Remove [email protected] Ransomware and Restore .777 Encrypted Files

2016-051919-1952-99.2It appears that Ninja ransomware may be back and this time it uses [email protected], [email protected] and [email protected] cyber-criminal addresses. The ransomware does not even use a ransom note, instead leaving the Ninja.Gaiver e-mail address on the files it encrypts. The encrypted files are with a .777 file extension, and the encryption algorithm is believed by researchers to be a XOR mask. Users who have been affected by this nasty ransomware virus are warned to immediately remove it and try restoring their files using alternative methods such as the ones at the end of this article.

UPDATE! A derypter for .777 has been developed by researchers at EmsiSoft. You may download and use it by clicking the following web link:
Emsisoft Decrypter for 777 Files.

Threat Summary

Short DescriptionThe ransomware encrypts files with a XOR mask and asks a ransom for decryption.
SymptomsFiles are encrypted with the .777 file extension added to them along with the email address and become inaccessible. A ransom note with instructions for paying the ransom shows is added as a file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Ninja.Gaiver


Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Ransomware – Distribution

Similar to the older variant of Ninja Ransomware, this variant may slip past the antivirus by using an obfuscated malicious executable. Such may be spread via several methods:

Via an infected flash drive – most users may become victims of a malicious flash drive inserted on their computer that may take advantage of the Windows AutoPlay function.

By downloading content from unknown websites – such sites, for example, unknown torrent websites may contain ripped software that may have a key generator(keygen) or a crack(exe) file that is usually used to crack the application and let users use it for free. However these are also a perfect bait for the user and malware writers know that.

By becoming a victim to a drive-by download – such downloads may usually be caused by visiting malicious URL web links that may be displayed to the user as a consequence of having a PUP (Potentially Unwanted Application or Adware) such as DNS Unlocker, for example, installed on their computer.

[email protected] Ransomware – More About It

Once it has been executed on your computer, Ninja.Gaiver Ransomware may download a malicious executable on your computer. It could be located in different places, but the usually targeted locations are:

commonly used file names and folders

The malicious file may be of several different file types:

→ .dll; .tmp; .bat; .exe; .vbs; .reg;

It may contain different names, for example:

  • Adobe-Updater.exe
  • Setup.exe
  • {298h128-d3b0bfn30}.exe
  • Aaaa.tmp
  • Pac-man.dll

Besides that, Ninja.Gaiver Ransomware may create a registry entry for the malicious executable, allowing it to run and encrypt files every time you start your Windows. The targeted key in the Windows Registry Editor is the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Furthermore, the ransomware may execute the following command to delete your shadow volume copies:

→ vssadmin delete shadows /for={Your volume} /all /shadow={ID}] /quiet

Then, the Ninja.Gaiver Ransomware may begin to scan for and encrypt files with the following file extensions, for example:

→ .3ds .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .alk .arj .axx .bak .bpw .cdr .cer .crp .crt .csv .db .dbf .dbx .der .doc .docm .docx .dot .dotm .dotx .drc .dwfx .dwg .dwk .dxf .eml .enz .fdb .flk .flka .flkb .flkw .flwa .gdb .gho .gpg .gxk .hid .hid2 .idx .ifx .iso .k2p .kdb .kdbx .key .ksd .max .mdb .mdf .mpd .mpp .myo .nba .nbf .nsf .nv2 .odb .odp .ods .odt .ofx .ost .p12 .pdb .pdf .pfx .pgp .ppj .pps .ppsx .ppt .pptx .prproj .psd .pst .psw .qba .qbb .qbo .qbw .qfx .qif .rar .raw .rfp .rpt .rsa .rtf .saj .sdc .sdf .sef .sko .sql .sqlite .sxc .tar .tax .tbl .tc .tib .txt .wdb .xbrl .xls .xlsm .xlsx .xml .zip Source: Symantec

After doing so, the Ninja.Gaiver ransomware adds the .777 file extension to the encrypted files along with its aol e-mail address. An encrypted file is reported by infected users to look like the following:

→ New Text [email protected](or one of the other e-mails)$.777

Ninja.Gaiver Ransomware – Conclusion and Removal

The bottom line for the Ninja.Gaiver ransomware is that it was created for one purpose – to contact the [email protected] e-mail address so that you can be provided with instructions, negotiate the price to decode your files and even ask the cyber-crooks to decrypt a file for free. We strongly advise against paying any ransom money and removing this threat, because first you fund the cyber-criminals to develop this malware and second you may not get your files 100% back.

To remove this ransomware, be advised that you are welcome to try our removal instructions since they are methodologically arranged to help your situation and delete it. In case you want to have maximum effectiveness while removing and remain protected in the future as well, you should download an advanced anti-malware software which will detect all associated files and registry entries and remove them.

To decrypt your files, fortunately there has been a decryptor released by Emsisoft researchers. You may find it if you click on the link above the table of information at the start of this article. Also, you may also find useful the alternative methods that “go around” direct decryption. All of the restoration methods can be found in the step “Restore files encrypted by Ninja.Gaiver” below just in case the decryptor does not work for you.

Manually delete Ninja.Gaiver from your computer

Note! Substantial notification about the Ninja.Gaiver threat: Manual removal of Ninja.Gaiver requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Ninja.Gaiver files and objects
2.Find malicious files created by Ninja.Gaiver on your PC
3.Fix registry entries created by Ninja.Gaiver on your PC

Automatically remove Ninja.Gaiver by downloading an advanced anti-malware program

1. Remove Ninja.Gaiver with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Ninja.Gaiver in the future
3. Restore files encrypted by Ninja.Gaiver
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.