.snake .TGIF File Virus (Remove + Restore Data)

.snake .TGIF File Virus (Remove + Restore Data)

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

.snake .TGIF file virus-snakelocker-ransomware-ransom-note-sensorstechforum

New ransomware sample has been discovered by security researchers. It is given the name SnakeLocker and appears to be in development. The threat is associated with two malicious extensions .snake and .TGIF that rename corrupted files. The .snake .TGIF file virus aims to encrypt valuable data stored on the infected PC and then blackmail victims into paying 0.1 BTC ransom for the data decryption key. Once the threat finishes the encryption process, it displays a ransom message on the PC screen. The note is stored in the file INSTRUCTIONS-README.html and urges victims to pay the ransom.

This article is created to help infected users with the SnakeLocker ransomware removal. In the detailed instructions below you can also find .snake .TGIF file recovery tips.

Threat Summary

Name.snake .TGIF
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on your computer, renames them with .snake or .TGIF file extension and demands 0.1 BTC ransom for the decryption.
SymptomsDisplays a ransom note on the PC screen, corrupts files so they may no longer be openable.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .snake .TGIF


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .snake .TGIF.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Distribution of .snake .TGIF File Virus

The .snake .TGIF file virus authors use various delivery techniques, and spam emails with malicious attachments appear to be a preferred one. Infected file attachments can trick users into opening them and infect their systems with SnakeLocker ransomware. Another way of distribution is suspicious links that lead to web pages with injected malware into their code. Such web links can be presented in spam emails, on social media channels and corrupted online advertisements.

Insight Into .snake .TGIF File Virus

The infection process starts when the ransomware executes its payload on the system. The SnakeLocker ransomware is named after the malicious executable file that triggers the infection process – SnakeLocker.exe and appears to be coded in Python. The threat is also dubbed .snake or .TGIF file virus because SnakeLocker appends one of these two file extensions to all corrupted files.
Firstly, the .snake .TGIF file virus modifies system settings, writes new malicious files and terminates different processes in order to complete the attack. Some files associated with the threat may be situated in the following folders:

  • %Temp%
  • %Windows%
  • %AppData%
  • %Roaming%
  • %User’s Profile%

By using its malicious files SnakeLocker ransomware is likely to touch Windows registry and creates new values in certain keys like Run and RunOnce.

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The values in these keys determine which processes should start automatically whenever the Windows OS. So the ransomware uses them in order to enable its execution each time the user starts the PC. Specific values that support the sudden onset of its ransom note are also created in these keys. The ransom note is a file called INSTRUCTIONS-README.html that depicts the following crafted message:

Your files have been locked!
Your files have been securely encrypted with a top notch, extremely secure encryption algorithm. The only way you can get these files back is to pay a ransom of 0.1 Bitcoins.
To proceed to the next step in this process, download the Tor Browser Bundle here. Open the Tor Browser bundle and proceed to the following link:
This link will give you payment instructions.
Don’t know how to get Bitcoins? No problem. You can buy bitcoins at any of the following websites:
1. https://localbitcoins.com/ (cash)
2. https://buy.bitcoin.com/ (credit card)
3. https://www.coinbase.com/ (bank transfer, credit card)
For more options on purchasing bitcoins, see this article.

.snake .TGIF file virus-snakelocker-ransomware-ransom-note-sensorstechforum

It becomes clear that hackers demand a ransom of 0.1 bitcoins which at this point equals to $276 US Dollars to be transferred to their payment address which can only be accessed through Tor browser. Beware that security researchers reported that SnakeLocker ransomware is in development which means that its code may be broken. Thus there is a chance that the decryption key is lost or broken and won’t work for .snake and .TGIF files decryption.

Additionaly, the .snake .TGIF file virus is believed to cause running the command line:

→Vssadmin delete shadows/for={volume}/oldest/all/shadow={ID of the Shadow}/quiet

This command deletes all Shadow Volume Copies created and stored by the Windows. Due to their lack .snake and .TGIF files cannot be recovered via Shadow Explorer software or Windows System Restore option.

Data Encryption Process

Encryption of valuable user data stored on the infected host is the primary goal of SnakeLocker ransomware. Only after making files unusable it is able to extort the ransom payment. Analyses of its samples reveal that it is likely to search for and encrypt all files that have one of the following file extensions:

→.php, .asp, .txt, .jsp, .avi, .flv, .htm, .js, .eot, .file, .pdf, .mkv, .mov, .mp4, .mpg, .mpeg, .jpg, .swf, .vob, .wmv, .doc, .docx, .docm, .xls, .xlsx, .png, .locky, mid, .wma, .asf, .vob, .fla, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .PAQ, .tar.bz2, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .PPT, .stw, .sxw, .ott, .odt, .pem, .csr, .key, .asc, .wallet.dat, default.wallet, .default_wallet

The ransomware is believed to encrypt files via combination of the strong RSA and AES cipher algorithms. SnakeLocker ransomware has two variants. The first one renames all corrupted files with the malicious extension .snake while the second uses the .TGIF file extension. An unusual strain of .snake .TGIF file virus is that is encrypts files stored in Windows folders that store essential system files. Usually, ransomware authors avoid targeting those folders as corruption of certain system files can break the whole system.

Remove SnakeLocker Ransomware and Restore .snake .TGIF Files

To sum up, ransomware infections like SnakeLocker are among the most devastating malware threats these days. For the sake of PC and personal data security, its removal should be performed as soon as possible. Only after the complete elimination of all malicious files and objects associated with the ransomware some of the alternative data recovery approaches mentioned in the guide below are to be tried. Choose your way to remove the threat, back up all encrypted files and have a go with the .snake and .TGIF files recovery.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share