.serpent File Virus (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

This article is made to demonstrate how to remove Serpent 2017 Danish ransomware infection and try to restore files encrypted with AES-256 and RSA-2048 that have the .serpent file extension.

A ransomware virus has been created and released into the wild. The malware is named Serpent and, when it infects a computer, it encrypts a very wide variety of file types with strong encryption, generating unique keys that are needed to decrypt the files. After infection, Serpent ransomware also drops ransom notes in .txt and .html files that ask users to pay a ransom to get the files back. In case you are one of the victims of Serpent ransomware, we urge you not to pay any ransom fee and to focus on removing the virus and restoring your files. Keep reading this article to find out how to perform the removal and what your options are regarding the encrypted files.

Threat Summary

Name: Serpent
Type: Ransomware
Short Description: The virus encrypts files on the compromised computer and leaves a web link with instructions to pay in Bitcoin to get the files back.
Symptoms: The victim may not be able to open the files. The .serpent file extension is appended to them. Ransom notes are dropped in .html and .txt file formats.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Is Serpent Ransomware Spread

This virus may use a variety of techniques to ensure a successful infection. One of those methods is to run massive spam campaigns. Since this is achievable only through a combination of pre-written e-mails and spamming tools, there are many e-mail spam kits out there that provide:

  • Pre-configured e-mail messages.
  • Pre-configured spam list.
  • A list of disposable e-mail accounts.
  • Spamming servers.

These “solutions” allow cyber-criminals, like the ones behind Serpent, to send spam on a massive scale, depending on their resources.

Serpent Ransomware – Post-Infection Activity

Once a user opens such a spam e-mail, the infection takes place. For starters, Serpent ransomware drops multiple files on the compromised computer:

  • software.exe
  • {random ID}.exe
  • %Temp%\puttyx86.exe
  • %Roaming%\{random folder name}\{random file name}.exe
  • %Startup%\{random vbs executable}.vbs

In addition, the Serpent virus establishes connections with multiple third-party hosts. Some of those are reported to be associated with the download of malicious executables and fake documents. Many of the hosts are also TOR-based. One of them is the IP address discovered distributing the malicious executable – 185.163.46.150.

For the file encryption, the Serpent virus is preconfigured to target more than 150 file types, specifically:

→ .2011, .2012, .2013, .2014, .2015, .2016, .2017, .3dm, .7zip, .accd, .accdb, .accde, .accdr, .accdt, .aepx, .agdl, .aiff, .aspx, .back, .backup, .backupdb, .bank, .blend, .btif, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cfdi, .clas, .class, .cntk, .config, .craw, .db-journal, .db_journal, .ddoc, .ddrw, .defx, .design, .djvu, .docb, .docm, .docx, .dotm, .dotx, .dtau, .efsl, .erbsql, .fcpa, .fcpr, .flac, .flvv, .gray, .grey, .groups, .html, .iban, .ibank, .idml, .incpas, .indb, .indd, .indl, .indt, .int?, .intu, .java, .jpeg, .jsda, .kdbx, .kpdx, .laccdb, .lay6, .m2ts, .m3u8, .mbsb, .meta, .mhtm, .mone, .moneywell, .mpeg, .ms11, .myox, .nvram, .pages, .pcif, .php5, .phtml, .plus_muhd, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .pptx, .prel, .prpr, .psafe3, .pspimage, .ptdb, .qb20, .qbmb, .qbmd, .qcow, .qcow2, .qdfx, .qmtf, .quic, .qwmo, .resx, .s3db, .safe, .sas7bdat, .save, .seam, .sldm, .sldx, .sqli, .sqlite, .sqlitedb, .tax0, .tax1, .tax2, .text, .tiff, .tt10, .tt11, .tt12, .tt13, .tt14, .tt15, .tt20, .vbox, .vbpf, .vhdx, .vmdk, .vmsd, .vmxf, .wallet, .xhtm, .xlam, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .ycbcra, .zipx

For the encryption process, Serpent ransomware uses AES-256 for the files and combines it with the RSA cipher to encrypt the AES key, so that a unique key is generated for each file. Without the attackers' private RSA key, decrypting the files is practically impossible. The encrypted files receive the .serpent file extension.

After the encryption process has completed, the ransomware drops two ransom note files, named:

  • HOW_TO_DECRYPT_YOUR_FILES_{random}.txt
  • HOW_TO_DECRYPT_YOUR_FILES_{random}.html

Both files contain the same ransom note:

→ ==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====
================ PLEASE READ THIS MESSAGE CAREFULLY ================
Your documents, photos, videos, databases and other important files have been encrypted!
The files have been encrypted using AES256 and RSA2048 encryption (unbreakable)
To decrypt your files you need to buy the special software ‘Serpent Decrypter’.
You can buy this software on one of the websites below.
xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000
xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000
If the websites above do not work you can use a special website on the TOR network. Follow the steps below
1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads
2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000
3. Follow the instructions to buy ‘Serpent Decrypter’
================ PLEASE READ THIS MESSAGE CAREFULLY ================
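The indicators above (the appended .serpent extension and the HOW_TO_DECRYPT_YOUR_FILES_{random} note names) can be turned into a quick triage scan. The script below is an added example, not code from the original article: it walks a directory tree, lists the encrypted files, recovers the original extension from names like invoice.docx.serpent, and locates the ransom notes. The sample directory it builds is constructed for the demonstration.

```python
"""Triage scan for the Serpent indicators described above (added example,
not from the original article). Flags .serpent files, recovers the original
extension where the name still carries it, and finds the dropped notes."""
import os
import re
import tempfile
from collections import Counter

# Ransom note names as reported in the article; {random} is matched loosely.
NOTE_RE = re.compile(r"^HOW_TO_DECRYPT_YOUR_FILES_[^.]+\.(txt|html)$", re.IGNORECASE)
ENCRYPTED_EXT = ".serpent"


def scan_tree(root):
    """Return (encrypted_file_paths, ransom_note_paths, Counter of original extensions)."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # "invoice.docx.serpent" -> original extension ".docx"
                stem = name[: -len(ENCRYPTED_EXT)]
                orig_ext = os.path.splitext(stem)[1].lower() or "(none)"
                by_ext[orig_ext] += 1
            elif NOTE_RE.match(name):
                notes.append(path)
    return encrypted, notes, by_ext


def build_sample_tree():
    """Constructed throwaway directory that mimics an infected user profile."""
    root = tempfile.mkdtemp(prefix="serpent_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("invoice.docx.serpent", "photos.jpeg.serpent", "notes.txt",
                 "HOW_TO_DECRYPT_YOUR_FILES_a1b2c3.txt",
                 "HOW_TO_DECRYPT_YOUR_FILES_a1b2c3.html"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    enc, ransom_notes, counts = scan_tree(sample_root)
    print(f"{len(enc)} encrypted files, {len(ransom_notes)} ransom notes")
    for ext, n in counts.most_common():
        print(f"  {ext}: {n}")
```

Point scan_tree at a user profile or backup mount to get an inventory of what was hit before attempting any recovery.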

Malware researchers strongly advise against trusting the ones behind this ransomware infection and paying the ransom. Instead, recommendations are to remove it immediately.

Remove Serpent Ransomware and Restore .serpent Encrypted Files

For the removal of Serpent ransomware, a good practice is to follow the instructions below. They will help you isolate the virus, after which you can choose whether to look for each setting and file manually or, if you do not have the experience, to perform the removal automatically (recommended).

After removing Serpent ransomware from your computer, it is time to think about the encrypted files. To restore files encoded by Serpent on your computer, we advise checking out the alternative file recovery methods in step “2. Restore files encrypted by Serpent” below.

Manually delete Serpent from your computer

Note! Important notice about the Serpent threat: manual removal of Serpent requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Serpent files and objects
2. Find malicious files created by Serpent on your PC

Automatically remove Serpent by downloading an advanced anti-malware program

1. Remove Serpent with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Serpent
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

1 Comment

  1. duchs

    Unbelievable to say, but using a malware remover is not going to help you; editing the registry in safe mode, forget it, and I could go on like this. Unfortunately, formatting your HDD is then what's left for you.
