Remove Okean-1955 Ransomware and Restore .Xtbl Encrypted Files

The ransom virus using the e-mail address [email protected] is believed to be part of a large ransomware family known as the Xtbl variants. It is an extremely dangerous ransomware because, at this point, there is no working decrypter for the files it encodes. The ransomware, known as Okean-1955, is also reported to focus primarily on enterprises, mainly SQL Server databases. One infected user reported on the Emsisoft forums an infection of an SQL Server database in which Okean-1955 encoded the data of over 10000 customers, 15 branches and three years’ worth of information. On top of that, the virus destroys backups, according to reports. All users whose systems have been infected with this ransomware are strongly advised not to contact the e-mail address and not to comply with the 24-hour deadline set by the crooks. Instead, we strongly advise reading the article below and exploring your options for removing this Xtbl variant and attempting to restore your files.

Threat Summary

Name: Okean-1955
Type: Ransomware
Short Description: Okean-1955 encrypts files with a strong cipher and leaves a ransom note asking you to contact the cyber-criminals’ e-mail for further payoff instructions in return for the files.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a HOW TO DECRYPT FILES.txt file.
Distribution Method: Spam Emails, Email Attachments, Social Media
Detection Tool: See If Your System Has Been Affected by Okean-1955 (Download Malware Removal Tool)
User Experience: Join our forum to Discuss Okean-1955 Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Okean-1955 Ransomware – How Does It Replicate

To spread across computers and SQL servers and infect them, Okean-1955 may use advanced techniques to bypass protection. One of these is obfuscation of the malicious executable, which can conceal it from any real-time shields running locally on the affected machine once it has been activated. In addition, Okean-1955 Ransomware may spread via malicious web links. Such links may come up clean when checked for viruses, yet redirect to malicious pages that infect users via an exploit kit, drive-by downloads or malicious JavaScript. E-mails sent out by cyber-criminals may take different forms, resembling legitimate organizations; for example, this fake spam e-mail pretends to be a person adding you to their LinkedIn circles:

[Image: fake LinkedIn invitation spam e-mail]

Okean-1955 Ransomware – More Information

The payload which has been dropped by Okean-1955 may be located in the following key Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Windows%
  • %System%
  • %System32%
  • %Temp%

There may be more than one file, and they are usually of the following types:

.exe, .dll, .tmp, .vbs, .bat, .cmd

Usually, cyber-criminals either give the malicious files random names made of A-Z and 0-9 characters or mask them to resemble a legitimate Windows process or a program installed on the computer, for example “svchost.exe”, a legitimate Windows process that is present in Task Manager at all times.
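The two naming tricks just described (a Windows system binary name dropped outside its home folder, and a random alphanumeric name in one of the staging folders listed above) can be checked mechanically during triage. The following Python is an added example, not code from the article or from any sample; the file paths are constructed, the "random-looking" heuristic is an assumption of this example, and svchost.exe is the only system binary listed because it is the one the article names:

```python
"""Added example, not code from the article: triage a list of file paths
for a Windows system binary name outside its home folder and for random
alphanumeric names in the staging folders.  Paths are constructed."""
import ntpath

# Extensions the article says the dropped payload usually has.
PAYLOAD_EXTS = {".exe", ".dll", ".tmp", ".vbs", ".bat", ".cmd"}

# Windows binaries worth checking and the only folders in which the genuine
# copy lives; svchost.exe is the article's example, extend the table as needed.
SYSTEM_BINARIES = {
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
}

# Lower-case folder fragments covering %AppData%, %Local%, %LocalLow% and
# the user and system %Temp% locations listed in the article.
STAGING_FRAGMENTS = ("\\appdata\\roaming", "\\appdata\\local", "\\temp")


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): six or more characters,
    only letters and digits, and a mix of both."""
    return (len(stem) >= 6 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def classify(path: str):
    """Return a reason string if the path matches an indicator, else None."""
    folder, name = ntpath.split(path)
    folder, name = folder.lower(), name.lower()
    stem, ext = ntpath.splitext(name)
    if ext not in PAYLOAD_EXTS:
        return None
    homes = SYSTEM_BINARIES.get(name)
    if homes is not None and folder not in homes:
        return "system binary name outside its home folder"
    if any(frag in folder for frag in STAGING_FRAGMENTS) and looks_random(stem):
        return "random-looking name in a staging folder"
    return None


def triage(paths):
    """Pair every suspicious path with the reason it was flagged."""
    hits = []
    for path in paths:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed inventory; exactly three entries should be flagged.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",                   # genuine
    r"C:\Users\dbadmin\AppData\Roaming\svchost.exe",      # masquerade
    r"C:\Users\dbadmin\AppData\Local\Temp\a8f3k2m9.exe",  # random name
    r"C:\Windows\Temp\x7q2pz9.cmd",                       # random name
    r"C:\Program Files\7-Zip\7z.exe",                     # legitimate, short stem
    r"C:\Users\dbadmin\AppData\Roaming\notes.txt",        # not a payload type
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

On a live machine the input list would come from a directory walk of the folders above; the classifier stays the same. The random-name heuristic will produce false positives on legitimate installers with hashed names, so treat its hits as candidates for a hash lookup rather than verdicts.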

The Okean-1955 ransomware may also heavily modify the Windows Registry, making itself run on system startup and encrypt the files of the compromised computer. Similar to other XTBL variants, Okean-1955 may seek and encrypt the following file types:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” (Source: fileinfo.com)

So far it is unknown which encryption Okean-1955 specifically uses, but the XTBL variants are known to offer a choice of encryption mechanisms. With other XTBL ransomware viruses, like Crysis Ransomware, the following mechanisms for encoding data have been seen:

AES Cipher – Advanced Encryption Standard

It is used by government agencies such as the NSA, which places it in the Suite B category of algorithms approved for classified (“eyes only”) information. Recovering AES-encrypted files without the key may take an unimaginably long time even on a powerful machine.

RSA Cipher – Rivest-Shamir-Adleman

In terms of how hard it is to break, this cipher is in the same category as AES. Unlike AES, it works with a key pair: data encrypted with the public key can only be decrypted with the matching private key. In this particular case it may have been used to encrypt the AES decryption key that was automatically generated for the encrypted files, so that only the holder of the private key can recover it.

CBC Mode – Cipher Block Chaining

Here is where the situation becomes critical and serious. Whereas the encryption algorithm scrambles the file contents, this mode is what makes the scrambled output hard to unpick. The file is processed in “blocks”; an Initialization Vector is combined with the first block before encryption, and every following block is chained to the ciphertext of the block before it, so identical pieces of a file never encrypt to identical output. Attempting to decrypt with the wrong key therefore yields only garbage rather than the original file, which is the cyber-criminals’ insurance that you will pay the ransom.
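The three pieces above fit together in one scheme: a symmetric key encrypts the file contents in CBC mode with an IV, and the public half of an RSA key pair encrypts (wraps) that symmetric key so only the private-key holder can ever recover it. The following Python is an added illustration, not code from the article or from any XTBL sample: an 8-byte toy block cipher stands in for AES and the RSA primes are tiny demo values, so nothing here is secure; the point is to show why the victim's disk ends up holding nothing that decrypts the data, and how chaining makes repeated plaintext blocks encrypt differently.

```python
"""Added illustration, not code from the article or from any XTBL sample:
a per-file symmetric key in CBC mode plus an RSA-wrapped copy of that key.
The toy block cipher and the tiny RSA primes are deliberately insecure;
only the shape of the operations is meaningful."""

BLOCK = 8  # toy block size in bytes (AES uses 16)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function: XOR with the key, rotate bytes."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the input is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding: wrong key or damaged ciphertext")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher Block Chaining: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first) before the block cipher runs."""
    prev, out = iv, []
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cbc_encrypt; returns the still-padded bytes so that a wrong
    key shows up as garbage rather than an exception."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(toy_block_decrypt(key, c), prev)))
        prev = c
    return b"".join(out)


def rsa_keygen():
    """Textbook RSA with fixed demo primes (real keys use 2048-bit moduli)."""
    p, q, e = 61, 53, 17                  # constructed demo values
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                   # private exponent (Python 3.8+)
    return (e, n), (d, n)


def rsa_wrap(public_key, key: bytes):
    """Encrypt the symmetric key byte by byte with the public key
    (unpadded textbook RSA, for illustration only)."""
    e, n = public_key
    return [pow(b, e, n) for b in key]


def rsa_unwrap(private_key, wrapped) -> bytes:
    d, n = private_key
    return bytes(pow(c, d, n) for c in wrapped)


# Constructed demo values; a real sample would draw these at random.
FILE_KEY = bytes(range(8))
IV = b"\x10" * BLOCK
PLAINTEXT = b"ABCDEFGH" * 3            # three identical blocks on purpose


def encrypt_file(public_key, plaintext: bytes):
    """What ends up on the victim's disk: ciphertext, IV and the wrapped key.
    The plain symmetric key is discarded; only the private key recovers it."""
    ciphertext = cbc_encrypt(FILE_KEY, IV, plaintext)
    return ciphertext, IV, rsa_wrap(public_key, FILE_KEY)


def ciphertext_blocks(ciphertext: bytes):
    return [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]


def recover(private_key, ciphertext, iv, wrapped) -> bytes:
    """The decrypter the criminals sell: unwrap the key, then undo CBC."""
    return unpad(cbc_decrypt(rsa_unwrap(private_key, wrapped), iv, ciphertext))


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    ct, iv, wrapped = encrypt_file(pub, PLAINTEXT)
    print("distinct ciphertext blocks:", len(set(ciphertext_blocks(ct))))
    print("recovered:", recover(priv, ct, iv, wrapped))
    print("wrong key differs:", cbc_decrypt(b"\x00" * 8, iv, ct) != pad(PLAINTEXT))
```

Two things to observe when running it: the three identical plaintext blocks come out as three different ciphertext blocks because of the chaining, and everything needed for recovery except the RSA private key is present on disk, which is exactly why a decrypter cannot be built from the infected machine alone.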

Not only this, but to create additional mess, Okean-1955 may delete the Shadow Volume Copies of the infected machine by executing the following command via a malicious script with elevated privileges:

vssadmin delete shadows /for={VOLUME OF THE PC} /all /quiet
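Because this command is the step that destroys the built-in restore points, it is a high-value detection for defenders. The following Python is an added example, not code from the article: it flags shadow-copy deletions in process-creation records written in a constructed "time | user | image | command line" layout, with the article's {VOLUME OF THE PC} placeholder written as C: in the sample and a cmd.exe-wrapped and a differently cased variant included so the matcher is not tied to one exact string.

```python
"""Added example, not code from the article: detect the shadow-copy deletion
described above in process-creation records.  The records below are
constructed; the layout is 'time | user | image | command line'."""

# Constructed records.  Line 2 wraps the article's command in cmd.exe,
# line 3 changes the case and drops /for; lines 1 and 4 are harmless.
SAMPLE_LOG = """\
2016-08-12T10:15:01 | CORP\\backupsvc | C:\\Windows\\System32\\vssadmin.exe | vssadmin list shadows
2016-08-12T10:16:44 | CORP\\dbadmin | C:\\Windows\\System32\\cmd.exe | cmd.exe /c vssadmin delete shadows /for=C: /all /quiet
2016-08-12T10:17:02 | CORP\\dbadmin | C:\\Windows\\System32\\vssadmin.exe | VSSADMIN.EXE Delete Shadows /All /Quiet
2016-08-12T10:18:30 | CORP\\dbadmin | C:\\Windows\\System32\\vssadmin.exe | vssadmin list writers
"""


def is_shadow_deletion(cmdline: str) -> bool:
    """True when vssadmin is invoked anywhere in the command line with the
    'delete shadows' verb, regardless of case, quoting or path prefix."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    for i, tok in enumerate(tokens):
        exe = tok.rsplit("\\", 1)[-1]
        if exe in ("vssadmin", "vssadmin.exe"):
            rest = tokens[i + 1:]
            return "delete" in rest and "shadows" in rest
    return False


def find_shadow_deletions(log_text: str):
    """Parse the constructed layout and return the matching records."""
    hits = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4:
            continue
        time, user, image, cmdline = parts
        if is_shadow_deletion(cmdline):
            hits.append({"time": time, "user": user,
                         "image": image, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} ran: {hit['cmdline']}")
```

The matcher keys on the verb rather than on the exact command text, so the harmless `vssadmin list shadows` inventory run by a backup account is not flagged while the elevated deletion is. In a real environment the same function runs over Sysmon or Windows Security process-creation events, and an alert on it is worth treating as an active encryption in progress rather than a curiosity.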

After encrypting the files, Okean-1955 appends custom identification symbols, the .okean extension and, of course, the typical .xtbl extension at the end. Here is what an encrypted file name looks like:

A [email protected]

The ransomware is then reported to leave the following bilingual ransom note behind in HOW TO DECRYPT FILES.txt (the Russian part is given here in English):

“All your files are encrypted!!!!
for decryption contact the e-mail [email protected]
you have 24 hours. after 24 hours decryption becomes more difficult.
All your files are encrypted!!!!
decryption handle mail [email protected]
you have 24 hours. after 24 hours to make decryption difficult.”

Okean-1955 Ransomware – Conclusion, File Restoration, and Removal

The bottom line is that this is yet another variant from a very widespread ransomware family that has done considerable damage to organizations and home users globally. Other viruses like it include the Redshitline Ransomware, Crysis XTBL Ransomware, Ecovector Ransomware, Troldesh Ransomware, DataStorm Ransomware and others. This strongly suggests that, to be spread on this scale, the virus must be sold on underground markets of the deep web or elsewhere. Whatever the case may be, we strongly advise against paying any ransom to cyber-criminals, because doing so funds their organization, and a free decrypter may be released sooner than expected.

To remove Okean-1955, we strongly advise you to follow the instructions posted after this article. They are arranged step by step to make the removal of this crypto-virus effective.

To try to restore your files, we urge you not to attempt direct decryption and not to use other decryptors unless researchers provide a working one. Instead, you may want to try alternative methods, like the ones mentioned below in step “3. Restore files encrypted by Okean-1955”.

Manually delete Okean-1955 from your computer

Note! Important information about the Okean-1955 threat: manual removal of Okean-1955 requires editing system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Okean-1955 files and objects
2. Find malicious files created by Okean-1955 on your PC
3. Fix registry entries created by Okean-1955 on your PC

Automatically remove Okean-1955 by downloading an advanced anti-malware program

1. Remove Okean-1955 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Okean-1955 in the future
3. Restore files encrypted by Okean-1955
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
