Remove Ransomware and Restore .777 Encrypted Files - How to, Technology and PC Security Forum |

Remove [email protected] Ransomware and Restore .777 Encrypted Files

2016-051919-1952-99.2It appears that Ninja ransomware may be back and this time it uses [email protected], [email protected] and [email protected] cyber-criminal addresses. The ransomware does not even use a ransom note, instead leaving the Ninja.Gaiver e-mail address on the files it encrypts. The encrypted files are with a .777 file extension, and the encryption algorithm is believed by researchers to be a XOR mask. Users who have been affected by this nasty ransomware virus are warned to immediately remove it and try restoring their files using alternative methods such as the ones at the end of this article.

UPDATE! A derypter for .777 has been developed by researchers at EmsiSoft. You may download and use it by clicking the following web link:
Emsisoft Decrypter for 777 Files.

Threat Summary

Short DescriptionThe ransomware encrypts files with a XOR mask and asks a ransom for decryption.
SymptomsFiles are encrypted with the .777 file extension added to them along with the email address and become inaccessible. A ransom note with instructions for paying the ransom shows is added as a file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Ninja.Gaiver


Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Ransomware – Distribution

Similar to the older variant of Ninja Ransomware, this variant may slip past the antivirus by using an obfuscated malicious executable. Such may be spread via several methods:

Via an infected flash drive – most users may become victims of a malicious flash drive inserted on their computer that may take advantage of the Windows AutoPlay function.

By downloading content from unknown websites – such sites, for example, unknown torrent websites may contain ripped software that may have a key generator(keygen) or a crack(exe) file that is usually used to crack the application and let users use it for free. However these are also a perfect bait for the user and malware writers know that.

By becoming a victim to a drive-by download – such downloads may usually be caused by visiting malicious URL web links that may be displayed to the user as a consequence of having a PUP (Potentially Unwanted Application or Adware) such as DNS Unlocker, for example, installed on their computer.

[email protected] Ransomware – More About It

Once it has been executed on your computer, Ninja.Gaiver Ransomware may download a malicious executable on your computer. It could be located in different places, but the usually targeted locations are:

commonly used file names and folders

The malicious file may be of several different file types:

→ .dll; .tmp; .bat; .exe; .vbs; .reg;

It may contain different names, for example:

  • Adobe-Updater.exe
  • Setup.exe
  • {298h128-d3b0bfn30}.exe
  • Aaaa.tmp
  • Pac-man.dll

Besides that, Ninja.Gaiver Ransomware may create a registry entry for the malicious executable, allowing it to run and encrypt files every time you start your Windows. The targeted key in the Windows Registry Editor is the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Furthermore, the ransomware may execute the following command to delete your shadow volume copies:

→ vssadmin delete shadows /for={Your volume} /all /shadow={ID}] /quiet

Then, the Ninja.Gaiver Ransomware may begin to scan for and encrypt files with the following file extensions, for example:

→ .3ds .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .alk .arj .axx .bak .bpw .cdr .cer .crp .crt .csv .db .dbf .dbx .der .doc .docm .docx .dot .dotm .dotx .drc .dwfx .dwg .dwk .dxf .eml .enz .fdb .flk .flka .flkb .flkw .flwa .gdb .gho .gpg .gxk .hid .hid2 .idx .ifx .iso .k2p .kdb .kdbx .key .ksd .max .mdb .mdf .mpd .mpp .myo .nba .nbf .nsf .nv2 .odb .odp .ods .odt .ofx .ost .p12 .pdb .pdf .pfx .pgp .ppj .pps .ppsx .ppt .pptx .prproj .psd .pst .psw .qba .qbb .qbo .qbw .qfx .qif .rar .raw .rfp .rpt .rsa .rtf .saj .sdc .sdf .sef .sko .sql .sqlite .sxc .tar .tax .tbl .tc .tib .txt .wdb .xbrl .xls .xlsm .xlsx .xml .zip Source: Symantec

After doing so, the Ninja.Gaiver ransomware adds the .777 file extension to the encrypted files along with its aol e-mail address. An encrypted file is reported by infected users to look like the following:

→ New Text Document.txt.{date-and-time-of-encryption}[email protected](or one of the other e-mails)$.777

Ninja.Gaiver Ransomware – Conclusion and Removal

The bottom line for the Ninja.Gaiver ransomware is that it was created for one purpose – to contact the [email protected] e-mail address so that you can be provided with instructions, negotiate the price to decode your files and even ask the cyber-crooks to decrypt a file for free. We strongly advise against paying any ransom money and removing this threat, because first you fund the cyber-criminals to develop this malware and second you may not get your files 100% back.

To remove this ransomware, be advised that you are welcome to try our removal instructions since they are methodologically arranged to help your situation and delete it. In case you want to have maximum effectiveness while removing and remain protected in the future as well, you should download an advanced anti-malware software which will detect all associated files and registry entries and remove them.

To decrypt your files, fortunately there has been a decryptor released by Emsisoft researchers. You may find it if you click on the link above the table of information at the start of this article. Also, you may also find useful the alternative methods that “go around” direct decryption. All of the restoration methods can be found in the step “Restore files encrypted by Ninja.Gaiver” below just in case the decryptor does not work for you.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website


  1. Arvind Chouhan

    Any update on how to decrypt those files?

    1. Vencislav Krustev

      Hello, Arvind

      As written in the “Update” window in the first paragraph, there has been a decryptor released for victims of the .777 ransomware. You can download it from the EmsiSoft URL below(It’s free):

      1. Arvind Chouhan

        Thanks for your reply. I tried that but it seems that we are unable to restore our data. BTW thanks for your blog and reply. :)

        1. Vencislav Krustev

          Don’t hesitate to open a topic on our forum if you have any tech-related questions. We will reply as soon as able : )

          1. Nick

            Hi Venci,

            Ima li reshene za dekodiarane na [email protected] files?


          2. Vencislav Krustev (Post author)

            Привет, Ник

            За момента, на Емсисофт декриптора би трябвало да работи. Безплатен е. Можеш да си го изтеглиш от този уеб линк:

        2. Dennis

          The “encryption” is a simple xor mask. You should be able to restore your files rather easily.

          1. Colin

            our data has been encrypted with the extension xtbl (using the email address [email protected][email protected] I have a .777 decrypter which doesn’t work but is this the same variant do you know?? thanks in advance!

          2. Dennis

            I’ve seen two variants of the 777 ransomware. One encrypts with a simple 0x37 XOR mask. This is the version that emisoft’s decryptor will undo. The other is slightly more sophisticated and uses a 0x2021222324252627 XOR mask. Other variants may use different masks. If you have an unencrypted version of a file, you can compare it to the encrypted one to find the actual mask used. Then, it’s a simple matter (for a programmer) to restore all your originals. Even if you don’t have any unencrpted versions of files to compare against, examining either an encrypted text file, or a file that might have a lot of zeros (in the original) should readily reveal the mask used.
            Please don’t hesitate with any further questions…

          3. Colin

            Thanks so much for your reply. I do have an unencrypted copy of one of the files which I found yesterday. Who would you suggest I look to contact now that I have both before and after decrypted files? I presume this may possibly help to decrypt the files

          4. Dennis

            If you can XOR the two files together, that will give you the mask, which you can use to decrypt the files. If you are familiar with pretty much any programming language, or know someone who is, this should be fairly simple.

          5. Francesco

            Hi Dennis, i have just taken Ninja Gaiver ransom, have you got one mail where i can send you a file to see if you can help me? I have a copy of a clean file and a copy of a encripted. I will pay you the service or can make some try if you explain me better how. Hope in your help.

          6. Dennis

            Francesco, you can e-mail me your files at [email protected]. I can take a look at them, but can’t promise anything.

  2. SensorsTechForumSensorsTechForum

    Hi Bashir,

    Unfortunately, this is a new ransomware from the XTBL family for which there is no way to decrypt files. Read more about it here:

    Kaspersky and Emsisoft decryptors didn’t work with your files. However, you can still try and recover your data via software recovery tools. Let us know if you have more questions!


    1. Dennis

      Before accepting this answer, it may be worth your while to do a little more research. Note that this page also called the 777 encryption “one of the strongest used” when in fact it is trivial.

      1. SensorsTechForumSensorsTechForum

        Hello Dennis,

        Actually, Bashir sent us a couple of files and that’s how we knew he’s been infected with a new variant of XTBL ransomware. Because we’re always willing to help victims of ransomware, we tried the available EmsiSoft decrypter and it didn’t work. If you have any useful information, we’d be more than happy to continue this conversation.

        Stay tuned,


        1. Dennis

          Yes, but some versions of the 777 were also not decrypted by either the Kaspersky or Emsisoft decrypters. None the less, the decryption was simple: an 0x2021222324252627 XOR mask. It should be easy to detect if an XOR mask is being used, and, if so, what that mask is. First, check if your encrypted and unencrypted files are the same size. If so, XOR the files together and see if the XOR mask appears. Then, apply the XOR mask and voila, your files are decrypted.

  3. Je Be

    I paid 3 bitcoins (about $1800) to the hackers, got the odd reply but DID NOT get the code to decrypt. Total waste of money on a big time a-hole, spend your time and cash elsewhere, not all hackers come through when you pay up. Mine was [email protected]

    1. Milena Dimitrova

      Hi Je Be,

      Thank you for the warning! We suppose that your data was quite valuable and that’s why you decided to proceed with the payment.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share