Ciphering attacks by a new ransomware variant have been increasing lately. They seem to be linked to two email addresses known as [email protected] and [email protected]. The ransomware uses scripts conventional for ransomware to encode the user's files with its modules and appends a custom file extension, rendering the files corrupt. The file extension used by this crypto-malware is .73i87A, and in its ransom note the cyber-criminals offer the free decryption of 2 to 3 files. Users affected by the ransomware should not pay the ransom money and should instead use the alternatives provided after this article to restore their data.
| Field | Details |
|---|---|
| Short Description | Encrypts the user's files, appends a 6-character alphanumeric file extension and then asks the user to contact the [email protected] e-mail address. |
| Symptoms | The user may see the wallpaper changed and a "HOW TO DECRYPT" text file on the desktop. |
| Distribution Method | Via various malicious URLs or spam e-mails posted online. |
[email protected] Ransomware – Distribution
We have analyzed the single .exe file of this malware and concluded that it may enter the user's PC directly. It may be downloaded via browser redirects caused by ad-supported applications, for example, Yes Searches Browser Hijacker. However, the most widespread method of distribution used by ransomware is via different types of spam.
One particular type is spamming malicious URLs or attachments via emails whose messages may resemble those of a website the user is registered with. The spam mails may feature malicious URLs and in some cases even malicious attachments, most often in the form of archived files (.rar, .zip, .7z, etc.). Not only this, but the ransomware may also be distributed via referral spam on websites with poor spam protection.
[email protected] In Detail
Once the payload of the ransomware is dropped, it may reside in the following Windows locations:
The files dropped by the Trojan may have the following file names:
- HOW TO DECRYPT FILES.txt
- HOW TO DECRYPT FILES.jpg
Besides those files, the ransomware also creates the following objects in the “C:” logical partition:
Once this ransomware executable has been started, it directly begins to encrypt your files. After its payload runs, it scans for the most commonly used file types and encrypts them, adding a custom alphanumeric file extension to them. The file extensions added by this ransomware's variants are reported on forums to be the following:
An example of an encrypted file may be New Text Document.txt.73i87A
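To show how a defender can sweep a machine for the indicators described above (the .73i87A extension and the "HOW TO DECRYPT FILES" note names), here is an added example that is not part of the original article. It also generalises to the other variants by flagging a 6-character alphanumeric extension appended after a commonly targeted document extension; that generalisation, the list of targeted extensions, and the sample file names are assumptions made for this example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Indicators taken from the write-up: the appended extension and the ransom note names.
KNOWN_EXTENSION = ".73i87A"
RANSOM_NOTES = {"HOW TO DECRYPT FILES.txt", "HOW TO DECRYPT FILES.jpg"}
# Assumption for the generalised check: other variants append a different 6-character
# alphanumeric extension after the original one, so "budget.xlsx.Q9zT4k" is flagged as
# suspect when the inner extension is a commonly targeted type (list chosen here).
TARGETED_EXTENSIONS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png"}
VARIANT_SUFFIX = re.compile(r"^\.[A-Za-z0-9]{6}$")

def classify(name: str) -> Optional[str]:
    """Return 'note', 'known', 'suspect' or None for one file name."""
    if name in RANSOM_NOTES:
        return "note"
    suffixes = Path(name).suffixes
    if suffixes and suffixes[-1] == KNOWN_EXTENSION:
        return "known"
    if (len(suffixes) >= 2 and VARIANT_SUFFIX.match(suffixes[-1])
            and suffixes[-2].lower() in TARGETED_EXTENSIONS):
        return "suspect"
    return None

def scan(root: str) -> dict:
    """Walk a directory tree and group matching paths by indicator type."""
    report = {"note": [], "known": [], "suspect": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(fname)
            if kind:
                report[kind].append(os.path.join(dirpath, fname))
    return report

def original_name(path: str) -> str:
    """Strip the appended extension so the pre-encryption name can be listed."""
    p = Path(path)
    return str(p.with_suffix("")) if classify(p.name) in ("known", "suspect") else path

def scan_constructed_sample() -> dict:
    """Create a throwaway tree of constructed file names, scan it, return names per type."""
    names = ("New Text Document.txt.73i87A", "HOW TO DECRYPT FILES.txt",
             "budget.xlsx.Q9zT4k", "notes.txt", "archive.sqlite")
    with tempfile.TemporaryDirectory() as tmp:
        for n in names:
            Path(tmp, n).write_bytes(b"constructed")
        return {k: sorted(Path(v).name for v in v_list) for k, v_list in scan(tmp).items()}
```

Running scan() against a user profile lists the ransom notes and encrypted files in one pass, and original_name() recovers the names to restore from backup.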
Judging by its malicious .dll module’s name, the ransomware may have encrypted the files with an advanced encryption algorithm. After ciphering the user data, the ransomware may change the victim’s wallpaper and add the “HOW TO DECRYPT FILES.txt” ransom note on the Desktop like the following:
Not only this, but the ransomware uses the same password for each and every file, and it may generate a custom password for every user. This password may be used in a decryptor the cyber-attackers provide to the victim to unlock their files after the ransom has been paid. The ransom amount is believed to be somewhere in the range of 50$ – 100$. When the cyber-criminals were contacted, the response was the following:
In addition to this information, we have uploaded a screenshot displaying VirusTotal‘s detection results of the payload-carrying file:
Remove [email protected] (@email.su) Ransomware and Restore Your Files
The removal process for this ransomware is rather simple. In fact, all you need is advanced anti-malware software and to follow the step-by-step instructions below to delete it.
Regarding the file decryption process, a user on YouTube called MC NORRIS has posted a video of the decryption process once the ransom money has been paid:
We strongly advise NOT TO PAY the ransom money since, fortunately for us, several brave researchers have discovered methods to decrypt your files for free. Here are the specific decryption methods for this ransomware:
- By using the Kaspersky Xorist decryptor
- By contacting malware research experts xXToffeeXx and Fabian Wosar and sending them the sample files.