
Remove [email protected] ( Ransomware and Restore the Encrypted Files

Ciphering attacks by a new ransomware variant have been increasing lately. They seem to be linked to two email addresses known as [email protected] and [email protected]. The ransomware uses scripts that are conventional for ransomware to encode the user’s files with its modules and append a custom file extension, rendering the files corrupt. The file extension used by this crypto-malware is .73i87A, and in its ransom note the cyber-criminals offer free decryption of 2 to 3 files. Users affected by the ransomware should not pay the ransom money and should instead use the alternatives provided after this article to restore their data.

Name: [email protected]
Short Description: Encrypts the user’s files and sets a 6-digit alphanumeric file extension, after which it asks the user to contact the [email protected] e-mail address.
Symptoms: The user may see the wallpaper changed as well as a “HOW TO DECRYPT” text file on the desktop.
Distribution Method: Via various malicious URLs or spam e-mails posted online
Detection Tool: Download Malware Removal Tool, to See If Your System Has Been Affected by [email protected]
User Experience: Join our forum to discuss [email protected].

[email protected] Ransomware – Distribution

We have analyzed the single .exe file of this malware and concluded that it may land directly on the user’s PC. It may be downloaded via browser redirects caused by ad-supported applications, for example, Yes Searches Browser Hijacker. However, the most widespread method of distribution used by ransomware is via different types of spam.

One particular type is spamming malicious URLs or attachments via emails with messages that may resemble those of a website on which the user has a registration. The spam mails may feature malicious URLs and in some cases even malicious attachments, most often in the form of archived files (.rar, .zip, .7z, etc.). In addition, the ransomware may also be distributed via referral spam on websites with poor spam protection.

Unb[email protected] In Detail

Once the payload of the ransomware is dropped, it may reside in the following Windows locations:

  • %AppData%
  • %Temp%

The files dropped by the Trojan may have the following file names:

  • Setup.exe
  • Aes10.dll
  • Aes10.asm

Besides those files, the ransomware also creates the following objects in the “C:” logical partition:


Once this ransomware executable has been started, it directly begins to encrypt your files. After its payload is run, it scans for the most commonly used file types and encrypts them, adding a custom alphanumeric file extension to them. The file extensions added by this ransomware’s variants are reported on forums to be the following:

  • .73i87A
  • .P5tkjw
  • .6FKR8d

An example of an encrypted file may be New Text Document.txt.73i87A
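
A triage scan for the indicators this article lists (drop locations, dropped file names, reported extensions and the ransom-note name). It is an added example, not code from the article or from any removal tool, and the `possible-variant-extension` rule is a heuristic assumption that goes beyond the three extensions reported here:

```python
import os
import re
from pathlib import Path

# Indicators taken from the article text.
REPORTED_EXTS = {".73i87a", ".p5tkjw", ".6fkr8d"}
DROPPED_NAMES = {"setup.exe", "aes10.dll", "aes10.asm"}
RANSOM_NOTE = "how to decrypt files.txt"
# Assumption (heuristic, not from the article): other variants also append a
# 6-character suffix mixing letters and digits after the original extension.
VARIANT_RE = re.compile(
    r"^.+\.[A-Za-z0-9]{2,4}\.(?=[^.]*\d)(?=[^.]*[A-Za-z])[A-Za-z0-9]{6}$")


def classify(path, drop_dirs=()):
    """Return the indicator labels that apply to a single file path."""
    path = Path(path)
    name = path.name.lower()
    hits = []
    if path.suffix.lower() in REPORTED_EXTS:
        hits.append("reported-extension")
    elif VARIANT_RE.match(path.name):
        hits.append("possible-variant-extension")
    if name == RANSOM_NOTE:
        hits.append("ransom-note")
    # Setup.exe is a common legitimate name, so dropped-file names only count
    # when the file sits under a drop location (%AppData% or %Temp%).
    if name in DROPPED_NAMES and any(Path(d) in path.parents for d in drop_dirs):
        hits.append("dropped-payload-name")
    return hits


def scan(roots, drop_dirs=None):
    """Walk each root and return {path: [labels]} for files with a hit."""
    if drop_dirs is None:  # default to the current user's Windows locations
        drop_dirs = [os.environ[v] for v in ("APPDATA", "TEMP") if v in os.environ]
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                hits = classify(Path(dirpath) / fname, drop_dirs)
                if hits:
                    findings[str(Path(dirpath) / fname)] = hits
    return findings


if __name__ == "__main__":
    for path, labels in sorted(scan([Path.home()]).items()):
        print(f"{', '.join(labels):40} {path}")
```

A `possible-variant-extension` hit is only a lead for manual review, since legitimate files can carry a similar double extension.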

Judging by its malicious .dll module’s name, the ransomware may have encrypted the files with an advanced encryption algorithm. After ciphering the user data, the ransomware may change the victim’s wallpaper and add the “HOW TO DECRYPT FILES.txt” ransom note on the Desktop like the following:



In addition, the ransomware uses the same password for each and every file, and it may generate a custom password for every user. This password may be used in a decryptor the cyber-attackers provide to the victim to unlock their files after the ransom has been paid. The ransom amount is believed to be somewhere in the range of 50$ – 100$. When the cyber-criminals were contacted, the response was the following:


In addition to this information, we have uploaded a screenshot displaying VirusTotal’s detection results of the payload-carrying file:


Remove [email protected] ( Ransomware and Restore Your Files

The removal process for this ransomware is rather simple. In fact, all you need to do is have advanced anti-malware software and follow the step-by-step instructions below to delete it.

Regarding the file decryption process, a user on YouTube called MC NORRIS has posted a video of the decryption process once the ransom money has been paid:

We strongly advise you NOT TO PAY the ransom money since, fortunately for us, several brave researchers have discovered methods to decrypt your files for free. Here are the specific decryption methods for this ransomware:

Removal Instructions for [email protected] Ransomware

1. Boot Your PC In Safe Mode to isolate and remove [email protected]
2. Remove [email protected] with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by [email protected] in the future
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the [email protected] threat: Manual removal of [email protected] requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
