A ransomware virus named Ransomcuck, which closely resembles TeslaCrypt and Locky, has been reported to lock affected users' files using the AES and RSA encryption algorithms. The virus appends the .ransomcuck and .cuck file extensions after it encrypts the files on an infected computer. It then leaves several ransom notes; users who have fallen victim to this virus are strongly advised not to pay any money requested by the cyber-criminals in those notes. Since this is a very devastating threat, we strongly advise removing it and trying to recover encrypted files using the alternative methods in this article until an actual decryptor is released.
|Summary|Details|
|---|---|
|Short Description|The ransomware seeks to encrypt files that are often used. You are given a deadline to pay, after which the price rises.|
|Symptoms|The ransomware encrypts files, changing their extensions to .cuck or .ransomcuck. After that it shows a ransom note as your desktop background and in a pop-up window on your desktop.|
|Distribution Method|Spam e-mails, file-sharing networks, executable files|
|Detection Tool|Malware removal tool (check whether your system has been affected by Ransomcuck)|
|Data Recovery Tool|Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, only a few of them, depending on the situation and whether or not you have reformatted your drive.|
Ransomcuck Virus – How Does It Infect
To conduct an attack, the malicious Ransomcuck payload needs to be dropped on the targeted computer. This can happen in two main ways: via a malicious file disguised to trick users into opening it, or via a malicious URL that may trigger an automatic download and execution on the victim's PC.
In either case, the virus may be spread via spam e-mail messages that contain the URLs or the malicious attachments. Once such messages have been sent out massively to a pre-programmed list of e-mail addresses, their content may vary. For example, one spam message may claim that the user has paid for an order and provide an "Invoice", which is actually the malicious file. Other messages may say the user has been added as a friend on Facebook, with a fake "See More" button that, instead of leading to Facebook, takes the user to a malicious web link that causes the infection.
Ransomcuck Ransomware In Detail
Once Ransomcuck has been executed on your computer, it may directly drop and execute its files without asking for permission and without you noticing. There may be more than one malicious file, not just a single .exe, and they may be located in the following key Windows folders:
The malicious files of Ransomcuck may carry different names, for example:
Once the Ransomcuck virus is on your computer, it may also modify the Run and RunOnce registry keys, creating string values that point to the location of the file encryptor and the ransom notes, so that they are executed every time Windows starts.
After the primary encryption module of the Ransomcuck malware infection has been executed, the virus may look for a variety of file types to encrypt. It looks primarily for files that are important and often used, such as:
- Audio files.
- Video files.
- Files associated with often-used programs, such as Photoshop.
The Ransomcuck virus is careful in its actions: it skips important Windows folders and does not encrypt the files in them, because doing so could damage the operating system (and a machine that no longer boots cannot display the ransom note or pay).
To mark the files of its victims, the Ransomcuck virus appends the .cuck or .ransomcuck extension to the original file name. Files encrypted by this ransomware look like the following and cannot be opened by any software:
This is because the Ransomcuck virus uses two of the strongest encryption algorithms available to scramble the contents of the files: AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman). AES is used for one purpose only, to encrypt the files themselves with a generated key, which is also the key needed to decrypt them. That AES key is then encrypted with the attackers' RSA public key, and the result is sent over TCP or UDP traffic to the cyber-criminals' servers. Only the holder of the matching RSA private key can recover the AES key, which makes the criminals the only ones able to decrypt the files.
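As an added illustration (not code from the article and not the malware's own code), the Go program below models the hybrid scheme just described using only the standard library: a fresh 256-bit AES key per file, the file body sealed with AES-GCM, and that key wrapped with RSA-OAEP under the attacker's public key. The attacker key pair, the sample file contents and the specific choice of GCM and OAEP modes are assumptions for the demo; the article only states that AES and RSA are used. Whether the wrapped key is sent to the criminals' server or left beside the file does not change the conclusion: the victim's disk never holds the plaintext AES key, so nothing on it can unlock the file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models what hybrid-encryption ransomware leaves behind for
// one file: the AES-GCM ciphertext, its nonce, and the per-file AES key
// wrapped with the attacker's RSA public key. The plaintext AES key is never
// written anywhere, so the victim holds nothing that can unwrap it.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptFile generates a random 256-bit AES key, encrypts the file body with
// AES-GCM, and wraps the key with RSA-OAEP under attackerPub.
func EncryptFile(plain []byte, attackerPub *rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, nil)

	// Only the RSA-wrapped copy of fileKey survives; the raw key goes out of scope.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptFile is what the criminals' decryptor does after payment: unwrap the
// per-file key with the RSA private key, then open the AES-GCM ciphertext.
// With any other private key, DecryptOAEP fails and the file stays locked.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	// Constructed demo: the attacker's key pair (only the public half would be
	// embedded in the malware), a bystander's key pair, and a sample file.
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	someoneElse, _ := rsa.GenerateKey(rand.Reader, 2048)
	plain := []byte("quarterly-report.docx contents (constructed sample)")

	ef, err := EncryptFile(plain, &attacker.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes\n", len(ef.Ciphertext), len(ef.WrappedKey))

	if _, err := DecryptFile(ef, someoneElse); err != nil {
		fmt.Println("wrong private key:", err)
	}
	got, err := DecryptFile(ef, attacker)
	if err != nil {
		panic(err)
	}
	fmt.Println("with attacker's private key:", string(got))
}
```

The point for responders: a "decryptor" for a correctly implemented scheme of this kind is nothing more than the attacker's RSA private key plus the code in DecryptFile. Free decryptors appear only when the malware author leaks or loses that key, or when the implementation is flawed (a predictable AES key, a key left in memory or on disk), which is why the article's advice to keep the encrypted files and wait is sound.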
After encryption, this virus leaves two files behind on the %Desktop%:
- How_to_Recover_ Files.html
- How_to_Recover_ Files.txt
The files are reported to contain the following ransom note:
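As an added triage example (not from the article), the Go program below walks a directory tree and reports the indicators the article lists: files carrying the .cuck or .ransomcuck extension and the two ransom-note names dropped on the desktop. It also measures the Shannon entropy of every flagged file, because a file that was really AES-encrypted has close to 8 bits of entropy per byte, whereas a file that merely had the extension appended does not; this separates genuine encryption from renamed or decoy files before you spend time on recovery. The directory layout and sample files are constructed for the demo, and the 7.0 bits/byte threshold and the whitespace-insensitive matching of the note names are assumptions.

```go
package main

import (
	"crypto/rand"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"strings"
)

// Indicators from the article: extensions appended to encrypted files and the
// two ransom-note names (compared lower-cased with all whitespace removed).
var encryptedExts = map[string]bool{".cuck": true, ".ransomcuck": true}
var ransomNotes = map[string]bool{
	"how_to_recover_files.html": true,
	"how_to_recover_files.txt":  true,
}

// Report summarises one scan.
type Report struct {
	EncryptedFiles []string // paths carrying a Ransomcuck extension
	HighEntropy    int      // how many of those look like real ciphertext
	RansomNotes    []string // ransom-note paths found
}

// shannonEntropy returns bits of entropy per byte (0..8). AES output sits
// close to 8; text and most office documents sit well below 6.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// normaliseName lower-cases a file name and strips all whitespace.
func normaliseName(name string) string {
	return strings.ToLower(strings.Join(strings.Fields(name), ""))
}

// Scan walks root and collects Ransomcuck indicators. The 7.0 bits/byte
// threshold is an assumption chosen to separate ciphertext from renamed files.
func Scan(root string) (Report, error) {
	var r Report
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		if ransomNotes[normaliseName(d.Name())] {
			r.RansomNotes = append(r.RansomNotes, path)
			return nil
		}
		if !encryptedExts[strings.ToLower(filepath.Ext(d.Name()))] {
			return nil
		}
		r.EncryptedFiles = append(r.EncryptedFiles, path)
		data, rerr := os.ReadFile(path)
		if rerr != nil {
			return rerr
		}
		if shannonEntropy(data) > 7.0 {
			r.HighEntropy++
		}
		return nil
	})
	return r, err
}

// BuildSampleTree writes a constructed victim profile under dir: two ransom
// notes on the desktop, two genuinely encrypted (random-byte) files, one file
// that only had the extension appended, and one untouched file.
func BuildSampleTree(dir string) error {
	random := make([]byte, 4096)
	if _, err := rand.Read(random); err != nil {
		return err
	}
	text := []byte(strings.Repeat("Quarterly figures, see attached sheet.\n", 100))
	files := map[string][]byte{
		"Desktop/How_to_Recover_ Files.html": []byte("<p>your files are encrypted</p>"),
		"Desktop/How_to_Recover_ Files.txt":  []byte("your files are encrypted"),
		"Documents/report.docx.cuck":         random,
		"Pictures/holiday.jpg.ransomcuck":    random,
		"Documents/renamed-only.cuck":        text,
		"Documents/untouched.txt":            text,
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, body, 0o644); err != nil {
			return err
		}
	}
	return nil
}
```

On the constructed tree, Scan reports three files with Ransomcuck extensions, of which two are high-entropy, plus two ransom notes; the renamed-only .cuck file is flagged by extension but fails the entropy check, which is exactly the case worth inspecting by hand rather than treating as lost. Point Scan at a user profile (not the Windows system folders, which the article notes are skipped) to get the same summary for a real machine.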
Ransomcuck Virus – Conclusion, Removal, and File Restoration Alternatives
Malware researchers believe that this virus was created by the same coder who was behind the DetoxCrypto virus. Since researchers are constantly working on and looking out for a free decryption method, it is NOT advisable to pay any ransom money to the criminals behind this virus. Instead, we advise you to remove it using the instructions below and to try alternative methods to recover your files. Bear in mind that, for maximum effectiveness while removing Ransomcuck, experts recommend using an advanced anti-malware program. Some alternative techniques can be found in step "3. Restore files encrypted by Ransomcuck" below. These temporary solutions may not be as effective as the actual decryption key, but they are a reasonable option while you wait for a free decryptor to be released. We suggest checking this article often, since we will update it as soon as a free decryptor becomes available.