Ransom virus which contains the e-mail address [email protected] is believed to be a part of a large ransomware family, known as the Xtbl variants. This is an extremely dangerous ransomware, since, at this point, there is no relevant decrypter for the files encoded by the virus. The ransomware, known as Okean-1955 is also reported to focus primarily on hitting enterprises, mainly SQL Server databases. One infected user has reported at Emsisoft forums to see an infection of an SQL server database and Okean-1955 encoded data of over 10000 customers, 15 branches and three years’ worth of information. Not only this, but the virus destroys backup, according to reports. All users who have had their systems infected with this ransomware virus, are strongly advised not to contact the e-mail address and not to cope with the terms of meeting the deadline of 24 hours given by the crooks. Instead, we strongly advise to read this article below and explore your options regarding removing this Xtbl variant and attempting to restore your files.
|Short Description||Okean-1955 encrypts files with a strong cipher and leaves a ransom note asking to contact the cyber-criminals’ e-mail for further payoff instructions in return for the files.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a HOW TO DECRYPT FILES.txt file.|
|Distribution Method||Spam Emails, Email Attachments, Social Media/td>|
|Detection Tool|| See If Your System Has Been Affected by Okean-1955 |
Malware Removal Tool
|User Experience||Join our forum to Discuss Okean-1955 Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Okean-1955 Ransomware – How Does It Replicate
Okean-1955 Ransomware – More Information
The payload which has been dropped by Okean-1955 may be located in the following key Windows folders:
The files may be more than one and they are usually of the following types:
Usually, cyber-criminals either give the malicious files random names of A-Z 0-9 symbols or they mask them to resemble a legitimate process of Windows or a program installed on the computer, like “svchost.exe” for example which is a legitimate Windows process and stays in Task Manager at all times.
The Okean-1955 ransomware may also heavily modify the Windows Registry Editor, making it run on system startup and encrypt the files of the compromised compute. Simlar to other XTBL variants, Okean-1955 may seek and encrypt the following file types:
So far it is unknown what type of encryption Okean-1955 specifically uses, but we can say for sure that the XTBL variants include various options for choice of encryption mechanisms to add. With other XTBL ransomware viruses, like Crysis Ransomware, it has been seen that the following mechanisms for encoding data were used:
AES Cipher – Advanced Encryption Standard
It is utilized primarily by the government agencies, such as the NSA, which classify it in the Suite.B category, used to encrypt “eyes only” types of files. The direct decoding by AES ciphered files may take unimaginably long time even if performed by a powerful machine.
RSA Cipher – Rivest-Shamir-Adleman
Encoding by this cipher is very similar in decryption possibility with the AES cipher, and this is why it is in the same category. It uses a unique decryption key and in this particular case, it may have been used to encrypt the actual decryption key, automatically generated for the AES encrypted files.
CBC Mode – Cipher Block Chaining
Here is where the situation becomes critical and serious. Whereas the encryption algorithms simply scramble the files’ code, this mode is like a defensive mechanism against users who try to descramble those files. This “mode” uses the so-called “blocks” of encrypted code and uses Initialization Vector to separate and strengthen those blocks of ciphered code. These combined with a chaining mechanism which breaks the file if you try to decrypt it permanently are the perfect insurance to the cyber-criminals that you will pay the ransom.
Not only this but to create additional mess, Okean-1955, may delete the Shadow Volume Copies of the infected machine by executing the following command via a malicious script with Escalated privileges:
After encryption of the files, Okean-1955 adds custom identification symbols, the .okean file extension and of course, the typical .xtbl extension in the end. Here is how an encrypted file looks like:
The ransomware is then reported to leave the following ransom note behind in a HOW TO DECRYPT FILES.txt:
Okean-1955 Ransomware – Conclusion, File Restoration, and Removal
The bottom line is that this is yet another ransomware variant from a very popular ransomware family that has done quite the damage to organizations as well as home users globally. Other viruses like it include the Redshitline Ransomware, Crysis XTBL Ransomware, Ecovector Ransomware, Troldesh Ransomware, DataStorm Ransomware and others. This strongly suggests that to be widespread on this level, this virus must be sold on the underground web markets of the deep web or other places as well. Whatever the case may be, we strongly advise against paying any form of ransom money to cyber-criminals, because you support their organization by making it richer, and a free decrypter may be released sooner than expected.
To remove Okean-1955, we strongly advise you to follow the instructions which we have posted after this article. They are methodologically arranged to contribute to the effective removal process of this crypto-virus.
To try and restore your files, we urge you not to attempt direct decryption and not to use other decryptors, unless researchers provide a working one. Instead, you may want to try and use alternative methods, like the ones mentioned below in step “3. Restore files encrypted by Okean-1955”.