This article explains how to remove the [email protected] virus, a threat that is usually encountered via email messages.
The [email protected] virus is the newest strain of the Xorist ransomware family. Like previous strains it modifies the target operating system in various ways. Its ransomware engine appends the .PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only extension to the victim's files. Refer to our in-depth instructions below for more information about it.
| Type | Scam / Malware |
|---|---|
| Short Description | Silently infects the victim's computer and modifies the operating system. |
| Symptoms | The victim's personal data is encrypted and receives the .PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only extension. |
| Distribution Method | Via e-mail messages that imitate well-known companies. |
[email protected] virus – Overview
The [email protected] virus is distributed using the most common tactics. The most popular one is email spam that relies on social engineering to pressure the victims into interacting with the virus element. The virus files are either attached directly or hyperlinked in the message body. These messages also serve as the main delivery mechanism for infected payloads, of which two types are the most common:
- Infected Software Applications — The hackers take the legitimate installers of popular software and modify them to include the virus code. Popular targets are system utilities, creativity suites and productivity software. The criminals take the legitimate copies from the official vendor sites, create the virus-carrying copies and then distribute them on hacker-controlled sites or attach and/or hyperlink them in the emails.
- Infected Documents — In a similar way the criminals can embed the virus code in documents of different types: text documents, presentations or spreadsheets. As soon as the victim opens one of them, a notification prompt asks them to enable the built-in macros (scripts). If this is done the virus infection follows.
The hackers may also create counterfeit download portals that use text and graphics taken from the official web sites. The same or very similar templates, as well as look-alike domain names, are used in order to fool the victims. In the last few years virus strains have also been distributed widely via file sharing networks such as BitTorrent.
The [email protected] virus can also be distributed via browser hijackers: malicious browser extensions made available for the most popular browsers (Mozilla Firefox, Safari, Opera, Google Chrome, Microsoft Edge and Internet Explorer). They are advertised on the relevant extension repositories using fake developer credentials and user reviews.
[email protected] virus — Impact and Encryption
The code analysis of the [email protected] virus shows that it is based on the Xorist ransomware family. The reports indicate that the virus was compiled in March 2018; the fact that the attacks were only recently executed suggests that the hackers behind the campaign may have been in the process of target selection.
Other email addresses that the hackers use to label Xorist strains are the following:
Like previous Xorist ransomware samples, it uses a modular malicious engine that can be customized for each attack campaign.
A typical behavior pattern starts with a data harvesting module that collects sensitive data about the victims and their machines. The collected data can then be passed to another module, known as stealth protection, which scans the infected computer for security software that could interfere with the virus's correct execution and bypasses the relevant anti-virus programs, sandbox environments or debuggers.
When configured to do so, the [email protected] virus is able to modify the Windows Registry. Depending on the hacker's instructions it can modify both entries of user-installed applications and entries belonging to the operating system itself. Modified application values can cause certain functions to fail to launch; when operating-system entries are affected, overall system performance can suffer.
Advanced versions can also establish a secure connection to a preset hacker-controlled server, which is used to set up a Trojan instance. The Trojan is used to remotely control the infected machine and spy on the victims in real time; it can also be used to deploy additional threats.
Some variants of the [email protected] virus can be programmed to delete the Shadow Volume Copies of sensitive data, which makes data recovery with the regular manual methods very difficult.
Ransomware like the [email protected] virus can be particularly dangerous because it can be modified into all kinds of sub-strains. Just as the Xorist ransomware family has been responsible for a number of virus releases, this particular version can be used to create offspring threats.
Once all preset components have executed correctly, the virus starts its built-in ransomware engine. Like previous Xorist ransomware versions it uses a built-in list of target file types that are processed with a strong cipher algorithm. The end goal is to make sensitive user data inaccessible to the victims. An example list can include the following files:
Once the victim's data has been encrypted, each file receives the long extension .PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only. The accompanying ransom note is created in a file called HOW TO DECRYPT FILES.txt, which reads the following:
YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
DON’T WORRY YOUR FILES ARE SAFE. TO RETURN ALL TO NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.
YOU CAN GET THEM VIA ATM MACHINE OR ONLINE
hxxps://coinatmradar[.]com (find a ATM)
hxxps://www.localbitcoins[.]com (buy instantly online any country)
THE PRICE FOR DECRYPTOR SOFTWARE IS 0.8 BTC BTC ADRESS : [34 random characters] (where you need to make the payment)
VERRY IMPORTANT ! DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA .
ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED. THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE.
For more information : repair_dataMscryptmail.com (24/7)
Subject : SYSTEM-LOCKED-ID: [random number]
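The two artifacts described above (the appended extension and the HOW TO DECRYPT FILES.txt note) are enough for a responder to confirm a hit and inventory the affected files. The following triage script is an added example, not code from the article or from the Xorist sample: it walks a directory tree (for instance a read-only mounted victim volume), lists the files carrying the extension, recovers their original names by stripping it, counts the hit file types and records where the note was dropped. The extension and note file name are taken from the text; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from typing import Dict, List

# Strings as given in the article; the exact note file name is assumed from the text.
XORIST_EXT = (".PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED"
              "_PLEASE_BE_REZONABLE_you_have_only")
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"


def triage_tree(root: str) -> Dict[str, object]:
    """Walk a tree (e.g. a read-only mounted victim volume) and report the
    appended-extension files, their recovered original names, a count per
    original file type, and every directory holding the ransom note."""
    encrypted: List[str] = []
    originals: List[str] = []
    note_dirs: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif name.endswith(XORIST_EXT):
                encrypted.append(os.path.join(dirpath, name))
                # The engine only appends its marker; stripping it yields the original name.
                originals.append(name[: -len(XORIST_EXT)])
    by_type = Counter(os.path.splitext(n)[1].lower() or "(none)" for n in originals)
    return {"infected": bool(encrypted or note_dirs), "encrypted": sorted(encrypted),
            "original_names": sorted(originals), "by_type": dict(by_type),
            "note_dirs": sorted(note_dirs)}


def build_sample_tree() -> str:
    """Constructed sample in a temp dir imitating a hit profile (not real victim data)."""
    root = tempfile.mkdtemp(prefix="xorist_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for fname in ("report.docx" + XORIST_EXT, "budget.xlsx" + XORIST_EXT,
                  "photo.jpg" + XORIST_EXT, "untouched.txt"):
        with open(os.path.join(docs, fname), "wb") as fh:
            fh.write(b"\x00opaque bytes\x00")  # stand-in for ciphertext
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print("infected:", report["infected"], "| hit file types:", report["by_type"])
    print("original names:", ", ".join(report["original_names"]))
```

Run it against a mounted image root instead of the sample tree to get the real inventory; the recovered original names are what you match against backups when restoring.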
An interesting detail is that the latest threats associated with the Xorist ransomware family use BitMessage accounts and anonymous email hosting services in order to contact the victims. Some of the detection signatures that refer to the [email protected] virus are the following:
- Trojan ( 005338861 )
- a variant of Win32/Kryptik.GHKK
Remove [email protected] virus from Your Computer
In order to make sure that the [email protected] virus is fully gone from your computer, we recommend that you follow the removal instructions underneath this article. They are divided into manual and automatic removal guides so that you can delete this threat based on your malware removal experience. If you are not confident in performing the manual removal, we recommend removing this malware, or checking whether it has infected your computer, automatically by downloading an advanced anti-malware program and scanning your computer with it. Such software will make sure that your PC is fully secured and that your passwords and data remain safe in the future.