SHINIGAMI LOCKER – Remove It and Restore .shinigami Files - How to, Technology and PC Security Forum | SensorsTechForum.com

This article aims to show you how to remove SHINIGAMI LOCKER from your computer and how to restore .shinigami encrypted files.

A new ransomware named Shinigami (Japanese for “God of Death”) has recently been identified infecting users. The virus encrypts the files on the computers it infects, then renames them and adds the .shinigami file extension to them. It also changes the wallpaper to a ransom note containing full instructions on how to pay around $50 in BitCoins as a ransom to restore the files encrypted by this virus. If you are one of the victims of SHINIGAMI LOCKER ransomware, we strongly suggest that you read this article to learn how to remove this virus and try to get your files back without having to pay the ransom.

Threat Summary

Name: SHINIGAMI LOCKER
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on compromised computers, then demands a $50 ransom payoff in BitCoin from victims in return for their files.
Symptoms: The ransomware virus adds the .shinigami file extension to the encrypted files, then changes the wallpaper to the ransom note.
Distribution Method: Spam Emails, Email Attachments, Executable files

How Does SHINIGAMI LOCKER Infect

SHINIGAMI LOCKER infects computers via multiple different methods. The primary one is spammed e-mail messages.

Such e-mails usually carry a malicious attachment, which may be one of the following file types:

.doc, .docx, .exe, .pdf, .vbs, .cmd, .bat, .tmp, .js, .wsf

If the files are documents, like .docx or .pdf files, for example, they may contain malicious macros and prompt you to click on the “Enable Content” button within them in order to initiate the infection process.

SHINIGAMI LOCKER – Analysis

Created in Visual Studio 2017 by a hacker with the nickname narzull, SHINIGAMI LOCKER is a ransomware virus of the file-encrypting kind. The threat’s primary purpose is to extort BitCoins from you in return for your files. And it does not joke about it either. Upon infection, the malicious files of SHINIGAMI LOCKER are dropped in several different Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roam

After this has been done, the ransomware may begin its malicious activity. For starters, the virus may make various modifications to your computer system, including modifying entries in the Windows Registry. The Windows Registry keys primarily attacked by SHINIGAMI LOCKER are believed to be the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In those sub-keys the ransomware may create value strings whose data points to the actual location of the malicious files belonging to SHINIGAMI LOCKER.
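One way to review those sub-keys, as an added example that is not part of the original article: the script below parses text saved from `reg query` for the four keys listed above and reports autorun values whose executable sits in a per-user AppData folder. The function names and the sample output are constructed for illustration; legitimate per-user software also starts from these folders, so every hit is a review candidate rather than a verdict.

```python
import re

# The four autorun keys named in the article, lower-cased for comparison.
AUTORUN_KEYS = {
    f"{hive}\\software\\microsoft\\windows\\currentversion\\{leaf}"
    for hive in ("hkey_local_machine", "hkey_current_user")
    for leaf in ("run", "runonce")
}
# Per-user, user-writable locations (AppData\Roaming, \Local, \LocalLow).
USER_WRITABLE = re.compile(
    r"\\appdata\\(roaming|local|locallow)\\|%(appdata|localappdata)%", re.I)
# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query` output (not taken from an infected machine).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Sync Tool    REG_SZ    "C:\Program Files\SyncTool\sync.exe" --profile C:\Users\alice\AppData\Roaming\SyncTool
    updater    REG_SZ    C:\Users\alice\AppData\Roaming\constructed-sample.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    cleanup    REG_EXPAND_SZ    %LOCALAPPDATA%\Temp\x.exe
"""

def target_path(data):
    """Return only the program path, so arguments that mention AppData are ignored."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs|js|wsf|scr|dll))(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

def audit(reg_query_output):
    """Return (key, value name, program path) for autoruns in user-writable folders."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and key.lower() in AUTORUN_KEYS:
            path = target_path(m["data"])
            if USER_WRITABLE.search(path):
                findings.append((key, m["name"], path))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY):
        print(finding)
```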

Other activity related to SHINIGAMI LOCKER is primarily connected with the virus deleting the shadow volume copies on your computer system. This activity is the primary one responsible for eliminating any chance of restoring a backup on your computer. It is achieved by executing the following commands without you noticing:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
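Detection logic for the command line above, as an added example that is not part of the original article: it scans process-creation log lines for the three actions the command performs and rates the chained form as high severity. The tab-separated log format, host names and function names are assumptions, and the sample lines are constructed.

```python
import re

# One rule per action in the command line quoted above.
RULES = {
    "shadow_copy_delete": r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    "recovery_disabled": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    "boot_failures_ignored": r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
}
RULES = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

# Constructed sample: timestamp <TAB> host <TAB> process command line.
SAMPLE_LOG = (
    "2018-01-10T09:14:02Z\tWS-041\tC:\\Windows\\System32\\vssadmin.exe list shadows\n"
    "2018-01-10T09:15:40Z\tWS-041\tcmd.exe /c vssadmin.exe delete shadows /all /quiet"
    " & bcdedit.exe /set {default} recoveryenabled no"
    " & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\n"
    "2018-01-10T09:20:11Z\tSRV-02\tcmd.exe /c v^ssadmin DELETE  Shadows /for=C: /oldest\n"
)


def classify(cmdline):
    """Return the set of rule names matched by one command line."""
    # Carets are cmd.exe escape characters and quotes are dropped during argument
    # parsing; strip both so simple obfuscation does not break matching.
    normalized = cmdline.replace("^", "").replace('"', "")
    hits = set()
    # Check each '&'-chained sub-command on its own to avoid cross-command matches.
    for part in re.split(r"&+", normalized):
        hits.update(name for name, rx in RULES.items() if rx.search(part))
    return hits


def scan(log_text):
    """Return (host, severity, matched rules) for every suspicious log line."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t", 2)
        if len(fields) != 3:
            continue  # skip malformed lines
        _, host, cmdline = fields
        hits = classify(cmdline)
        if hits:
            # Shadow-copy deletion plus a boot-recovery change is the chain described above.
            severity = "high" if "shadow_copy_delete" in hits and len(hits) > 1 else "medium"
            alerts.append((host, severity, sorted(hits)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A lone shadow-copy deletion is rated medium because administrators occasionally prune old snapshots by hand.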

After this has been done, the ransomware virus may change the wallpaper of the computers infected by it to the SHINIGAMI LOCKER ransom note.

Text from the wallpaper:

SHINIGAMI LOCKER
YOU HAVE BEEN HACKED
YOUR FILES WERE ENCRYPTED
GET RID OF THIS IN FEW STEPS
STEP1 GO TO https://localbitcoins.com/
STEP2 PAY THE EXACT AMOUNT
REQUEST DELOW. MAKE SURE YOU PAY IT TO THE CORRECT ADDRESS
STEP 3 WAIT UNTIL THE PAYMENTIS CONFIRMED AND ENJOY YOUR PC

YOU NEED TO PAY BITCOIN WORTH 50$!
ANY ATTEMT ON CLOSING OR DELETING THIS SOFTWARE WILL DAMAGE YOUR PC

AMMOUNT: 50 $ ~ 0.01816 BTC BITCOIN WALLET FOR PAYMENT 1MBPSrn46eEVBHoypyjgfdCCf5DQxQsx3f

SHINIGAMI LOCKER – Encryption Process

To encipher the files on the computers it has attacked, SHINIGAMI LOCKER ransomware uses the DES encryption algorithm. It is neither the newest nor the strongest encryption algorithm, but it is enough to render your encrypted files impossible to open, and if it is properly configured their decryption may be next to impossible. SHINIGAMI LOCKER may target files that have the following file types:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com

After it encrypts those files, SHINIGAMI LOCKER renames them and adds its distinctive file extension .shinigami, so that they are no longer recognizable.

Remove SHINIGAMI LOCKER and Restore .shinigami Encrypted Files

If you want to remove this ransomware infection, we would advise isolating SHINIGAMI LOCKER and then removing it via either the manual or automatic removal methods which we have explained step-by-step below. According to malware researchers, the best way to deal with ransomware viruses that heavily modify Windows, like SHINIGAMI LOCKER, is to use an advanced anti-malware tool that will ensure the removal of all files related to this cyber-threat automatically. Having such a tool will also ensure that your computer is protected against future threats.

If you want to restore files that have been encrypted by this ransomware virus, we would strongly suggest following the alternative methods which we have suggested in step “3. Restore files encrypted by SHINIGAMI LOCKER” below. They are specifically designed to help you restore as many files as you can without having to pay the ransom. They may not be 100% effective, but you may get your important files back by using them. Also, we always recommend that you perform a backup of your encrypted files before following those methods.


Manually delete SHINIGAMI LOCKER from your Mac

1. Uninstall SHINIGAMI LOCKER and remove related files and objects
2. Remove SHINIGAMI LOCKER – related extensions from your Mac’s browsers


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
