
Remove Surprise Ransomware and Restore .surprise Encrypted Files

A new ransomware has been reported that causes serious damage and trouble to affected users. The crypto-malware reuses ransom messages scraped from other notorious ransomware, such as CryptoWall 3.0. It arrives via other malware already on the user’s computer and, once executed, performs several activities on it, including encrypting the user’s files.

Name: Surprise Ransomware
Type: Ransomware
Short Description: Infects the user via a downloader Trojan and encrypts his/her files, asking for a ransom payment in Bitcoin for the decryption of the data.
Symptoms: The user may witness his files being encrypted with the .surprise file extension, plus a DECRYPTION_HOWTO.Notepad file created on the Desktop.
Distribution Method: Via malicious web links or dangerous e-mail attachments.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Surprise Ransomware.
User Experience: Join our forum to discuss Surprise Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Surprise Ransomware – Spread

The ransomware has been reported by users on security forums to be spread via a Trojan.Downloader. Such a trojan may be posted as a malicious e-mail attachment in a spam message. One user has detected a file named surprise.exe which, when uploaded to VirusTotal, displays the following detections:

[Image: VirusTotal detections for surprise.exe]

This is most likely a downloader that is obfuscated to evade detection by some anti-malware programs with real-time protection.

Surprise Ransomware In Detail

Once the ransomware is on the computer it may be executed via the following files on the user PC:

  • C:\User\LOCAL\Temp\surprise.exe.config
  • C:\User\LOCAL\Temp\surprise.exe
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorwks.dll

Source: Malwr.com

After this, the ransomware may begin to scan for and encrypt the user’s files. A malware researcher named Demonslay335 on the BleepingComputer forums has reported that Surprise ransomware scans for and encrypts the following file extensions:

“.asf”, “.pdf”, “.xls”, “.docx”, “.xlsx”, “.mp3”, “.waw”, “.jpg”, “.jpeg”, “.txt”, “.rtf”, “.doc”, “.rar”, “.zip”, “.psd”, “.tif”, “.wma”, “.gif”, “.bmp”, “.ppt”, “.pptx”, “.docm”, “.xlsm”, “.pps”, “.ppsx”, “.ppd”, “.eps”, “.png”, “.ace”, “.djvu”, “.tar”, “.cdr”, “.max”, “.wmv”, “.avi”, “.wav”, “.mp4”, “.pdd”, “.php”, “.aac”, “.ac3”, “.amf”, “.amr”, “.dwg”, “.dxf”, “.accdb”, “.mod”, “.tax2013”, “.tax2014”, “.oga”, “.ogg”, “.pbf”, “.ra”, “.raw”, “.saf”, “.val”, “.wave”, “.wow”, “.wpk”, “.3g2”, “.3gp”, “.3gp2”, “.3mm”, “.amx”, “.avs”, “.bik”, “.dir”, “.divx”, “.dvx”, “.evo”, “.flv”, “.qtq”, “.tch”, “.rts”, “.rum”, “.rv”, “.scn”, “.srt”, “.stx”, “.svi”, “.swf”, “.trp”, “.vdo”, “.wm”, “.wmd”, “.wmmp”, “.wmx”, “.wvx”, “.xvid”, “.3d”, “.3d4”, “.3df8”, “.pbs”, “.adi”, “.ais”, “.amu”, “.arr”, “.bmc”, “.bmf”, “.cag”, “.cam”, “.dng”, “.ink”, “.jif”, “.jiff”, “.jpc”, “.jpf”, “.jpw”, “.mag”, “.mic”, “.mip”, “.msp”, “.nav”, “.ncd”, “.odc”, “.odi”, “.opf”, “.qif”, “.xwd”, “.abw”, “.act”, “.adt”, “.aim”, “.ans”, “.asc”, “.ase”, “.bdp”, “.bdr”, “.bib”, “.boc”, “.crd”, “.diz”, “.dot”, “.dotm”, “.dotx”, “.dvi”, “.dxe”, “.mlx”, “.err”, “.euc”, “.faq”, “.fdr”, “.fds”, “.gthr”, “.idx”, “.kwd”, “.lp2”, “.ltr”, “.man”, “.mbox”, “.msg”, “.nfo”, “.now”, “.odm”, “.oft”, “.pwi”, “.rng”, “.rtx”, “.run”, “.ssa”, “.text”, “.unx”, “.wbk”, “.wsh”, “.7z”, “.arc”, “.ari”, “.arj”, “.car”, “.cbr”, “.cbz”, “.gz”, “.gzig”, “.jgz”, “.pak”, “.pcv”, “.puz”, “.rev”, “.sdn”, “.sen”, “.sfs”, “.sfx”, “.sh”, “.shar”, “.shr”, “.sqx”, “.tbz2”, “.tg”, “.tlz”, “.vsi”, “.wad”, “.war”, “.xpi”, “.z02”, “.z04”, “.zap”, “.zipx”, “.zoo”, “.ipa”, “.isu”, “.jar”, “.js”, “.udf”, “.adr”, “.ap”, “.aro”, “.asa”, “.ascx”, “.ashx”, “.asmx”, “.asp”, “.indd”, “.asr”, “.qbb”, “.bml”, “.cer”, “.cms”, “.crt”, “.dap”, “.htm”, “.moz”, “.svr”, “.url”, “.wdgt”, “.abk”, “.bic”, “.big”, “.blp”, “.bsp”, “.cgf”, “.chk”, “.col”, “.cty”, “.dem”, “.elf”, “.ff”, “.gam”, “.grf”, “.h3m”, “.h4r”, “.iwd”, “.ldb”, “.lgp”, “.lvl”, “.map”, “.md3”, 
“.mdl”, “.nds”, “.pbp”, “.ppf”, “.pwf”, “.pxp”, “.sad”, “.sav”, “.scm”, “.scx”, “.sdt”, “.spr”, “.sud”, “.uax”, “.umx”, “.unr”, “.uop”, “.usa”, “.usx”, “.ut2”, “.ut3”, “.utc”, “.utx”, “.uvx”, “.uxx”, “.vmf”, “.vtf”, “.w3g”, “.w3x”, “.wtd”, “.wtf”, “.ccd”, “.cd”, “.cso”, “.disk”, “.dmg”, “.dvd”, “.fcd”, “.flp”, “.img”, “.isz”, “.mdf”, “.mds”, “.nrg”, “.nri”, “.vcd”, “.vhd”, “.snp”, “.bkf”, “.ade”, “.adpb”, “.dic”, “.cch”, “.ctt”, “.dal”, “.ddc”, “.ddcx”, “.dex”, “.dif”, “.dii”, “.itdb”, “.itl”, “.kmz”, “.lcd”, “.lcf”, “.mbx”, “.mdn”, “.odf”, “.odp”, “.ods”, “.pab”, “.pkb”, “.pkh”, “.pot”, “.potx”, “.pptm”, “.psa”, “.qdf”, “.qel”, “.rgn”, “.rrt”, “.rsw”, “.rte”, “.sdb”, “.sdc”, “.sds”, “.sql”, “.stt”, “.tcx”, “.thmx”, “.txd”, “.txf”, “.upoi”, “.vmt”, “.wks”, “.wmdb”, “.xl”, “.xlc”, “.xlr”, “.xlsb”, “.xltx”, “.ltm”, “.xlwx”, “.mcd”, “.cap”, “.cc”, “.cod”, “.cp”, “.cpp”, “.cs”, “.csi”, “.dcp”, “.dcu”, “.dev”, “.dob”, “.dox”, “.dpk”, “.dpl”, “.dpr”, “.dsk”, “.dsp”, “.eql”, “.ex”, “.f90”, “.fla”, “.for”, “.fpp”, “.jav”, “.java”, “.lbi”, “.owl”, “.pl”, “.plc”, “.pli”, “.pm”, “.res”, “.rsrc”, “.so”, “.swd”, “.tpu”, “.tpx”, “.tu”, “.tur”, “.vc”, “.yab”, “.aip”, “.amxx”, “.ape”, “.api”, “.mxp”, “.oxt”, “.qpx”, “.qtr”, “.xla”, “.xlam”, “.xll”, “.xlv”, “.xpt”, “.cfg”, “.cwf”, “.dbb”, “.slt”, “.bp2”, “.bp3”, “.bpl”, “.clr”, “.dbx”, “.jc”, “.potm”, “.ppsm”, “.prc”, “.prt”, “.shw”, “.std”, “.ver”, “.wpl”, “.xlm”, “.yps”, “.1cd”, “.bck”, “.html”, “.bak”, “.odt”, “.pst”, “.log”, “.mpg”, “.mpeg”, “.odb”, “.wps”, “.xlk”, “.mdb”, “.dxg”, “.wpd”, “.wb2”, “.dbf”, “.ai”, “.3fr”, “.arw”, “.srf”, “.sr2”, “.bay”, “.crw”, “.cr2”, “.dcr”, “.kdc”, “.erf”, “.mef”, “.mrw”, “.nef”, “.nrw”, “.orf”, “.raf”, “.rwl”, “.rw2”, “.r3d”, “.ptx”, “.pef”, “.srw”, “.x3f”, “.der”, “.pem”, “.pfx”, “.p12”, “.p7b”, “.p7c”, “.jfif”, “.exif”, “.rar”

Source: BleepingComputer

The files are encrypted with a combination of two algorithms, RSA-2048 and AES-256, which makes decryption without the key even harder than it already is. Both algorithms are military-grade, and recovering the files by attacking the encryption itself is not feasible. After encryption, Surprise ransomware appends the .surprise file extension to the files on the user’s PC, for example:

  • Picture.jpg becomes Picture.jpg.surprise

Upon opening the encrypted files, the user may either encounter a message saying the file cannot be opened or the following Windows suggestion pop-up:

[Image: Windows pop-up shown when opening an encrypted file]

After encryption, the ransomware drops two notepad files that are called:

  • DECRYPTION_HOWTO.Notepad
  • Encrypted_Files.Notepad
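A small triage helper, added here as an example and not part of the original article, that walks a user profile for the .surprise extension and the two ransom notes named above, recovers each file's original name, and flags encrypted files whose original extension falls outside the reported target list. The sample directory tree and the subset of targeted extensions are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".surprise"
RANSOM_NOTES = {"DECRYPTION_HOWTO.Notepad", "Encrypted_Files.Notepad"}
# Small subset of the targeted extensions reported by Demonslay335 (see list above).
TARGETED = {".pdf", ".docx", ".jpg", ".xlsx", ".txt", ".zip", ".pem", ".sql"}


def triage(root):
    """Walk the tree under root and return (encrypted, notes, untargeted).

    encrypted:  (path, original_name, original_ext) for every *.surprise file
    notes:      paths of the two ransom notes named in the article
    untargeted: encrypted files whose original extension is not in TARGETED;
                these deserve a second look (incomplete list, or another cause)
    """
    encrypted, notes, untargeted = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = str(Path(dirpath, name))
            if name in RANSOM_NOTES:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                original = name[: -len(ENCRYPTED_EXT)]  # Picture.jpg.surprise -> Picture.jpg
                ext = Path(original).suffix.lower()
                encrypted.append((path, original, ext))
                if ext not in TARGETED:
                    untargeted.append(path)
    return encrypted, notes, untargeted


def build_sample_tree():
    """Build a constructed sample of an infected profile (not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="surprise-triage-"))
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    (root / "Desktop" / "DECRYPTION_HOWTO.Notepad").write_text("What happened to your files ?\n")
    (root / "Desktop" / "Encrypted_Files.Notepad").write_text("Documents\\report.docx\n")
    (root / "Documents" / "report.docx.surprise").write_bytes(b"\x00" * 16)
    (root / "Documents" / "Picture.jpg.surprise").write_bytes(b"\x00" * 16)
    (root / "Documents" / "notes.md.surprise").write_bytes(b"\x00" * 16)  # .md not in TARGETED
    (root / "Documents" / "readme.txt").write_text("untouched\n")
    return str(root)


if __name__ == "__main__":
    enc, found_notes, odd = triage(build_sample_tree())
    print(f"{len(enc)} encrypted files, {len(found_notes)} ransom notes, {len(odd)} outside target list")
    for path, original, _ in enc:
        print(f"  {path} -> original name {original}")
```

Point `triage()` at a copy of the affected profile taken from a clean machine; the recovered original names give you the list to match against backups.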

These are the reported contents of the “DECRYPTION_HOWTO.Notepad” file:

What happened to your files ?
All of your files were protected by a strong encryption.
There is no way to decrypt your files without the key.
If your files not important for you just reinstall your system.
If your files is important just email us to discuss the price and how to decrypt your files.
You can email us to [email protected] and [email protected]
Write your Email to both email addresses PLS
We accept just BITCOIN if you dont know what it is just google it.
We will give instructions where and how you buy bitcoin in your country.
Price depends on how important your files and network is.it could be 0.5 bitcoin to 25 bitcoin.
You can send us a 1 encrypted file for decryption.
Feel free to email us with your country and computer name and username of the infected system.

In short, the ransomware can demand up to 25 bitcoins for the user’s data, which is approximately 10000 US dollars. It is advisable not to pay the ransom for several reasons:

  • You fund the cybercriminals to spread and develop this malware.
  • You may not get your files back as promised.

Remove Surprise Ransomware and Restore Your Data

To successfully remove this ransomware, a conventional approach simply won’t cut it. This is why we strongly advise you to follow the step-by-step removal manual, which is designed for maximum effectiveness.

Regarding the recovery of your data, we advise you to do it from a separate, safe PC. More information on recovery methods can be found in the “Restore Files” step below.

1. Boot Your PC In Safe Mode to isolate and remove Surprise Ransomware
2. Remove Surprise Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Surprise Ransomware in the future
4. Restore files encrypted by Surprise Ransomware
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the Surprise Ransomware threat: Manual removal of Surprise Ransomware requires interference with system files and the registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


  • Xavier

    Dear Sir, a computer at my workplace was infected with this virus. Is there any way to decrypt the files? How can I know whether my network is infected, and what antivirus and anti-malware would you recommend installing on the computers? Thank you in advance for your kind help.

    • Milena Dimitrova

      Hello Xavier,

      Can you check if your computer’s Remote Desktop Protocol / Remote Assistance is off? What you can do is turn off the Internet connection and check if other computers are infected. However, if no one has complained by now, it’s likely that only your computer got infected.

      Have you removed the ransomware with an anti-malware program?

      In terms of restoring your encrypted files – have a look at section 4 at the end of this article.
