribution vectors:
- Spam emails and malicious email attachments or corrupted links;
- Social networks and file sharing services.
Keep in mind that if you open a malicious attachment, the malware can be injected automatically. Malicious code can also be ‘hidden’ in the text of the email itself which means that you can get infected just by opening the message, without the need of further interaction.
More sophisticated ransomware viruses can be distributed via exploit kits. However, it’s not reported that NegozI is spread this way.
You should also be careful with file sharing services, p2p networks and social networks, as malware and ransomware operators may exploit them to spread their payload to as many users as possible.
Torrent websites are often at fault for the distribution of Trojan horses. That being said, ransomware such as Negozl may be distributed with the help of Trojans.
Technical Details about NegozI Ransomware and .Evil Extension
At this moment, not much information is available about Negozl ransomware. When your computer is infected, an executable or a type of batch file is usually created, and the ransomware could make new entries in the Windows Registry.
The executable can be generated on a random basis so that it has a different name on every system. Keep in mind that modifications in the Windows Registry are usually created in the following registry entries:
This way, the ransomware may load automatically upon every system restart.
This is the ransom note dropped by NegozI, according to research:
All your files have been encrypted with NegozI Ransomware.
For each file unique ,strong key. Algorithm AES256
All your attempts to restore files on their own, lead to the loss of the possibility of recovery and we are not going to help you.
All your actions are traced and known to us.
If you do not make payment within 5 days, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: https://www.coinbase(.)com/ , https://block.io or http://blockchain(.)info
How to buy /sell and send Bitcoin:
After the payment, send the wallet from which paid and your uniq ID to mail : [email protected](.)me
After receiving the payment, we will contact and give you decryption tools and faq how to decrypt your files.
NegozI Ransomware Removal Instructions
If you have been infected by NegozI ransomware, you should consider following the removal instructions below the article.