The HydraCrypt ransomware has another variant. It goes by the name of UmbreCrypt and encrypts files with extensions named after both of those variants. Hundreds of files with different extensions are encrypted by an RSA-2048 encryption algorithm. To remove the ransomware and see how to try restoring your files, you should carefully read the article to the end.
|Short Description||The ransomware encrypts files with a RSA-2048 algorithm and asks money for decryption.|
|Symptoms||Files are encrypted and inaccessible. A ransom message with instructions for paying the ransom appears on your screen.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks|
|Detection tool||Download Malware Removal Tool, to See If Your System Has Been Affected by UmbreCrypt Ransomware|
|User Experience||Join our forum to discuss UmbreCrypt Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
UmbreCrypt Ransomware – Distribution Ways
UmbreCrypt ransomware is distributed in a few ways. One way is via spam emails which have a malicious file attached to them. Opening the attachment automatically infects your computer. The malicious code can hide inside the body of an email. Just by opening such emails is enough to get your computer infected, even without the attachment.
Other ways this ransomware can distribute through are file sharing services and social networks, which could contain attachments and files with the UmbreCrypt ransomware inside them. Such files could be introduced to you as something useful or needed, like an important update. Visiting unknown websites or clicking on links which redirect could also result in this malware infecting your PC.
UmbreCrypt Ransomware – Technical Information
UmbreCrypt is classified by several security researchers as ransomware. It is part of the HydraCrypt family.
According to Symantec researchers, if your computer is infected, the ransomware may make the following new entries in the Windows Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”Microsoft Internet Explorer Update” = [Ransomware’s location]
HKEY_CURRENT_USER\Software\Microsoft\Windows\”ChromeStarts3264″ = “%UserProfile%\Application Data\ChromeSetings3264\[random symbols].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”ChromeSettingsStart3264″ = “%UserProfile%\Application Data\ChromeSetings3264\[random symbols].exe”
Those registry entries will make the ransomware start automatically with each boot of Windows.
Next, the ransomware will create one or some of these files:
- README_DECRYPT_UMBRE_ID_[random symbols].txt
- README_DECRYPT_UMBRE_ID_[random symbols].jpg
- README_DECRYPT_HYDRA_ID_[random symbols].txt
- README_DECRYPT_HYDRA_ID_[random symbols].jpg
Each such file contains instructions on how the ransom money to be paid. The following statement is inside:
Attention! All your main files were encrypted! ID: [random symbols]
Your personal files (documents, databases, jpeg, docx, doc, etc.) were encrypted, their further using impossible. Encryption was made using a unique public key RSA-2048 generated for this computer.
To decrypt your files you need to buy a software with your unique private key. Only our software will allow you decrypt files.
-You have only 72 hours from the moment when an encryption was done to buy our software with a loyal price, the payment amount will be increased multiple after the laps of 72 hours.
-Any attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.
-Do not send any emails with threats and rudeness to us. Example of email format: “Hi, I need a decryption of my files. My ID number is …”
(instead of three dots should be your ID number which could be found in the same folder where the encrypted file, also your ID number is shown on this picture)
Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact your within 12 hours.
For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.
According to Symantec researchers, the UmbreCrypt ransomware can connect to one of these locations:
The UmbreCrypt ransomware is known to search for and encrypt files with the following extensions:
→ .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .tex .tga .thm .txt .vob .vsd .vsx .vtx .wav .wb2 .wdb .wll .wmv .wpd .wps .x11 .x3f .xla .xlam .xlb .xlc .xll .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .m4a .wma .d3dbsp .xlw .xpp .xsn .yuv .zip .zip .sie .unrec .scan .sum .t13 .t12 .qdf .tax .pkpass .bc6 .bc7 .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .map .wmo .itm .sb .fos .mov .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .vcf .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .dba .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .lbf .slm .epk .rgss3a .pak .big .wallet .wotreplay .xxx .desc .m3u .js .css .rb .png .rw2 .rwl .mrwref .3fr .xf .pst .dx .tiff .bd .tar .gz .mkv .bmp .dot .xml .xmlx .dat .html .gif .mcl .ini .mte .cfg .mp3 .qbi .qbr .cnt .v30 .qbo .lgb .qwc .qbp .aif .qby .1pa .qpd .set .nd .rtp .qbwin .log .qbbackup .tmp .temp1234 .qbt .qbsdk .syncmanagerlogger .ecml .qsm .qss .qst .fx0 .fx1 .mx0 .fpx .fxr .fim .st6
After encryption, files have one of two extensions – .umbrecrypttmp_ID_[random numbers] or .hydracrypt_ID_[random numbers]. The encryption algorithm of the ransomware, according to its own ransom note is RSA-2048. The source code of the malware is known by EmsiSoft who have made decrypter software. You can find it in the instructions near the end of the article.
So paying the UmbreCrypt ransomware creators is definitely out of the question. Even if there was no method of recovery, paying them is wrong based on two reasons. One that there is no guarantee your files are going to be decrypted by the makers of the ransomware. The other is that by paying them, is comparable to supporting them.
After removing the ransomware, you should check the third section of the instructions written below for the decrypter software and a few alternative ways in which you can try to restore your files, if in any case that software doesn’t work.
Remove UmbreCrypt Ransomware and Restore Encrypted Files
If you have been infected by UmbreCrypt, you should have a bit of experience in removing malware. This ransomware might lock your files irreparably, so it is highly recommended that you act quick and follow the step-by-step instructions provided right down here.