Remove Tilde Ransomware and Restore .~ Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Tilde Ransomware and Restore .~ Encrypted Files

sensorstechforum-ransom-note-tildeA very interesting ransom virus, named Tilde has been detected to add the .~ (tilde sign) file extension to the files it encrypts. It uses a very strong AES encryption and demands 0.8 BTC from infected users. Tilde ransomware also changes the wallpaper of the infected computer with its ransom note aiming to scare off users into paying the ransom, claiming that it also uses a uniquely generated RSA key to strengthen its encryption. The ransomware also drops a .ini file and a .bmp image containing its ransom instructions. Users who have become victims of Tilde ransomware are strongly advised not to perform any activities associated with paying the ransom money to cyber crooks. Instead, we recommend reading this article to learn how to remove Tilde ransomware and try to restore files which cannot be directly decrypted.

Threat Summary

Name

Tilde

TypeRansomware
Short DescriptionThe malware encrypts users files and demand 0.8 BTC as a ransom payoff.
SymptomsThe user may witness ransom message as a desktop with instructions on how to make the payoff. Files are encrypted with the “.~” sign as a file extension.
Distribution MethodVia a malicious e-mail attachment.
Detection Tool See If Your System Has Been Affected by Tilde

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Tilde Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Tilde Ransomware – How Does It Replicate

There are several methods by which cyber criminals may distribute this virus all over the web. They include a huge investment into the latest tools that bypass standard OS defenses:

  • Program obfuscators.
  • Exploit kits.
  • JavaScript.
  • Spam bots or spamming services.
  • File joiners.

All of the different tools may be used to spread the virus via e-mail. One method of e-mail attacks is undertaking massive spam campaigns to infect as many users as possible. One of those e-mail subjects may be a free upgrade or a promise of anything for free. Users have also reported e-mails from banking institutions claiming their accounts have been suspected. Most e-mails use deceptive tactics just to get users to start opening the malicious e-mail attachments or URLs which can infect their computer via different combinations of the abovementioned malicious tools.

Malware attacks by Tilde ransomware may also be targeted against specific organizations by using spoof e-mails. This means that the black hat hackers may pretend to be someone from the company and send an e-mail address to the local e-mail server to infect computers in the local area network of the company like seen in the TV series Mr.Robot.

Some blackhats may also use the services of ad-supported applications, like browser hijackers which may cause direct redirects to malicious URLs if paid to do so.

Tilde Ransomware – In-Depth Analysis

After Tilde has successfully infected the computer of its victim, it may create one or more malicious files in several usually targeted Windows Folders:

commonly used file names and folders

The files may have different names, ranging from completely random to names appearing like legitimate Windows processes, such as svchost.exe, for example.

As soon as it has made the malicious files, Tilde ransomware may immediately start encrypting data and create registry values so that it runs every time you boot Windows, They may be located in the following keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Tilde Ransomware may begin to scan for a wide variety of file types, primarily associated with videos, music, photos, databases, virtual drives, remote drives and other files. After it detects the file extensions it is looking for; Tilde encrypts them using a very strong AES encryption. The files can no longer be opened after encoding with any software. They are appended the .~ file extension, and they may look like the following example:

encrypted-file-tilder-ransomware-sensorstechofurm

After encryption, the Tilde Ransomware drops the following files containing its ransom note:

C:\_RECOVER_INSTRUCTIONS.ini
C:\Documents and Settings\Default User\Desktop\_RECOVER_INSTRUCTIONS.ini
C:\Documents and Settings\Default User\Templates\_RECOVER_INSTRUCTIONS.ini
%TEMP%\Simple_Encoder\img.bmp
C:\Documents and Settings\Local\Temp\Simple_Encoder\img.bmp

These files have the ransom note as a text .ini file and a .bmp image. Tilde Ransomware may modify the following registry key to change the wallpaper to its ransom note:

In the key:
HKEY_CURRENT_USER\Control Panel\Desktop
The value string:
“Wallpaper”=” C:\Documents and Settings\Local\Temp\Simple_Encoder\img.bmp”

The ransom note has the following text:

→ “All your system is encrypted.
All your files (documents, photos, videos) were encrypted.
It’s impossible to get access to your files without necessary decrypt key.
All your attempts to solve problem yourself will be unsuccessful!
We suggest you to read some articles about this type of encryption:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Now you have two options to solve the problem:
1. Format your hard disk. This way you’ll lose all your files.
2. Pay 0.8 Bitcoin and get key of decryption. At the end of this ad you’ll see your personal ID and our contact information.
Now you should send us email with your personal ID. This email
will be as confirmation you are ready to pay for decryption key.
After payment we’ll send you key of decryption with instructions how to decrypt the system.
Please, don’t send us emails with threats. We don’t read it and don’t reply!
We guarantee we’ll send you the decryption key after your payment so you’ll get access to all your files.
Our e-mail address: [email protected]
YOUR PERSONAL IDENTIFIER: ***”

Tilde Ransomware – Conclusion, Removal, and File Restoration

As a bottom line, Tilde Ransomware is a relatively new variant, and it may be a heavily modified ransomware of other viruses, like Cerber, Troldesh or Locky or any other viruses that may be sold online. Cyber-criminals behind it aim to motivate users into paying and this is why contacting them is not suggestable.

Instead, experts advise removing Tilde ransomware completely from your computer. To do this, we recommend using an advanced anti-malware program since it will swiftly and automatically remove Tilde ransomware from your computer, in case you fail to locate manually and delete its files. More information you can find by carefully following the removal instructions below. They also include file restoration alternatives in step “3.Restore Files Encrypted by Tilde” below. These are methods with which you may attempt to revert your files in case direct decryption is not available. We also suggest you follow this article since we will update it as soon as a free decryptor has been released out into the public.

Manually delete Tilde from your computer

Note! Substantial notification about the Tilde threat: Manual removal of Tilde requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Tilde files and objects
2. Find malicious files created by Tilde on your PC
3. Fix registry entries created by Tilde on your PC

Automatically remove Tilde by downloading an advanced anti-malware program

1. Remove Tilde with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Tilde in the future
3. Restore files encrypted by Tilde
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...