SkyFile Virus – How to Remove It and Restore .sky Files

SkyFile Virus – How to Remove It and Restore .sky Files

The SkyFile virus is a new test version malware that is actively being spread towards computer users worldwide. A preliminary code analysis does not reveal a correlation with any of the famous malware engines. The affected files are renamed with the .sky extension. Our in-depth removal guide shows how victims can remove any active infections.

Threat Summary

Short DescriptionThe SkyFile virus is a malware that encrypts the target data with .sky.
SymptomsThe victims will find that their files are encrypted with the .sky.
Distribution MethodSpam Emails, File Sharing Networks, Exploit Kits
Detection Tool See If Your System Has Been Affected by SkyFile


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss SkyFile.

SkyFile virus – Infection Spread

The SkyFile virus can be distributed onto target users using various methods. One of the main ones is the use of spam messages that rely on social engineering tactics. They are frequently made with stolen graphics and text taken from legitimate sites in order to confuse the victims. The criminal controllers can hyperlink the malware files into the message contents. When the victims click on the respective links they will be forwarded to a hacker-controlled site where the strains are hosted. The other option is to directly attach the malware files directly to the emails.

In other cases the criminals can opt to use payloads that contain the SkyFile virus in themselves and the infections are caused due to victim interaction. A common method is to integrate the SkyFile virus into software installers. The criminals usually target popular software such as computer games, system utilities and creative suites. The malware is automatically deployed when the relevant app is installed. The other method relies on documents, in this case the hacker operators can choose various types of files: presentations, rich text documents and spreadsheets. When they are opened a notification prompt appears which asks the users to enable the built-in macros (scripts). When this is done the virus payload is automatically deployed to their machines.

Another strategy would be to take advantage of browser hijackers also known as browser redirects. They are malware plugins that are made for the most popular web browsers (Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, Internet Explorer and Opera). The criminals often upload them to the official plugin repositories using counterfeit credentials, user reviews and elaborate descriptions. As soon as they are installed the users will find that the respective browsers will be changed to a hacker-designated page. Various system changes can be made, as well as other viruses deployed to the infected machine.

The virus files can be deployed using other methods including various forms of web scripts. They can take the form of web banners, pop-ups and ads.

SkyFile virus – Technical Data

According to the initial security analysis the SkyFile virus does not belong to any of the famous malware families. This means that the hacker or criminal group behind it have been probably made it themselves. Another possibility is that it is a still unknown customized version of a malware downloaded or bought from the underground hacker markets.

As the ongoing attack campaigns at the moment target a small selection of potential victims, the security analysts believe that this may be a test version. Further updates to its code may allow for a much more dangerous strain.

The threat can be configured to begin the infection process by launching an information gathering module. It is programmed to harvest sensitive content from the victim computers. An example is private data that can be used to expose the victims identity. its engine scans for strings related to their names, addresses, phone numbers, interests, location, passwordsa and account credentials. The other type of information is referred to as anonymous metrics and they are primarily used for statistical purposes. Such strings are composed of operating system configuration settings, certain system values and a list of the available hardware components.

The next step would be to launch a stealth protection component that can prevent certain system and secutity solutions from preventing the SkyFile virus from operating correctly. The standard behavior is to look for signatures for anti-virus products, sandbox and debug environments, as well as virtual machine hosts. In certain cases if the SkyFile virus is not able to bypass the security measures it can remove itself to avoid detection.

The hackers have embedded the possibility core to institute system changes. They depend upon the current attack campaign and may include both Windows Registry and boot options. Changes to the operating system registry can result in poor system performance, application and system services issues and other problems. The SkyFile virus engine can also be programmed to delete the Shadow Volume Copies of potential victim data. This makes it very hard to restore the files without the use of a quality data recovery application. You can refer to our instructions in the removal steps on how to do this. Modified boot options effectively remove the possibility to enter the startup recovery menu.

A network connection to the hacker operators can also be instituted. In such cases the hackers can use it to deploy additional malware to the infected machines. Another possibility would be to remotely take over control of the affected systems, as well as spy on the victims in real time.

SkyFile virus — Encryption Process

Once all malware components have completed execution the respective ransomware module is launched. It uses a strong cipher in order to affect the target files. Like other similar threats it uses a built-in list of target file type extensions, typically acting against the following data:

  • Archives
  • Documents
  • Music
  • Images
  • Videos
  • Databases
  • Backups

All encrypted files are renamed with the .sky extension. A randomly-named executuable is crafted by the engine which launches an application that is designed to look like a typical lockscreen. It is titled “SkyFile Decryptor | ZeuS CitadeL” and reads the following message:

Oops, your files has been encrypted. Such as: photos, videos, documents, etc. To decrypt your files, read HOW TO DECRYPT.txt

Remove SkyFile virus and Restore Your Files

If your computer got compromised and is infected with the SkyFile ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share