SmartRansom is a ransomware virus whose ransom note embeds a QR code, so that the BitCoin payoff can be paid by scanning the code with a phone running a BitCoin wallet app. The virus was detected at the end of May 2017 and has been reported to spread only among Chinese users, but this does not mean that it cannot spread all over the globe. In case your computer has been infected by the SmartRansom Chinese virus, we strongly advise you to read this article.
Short Description: The ransomware encrypts the files on the infected computer without adding anything to them. It demands that the victim scan a QR code to pay the ransom (BitCoin payoff) and get the files back.
Symptoms: SmartRansom, also known as Chinese ransomware, displays a picture of a Chinese photo model and then replaces it with the ransom note containing the QR code and instructions.
Distribution Method: Spam e-mails, e-mail attachments, executable files.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only some of them, depending on the situation and on whether or not you have reformatted your drive.
SmartRansom Virus – Distribution Methods
SmartRansom virus is the type of malware that may be spread via malicious e-mail spam, also known as malspam. Such e-mail messages aim to trick the victim into opening an attachment, which is usually an archive (.zip, .rar, etc.). The e-mails portray the attachment as an invoice, letter of confirmation or other document that “must be opened immediately”.
In addition to infecting victims using this strategy, the SmartRansom ransomware may also infect a certain computer by taking advantage of fake installers, web injectors from malicious web links sent online and fake updates.
SmartRansom – Analysis
As soon as the infection with this ransomware virus occurs, multiple types of files are dropped on the victim’s computer. These files include the malicious executable of the virus, named SmartRansom.exe, as detected by Payload Security below:
This file reads information from the infected computer, such as its name and GUID, and then contacts the following two hosts via TCP port 80:
The executable also imports numerous .dll files spread across different Windows locations. These are used to create registry entries in sub-keys such as the Run and RunOnce keys, which lets the virus start alongside the Windows boot process. If those entries are created, you can find them in the following sub-keys:
In addition to this activity, the ransomware extracts an image and sets it as a lock-screen image. The image, named AArI.jpg, carries the ransom note written in Chinese and can be dismissed with the key combination Alt+F4:
Would you like to know who I am?
I am answering: your daddy.
I have enciphered your important computer files.
You want to know how to get them back?
Scan the 2D code from your screen and pay me.
I will then send you the tool for decryption.
Do not forget to write down the key from the upper part of the screen in order for me to help you decrypt this.
SmartRansom Encryption Process
The encryption process of SmartRansom targets specific types of files and renders them unable to be opened. Researchers report these file types to be the following:
→ .au3, .BMP, .CUR, .doc, .docx, .GIF, .ICO, .JPG, .MID, .MIDI, .pdf, .PNG, .ppt, .pptx, .prn, .psd, .rar, .txt, .WAV, .xls, .xlsx, .zip
After SmartRansom has encoded the files, it does not append any file extension or marker to them that would show they have been encrypted.
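Because no extension or marker is left behind, a responder has to infer which files were hit from their content. The Python script below is an added example (not code from the article or from any SmartRansom analysis): for every extension in the list above it compares the file header with the magic bytes that extension implies and, where they disagree, checks whether the content is random enough to be ciphertext. The magic table, the 7.0-bit entropy threshold and the sample files are assumptions constructed for illustration.

```python
"""Spot files a marker-less ransomware (SmartRansom leaves no extension or tag)
may have encrypted: does the header still match the extension, and is the content
as random as ciphertext? Added example, not from the article; the magic table and
the 7.0-bit entropy threshold are assumptions, not values measured on SmartRansom."""
import math
import random
from collections import Counter

OLE, OOXML = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04"
MAGIC = {  # extensions from the article's target list -> magic bytes of an intact file
    ".bmp": [b"BM"], ".gif": [b"GIF87a", b"GIF89a"], ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"], ".pdf": [b"%PDF"], ".psd": [b"8BPS"], ".wav": [b"RIFF"],
    ".rar": [b"Rar!\x1a\x07"], ".mid": [b"MThd"], ".midi": [b"MThd"],
    ".ico": [b"\x00\x00\x01\x00"], ".cur": [b"\x00\x00\x02\x00"],
    ".doc": [OLE], ".xls": [OLE], ".ppt": [OLE],
    ".zip": [OOXML], ".docx": [OOXML], ".xlsx": [OOXML], ".pptx": [OOXML],
}
TEXT_EXTS = {".txt", ".au3", ".prn"}  # no magic; judged on printable ratio instead
ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext nears 8.0, real documents stay well below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def header_matches(name: str, data: bytes) -> bool:
    """Leading bytes match the extension? Unknown extensions are trusted; text types
    must be >90% printable in their first 512 bytes."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in TEXT_EXTS:
        return sum(32 <= b < 127 or b in (9, 10, 13) for b in data[:512]) / max(len(data[:512]), 1) > 0.9
    sigs = MAGIC.get(ext)
    return True if sigs is None else any(data.startswith(s) for s in sigs)

def classify(name: str, data: bytes) -> str:
    """'suspect': header mismatch AND random content; 'damaged': mismatch only; 'ok': intact."""
    if header_matches(name, data):
        return "ok"
    return "suspect" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "damaged"

# Constructed samples (not from a real infection); seed 1 keeps the "ciphertext" repeatable.
_rng = random.Random(1)
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(1024),  # intact header
    "photo.jpg": bytes(_rng.getrandbits(8) for _ in range(4096)),  # body overwritten
    "notes.txt": b"Meeting notes 2017-05-30: review backup rotation.\n" * 40,
    "report.txt": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "misnamed.gif": b"BM" + bytes(300),  # wrong header, but far too orderly to be ciphertext
}

def scan(samples=SAMPLES) -> dict:
    return {name: classify(name, data) for name, data in samples.items()}  # {name: verdict}
```

Run against a real directory by replacing SAMPLES with the first few kilobytes of each file; files verdicted "suspect" are the ones to back up first, as the removal section advises.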
Remove SmartRansom Ransomware and Restore Encrypted Files
Before beginning the removal and recovery process, researchers advise victims to back up their files encrypted by SmartRansom ransomware.
To remove the SmartRansom Chinese ransomware infection, you can follow either the manual or the automatic removal instructions below. However, since this virus creates multiple objects in various locations, cybersecurity experts advise removing SmartRansom automatically by using an advanced anti-malware program. It will not only fully remove this virus from your computer but will also make sure that your system is protected against future attempts on its security.
In case you are looking for methods to restore your files, at the moment there is no free decrypter. We will update this article as soon as there is one, so we suggest that you follow it. In the meantime, you can also try recovering your files by following the alternative methods in step “2. Restore files encrypted by SmartRansom” below. They do not guarantee 100% that you will be able to restore the files, but with their aid at least some of the data can be retrieved.