
Remove [email protected] (@tuta.io) Ransomware and Restore the Encrypted Files

Ciphering attacks by a new ransomware variant have been increasing lately. They appear to be linked to two e-mail addresses, [email protected] and [email protected]. The ransomware uses scripts conventional for ransomware to encode the user's files with its modules and appends a custom file extension, leaving the files unreadable. The file extension used by this crypto-malware is .73i87A, and in its ransom note the cyber-criminals offer free decryption of 2 to 3 files. All users affected by the ransomware should not pay the ransom and should instead use the alternatives provided after this article to restore their data.

Name: [email protected]
Type: Ransomware
Short Description: Encrypts the user's files and appends a 6-character alphanumeric file extension, after which it asks the user to contact the [email protected] e-mail address.
Symptoms: The user may see their wallpaper changed and a “HOW TO DECRYPT” text file on the desktop.
Distribution Method: Via various malicious URLs or spam e-mails posted online

[email protected] Ransomware – Distribution

We have analyzed the single .exe file of this malware and concluded that it may enter the user's PC directly. It may be downloaded via browser redirects caused by ad-supported applications, for example the Yes Searches Browser Hijacker. However, the most widespread distribution method used by ransomware is spam of various kinds.

One particular type is spamming malicious URLs or attachments via e-mails whose messages may imitate a website on which the user has an account. The spam mails may feature malicious URLs and, in some cases, malicious attachments, most often in the form of archived files (.rar, .zip, .7z, etc.). The ransomware may also be distributed via referral spam on websites with poor spam protection.

[email protected] In Detail

Once the payload of the ransomware is dropped, it may reside in the following Windows locations:

  • %AppData%
  • %Temp%

The files dropped by the Trojan may have the following file names:

  • Setup.exe
  • Aes10.dll
  • Aes10.asm
  • HOW TO DECRYPT FILES.txt
  • HOW TO DECRYPT FILES.jpg

Besides those files, the ransomware also creates the following objects in the “C:” logical partition:

(Screenshot: objects created by the ransomware in the C: partition)

Once the ransomware executable has been started, it directly begins to encrypt your files. After its payload runs, it scans for the most commonly used file types and encrypts them, adding a custom alphanumeric file extension to each. The file extensions added by this ransomware's variants are reported on forums to be the following:

  • .73i87A
  • .P5tkjw
  • .6FKR8d

An example of an encrypted file name is New Text Document.txt.73i87A.
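As an added defender-side example (not code from the original post), the following Python script scans a directory tree for the artifacts described above: the dropped file names, the three known extensions and, as a generalisation beyond what the page lists, any other six-character alphanumeric suffix appended after a normal extension. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the write-up above.
KNOWN_EXTENSIONS = {".73i87A", ".P5tkjw", ".6FKR8d"}
DROPPED_NAMES = {"Setup.exe", "Aes10.dll", "Aes10.asm",
                 "HOW TO DECRYPT FILES.txt", "HOW TO DECRYPT FILES.jpg"}
# Generalisation (assumption, not stated on the page): any other 6-character
# alphanumeric suffix appended after a normal extension is reported as suspect.
SUFFIX_RE = re.compile(r"^.+\.[A-Za-z0-9]{2,5}\.[A-Za-z0-9]{6}$")


def classify(name):
    """Return 'dropped', 'encrypted', 'suspect' or None for one file name."""
    if name in DROPPED_NAMES:
        return "dropped"
    if os.path.splitext(name)[1] in KNOWN_EXTENSIONS:
        return "encrypted"
    if SUFFIX_RE.match(name):
        return "suspect"
    return None


def scan_tree(top):
    """Walk a directory tree; return {category: sorted relative paths}."""
    hits = {"dropped": [], "encrypted": [], "suspect": []}
    for dirpath, _, files in os.walk(top):
        for f in files:
            cat = classify(f)
            if cat:
                hits[cat].append(os.path.relpath(os.path.join(dirpath, f), top))
    return {k: sorted(v) for k, v in hits.items()}


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return hits."""
    sample = ["Desktop/HOW TO DECRYPT FILES.txt", "AppData/Roaming/Aes10.dll",
              "Documents/New Text Document.txt.73i87A",
              "Documents/budget.xlsx.P5tkjw", "Documents/photo.jpg.Zz9Qq1",
              "Documents/notes.txt", "Downloads/archive.tar.gz"]
    with tempfile.TemporaryDirectory() as top:
        for rel in sample:
            path = os.path.join(top, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_tree(top)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Point scan_tree() at a user profile directory to triage a real machine; the "suspect" category will also surface variants whose extension is not yet on the list.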

Judging by the name of its malicious .dll module (Aes10.dll), the ransomware may encrypt the files with AES, the Advanced Encryption Standard. After ciphering the user data, the ransomware may change the victim's wallpaper and place the “HOW TO DECRYPT FILES.txt” ransom note on the Desktop, like the following:

(Screenshot: changed desktop wallpaper)

(Screenshot: text of the ransom note)

Not only this, but the ransomware uses the same password for each and every file, and it may generate a custom password for every user. This password may be used in a decryptor the cyber-attackers provide to the victim to unlock their files after the ransom has been paid. The ransom amount is believed to be somewhere between $50 and $100. When the cyber-criminals were contacted, the response was the following:

(Screenshot: the cyber-criminals' response)

In addition to this information, we have uploaded a screenshot displaying VirusTotal's detection results for the payload-carrying file:

(Screenshot: VirusTotal detection results)

Remove [email protected] (@email.su) Ransomware and Restore Your Files

The removal process for this ransomware is rather simple. All you need is an advanced anti-malware program; then follow the step-by-step instructions below to delete it.

Regarding the file decryption process, a user on YouTube called MC NORRIS has posted a video of the decryption process that follows once the ransom money has been paid:

We strongly advise you NOT TO PAY the ransom, since, fortunately for us, several brave researchers have discovered methods to decrypt your files for free. Here are the specific decryption methods for this ransomware:

Removal Instructions for [email protected] Ransomware

1. Boot Your PC In Safe Mode to isolate and remove [email protected]
2. Remove [email protected] with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by [email protected] in the future
Optional: Using Alternative Anti-Malware Tools
NOTE! Important information about the [email protected] threat: manual removal of [email protected] requires interfering with system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

