Remove UmbreCrypt Ransomware and Restore .umbrecrypttmp_ID Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

The HydraCrypt ransomware has another variant. It goes by the name of UmbreCrypt and encrypts files, giving them extensions named after both of those variants. Hundreds of files with different extensions are encrypted with an RSA-2048 encryption algorithm. To remove the ransomware and see how to try restoring your files, read the article carefully to the end.

Name: UmbreCrypt Ransomware
Type: Ransomware
Short Description: The ransomware encrypts files with an RSA-2048 algorithm and asks for money for decryption.
Symptoms: Files are encrypted and inaccessible. A ransom message with instructions for paying the ransom appears on your screen.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks

UmbreCrypt Ransomware – Distribution Ways

UmbreCrypt ransomware is distributed in a few ways. One way is via spam emails that have a malicious file attached to them. Opening the attachment automatically infects your computer. The malicious code can also hide inside the body of an email, in which case just opening the email is enough to get your computer infected, even without the attachment.

The ransomware can also be distributed through file sharing services and social networks, which could contain attachments and files with the UmbreCrypt ransomware inside them. Such files could be presented to you as something useful or needed, like an important update. Visiting unknown websites or clicking on links that redirect could also result in this malware infecting your PC.

UmbreCrypt Ransomware – Technical Information

UmbreCrypt is classified by several security researchers as ransomware. It is part of the HydraCrypt family.

According to Symantec researchers, if your computer is infected, the ransomware may make the following new entries in the Windows Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Internet Explorer Update" = [Ransomware's location]

HKEY_CURRENT_USER\Software\Microsoft\Windows\"ChromeStarts3264" = "%UserProfile%\Application Data\ChromeSetings3264\[random symbols].exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ChromeSettingsStart3264" = "%UserProfile%\Application Data\ChromeSetings3264\[random symbols].exe"

Those registry entries will make the ransomware start automatically with each boot of Windows.

Next, the ransomware will create one or more of these files:

  • README_DECRYPT_UMBRE_ID_[random symbols].txt
  • README_DECRYPT_UMBRE_ID_[random symbols].jpg
  • README_DECRYPT_HYDRA_ID_[random symbols].txt
  • README_DECRYPT_HYDRA_ID_[random symbols].jpg

Each such file contains instructions on how the ransom money is to be paid. The following statement is inside:

Attention! All your main files were encrypted! ID: [random symbols]

Your personal files (documents, databases, jpeg, docx, doc, etc.) were encrypted, their further using impossible. Encryption was made using a unique public key RSA-2048 generated for this computer.
To decrypt your files you need to buy a software with your unique private key. Only our software will allow you decrypt files.
Note:
-You have only 72 hours from the moment when an encryption was done to buy our software with a loyal price, the payment amount will be increased multiple after the laps of 72 hours.
-Any attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.
-Do not send any emails with threats and rudeness to us. Example of email format: “Hi, I need a decryption of my files. My ID number is …”
(instead of three dots should be your ID number which could be found in the same folder where the encrypted file, also your ID number is shown on this picture)
Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact your within 12 hours.
For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.

According to Symantec researchers, the UmbreCrypt ransomware can connect to one of these locations:

  • [http://]drivers-softprotect.eu/img[characters]
  • [http://]drivers-softprotect.eu/flamm[characters]
  • [http://]testcryp.eu/googd[characters]
  • [http://]testcryp.eu/img[characters]

The UmbreCrypt ransomware is known to search for and encrypt files with the following extensions:

→ .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .tex .tga .thm .txt .vob .vsd .vsx .vtx .wav .wb2 .wdb .wll .wmv .wpd .wps .x11 .x3f .xla .xlam .xlb .xlc .xll .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .m4a .wma .d3dbsp .xlw .xpp .xsn .yuv .zip .zip .sie .unrec .scan .sum .t13 .t12 .qdf .tax .pkpass .bc6 .bc7 .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .map .wmo .itm .sb .fos .mov .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .vcf .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .dba .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .lbf .slm .epk .rgss3a .pak .big .wallet .wotreplay .xxx .desc .m3u .js .css .rb .png .rw2 .rwl .mrwref .3fr .xf .pst .dx .tiff .bd .tar .gz .mkv .bmp .dot .xml .xmlx .dat .html .gif .mcl .ini .mte .cfg .mp3 .qbi .qbr .cnt .v30 .qbo .lgb .qwc .qbp .aif .qby .1pa .qpd .set .nd .rtp .qbwin .log .qbbackup .tmp .temp1234 .qbt .qbsdk .syncmanagerlogger .ecml .qsm .qss .qst .fx0 .fx1 .mx0 .fpx .fxr .fim .st6

After encryption, files have one of two extensions: .umbrecrypttmp_ID_[random numbers] or .hydracrypt_ID_[random numbers]. The encryption algorithm of the ransomware, according to its own ransom note, is RSA-2048. The source code of the malware is known to Emsisoft, who have made decrypter software. You can find it in the instructions near the end of the article.
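The file names, extensions and registry value names listed above can be checked mechanically during triage. The following Python code is an added example, not part of the original article or of any vendor tool; it assumes the encrypted extension is appended to the original file name and matches the "[random symbols]" and "[random numbers]" parts loosely, and the sample paths and registry values are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Patterns derived from the names listed in the article. The random parts are
# matched loosely (assumption: their exact format is not given on the page).
NOTE_RE = re.compile(r"^README_DECRYPT_(?:UMBRE|HYDRA)_ID_(?P<id>[^.]+)\.(?:txt|jpg)$", re.I)
ENC_RE = re.compile(r"^(?P<orig>.+)\.(?:umbrecrypttmp|hydracrypt)_ID_(?P<id>[^.]+)$", re.I)
# Autorun value names and drop folder reported in the article (spelling as reported).
RUN_NAMES = {"microsoft internet explorer update", "chromestarts3264",
             "chromesettingsstart3264"}
DROP_DIR = "chromesetings3264"

def classify(path):
    """Return (kind, victim_id, original_name), or None for an unrelated file."""
    name = PureWindowsPath(path).name
    m = NOTE_RE.match(name)
    if m:
        return ("ransom_note", m["id"], None)
    m = ENC_RE.match(name)
    if m:
        return ("encrypted", m["id"], m["orig"])
    return None

def triage(paths, run_values=None):
    """Summarise indicators from a file listing and exported Run-key values."""
    report = {"notes": [], "encrypted": defaultdict(list), "autoruns": []}
    for p in paths:
        hit = classify(p)
        if hit and hit[0] == "ransom_note":
            report["notes"].append(p)
        elif hit:
            # Group by ID so files can be matched to the ID shown in the note.
            report["encrypted"][hit[1]].append(hit[2])
    for name, data in (run_values or {}).items():
        if name.lower() in RUN_NAMES or DROP_DIR in data.lower():
            report["autoruns"].append(name)
    return report

# Constructed sample input (not taken from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.umbrecrypttmp_ID_12345678",
    r"C:\Users\alice\Documents\README_DECRYPT_UMBRE_ID_12345678.txt",
    r"C:\Users\alice\Pictures\cat.jpg.hydracrypt_ID_12345678",
    r"C:\Users\alice\notes\README.txt",
]
SAMPLE_RUN = {"OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
              "ChromeSettingsStart3264": r"%UserProfile%\Application Data\ChromeSetings3264\xyz.exe"}
if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_RUN))
```

Grouping the encrypted files by ID gives a list of original names to check against backups and to feed to the decrypter once the ransomware itself has been removed.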

So paying the UmbreCrypt ransomware creators is definitely out of the question. Even if there were no method of recovery, paying them would be wrong for two reasons. One is that there is no guarantee your files are going to be decrypted by the makers of the ransomware. The other is that paying them is comparable to supporting them.

After removing the ransomware, you should check the third section of the instructions below for the decrypter software and a few alternative ways in which you can try to restore your files in case that software doesn't work.

Remove UmbreCrypt Ransomware and Restore Encrypted Files

If you have been infected by UmbreCrypt, you should have a bit of experience in removing malware. This ransomware might lock your files irreparably, so it is highly recommended that you act quickly and follow the step-by-step instructions provided below.

1. Boot Your PC In Safe Mode to isolate and remove UmbreCrypt Ransomware
2. Remove UmbreCrypt Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by UmbreCrypt Ransomware in the future
4. Decrypt files encrypted by UmbreCrypt Ransomware
Optional: Using an Alternative Anti-Malware Tool
NOTE! Substantial notification about the UmbreCrypt Ransomware threat: Manual removal of UmbreCrypt Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
