.snake .TGIF File Virus (Remove + Restore Data)


A new ransomware sample has been discovered by security researchers. It has been named SnakeLocker and appears to be still in development. The threat is associated with two malicious extensions, .snake and .TGIF, which it appends to the files it corrupts. The .snake .TGIF file virus aims to encrypt valuable data stored on the infected PC and then blackmail victims into paying a 0.1 BTC ransom for the decryption key. Once the encryption process finishes, it displays a ransom message on the PC screen. The note is stored in the file INSTRUCTIONS-README.html and urges victims to pay the ransom.

This article was created to help infected users remove SnakeLocker ransomware. In the detailed instructions below you can also find .snake .TGIF file recovery tips.

Threat Summary

Name: .snake .TGIF
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer, renames them with the .snake or .TGIF file extension and demands a 0.1 BTC ransom for the decryption.
Symptoms: Displays a ransom note on the PC screen; corrupts files so they may no longer be openable.
Distribution Method: Spam Emails, Email Attachments, Executable files

Distribution of .snake .TGIF File Virus

The .snake .TGIF file virus authors use various delivery techniques, and spam emails with malicious attachments appear to be the preferred one. Infected attachments can trick users into opening them and thereby infect their systems with SnakeLocker ransomware. Another distribution channel is suspicious links that lead to web pages with malicious code injected into them. Such links can be presented in spam emails, on social media channels and in corrupted online advertisements.

Insight Into .snake .TGIF File Virus

The infection process starts when the ransomware executes its payload on the system. The SnakeLocker ransomware is named after the malicious executable that triggers the infection, SnakeLocker.exe, and appears to be coded in Python. The threat is also dubbed the .snake or .TGIF file virus because SnakeLocker appends one of these two extensions to every corrupted file.
First, the .snake .TGIF file virus modifies system settings, writes new malicious files and terminates various processes in order to complete the attack. Files associated with the threat may be located in the following folders:

  • %Temp%
  • %Windows%
  • %AppData%
  • %Roaming%
  • %User’s Profile%

Using its malicious files, SnakeLocker ransomware is likely to modify the Windows registry and create new values in keys such as Run and RunOnce:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The values in these keys determine which programs start automatically whenever Windows boots, so the ransomware uses them to run itself each time the user starts the PC. Specific values that trigger the sudden display of its ransom note are also created in these keys. The ransom note is a file called INSTRUCTIONS-README.html that displays the following crafted message:

Your files have been locked!
Your files have been securely encrypted with a top notch, extremely secure encryption algorithm. The only way you can get these files back is to pay a ransom of 0.1 Bitcoins.
To proceed to the next step in this process, download the Tor Browser Bundle here. Open the Tor Browser bundle and proceed to the following link:
****************.onion/decrypt.php
This link will give you payment instructions.
Don’t know how to get Bitcoins? No problem. You can buy bitcoins at any of the following websites:
1. https://localbitcoins.com/ (cash)
2. https://buy.bitcoin.com/ (credit card)
3. https://www.coinbase.com/ (bank transfer, credit card)
For more options on purchasing bitcoins, see this article.


It is clear that the hackers demand a ransom of 0.1 bitcoins, which at the time of writing equals $276 US Dollars, to be transferred to a payment address that can only be accessed through the Tor browser. Beware that security researchers reported SnakeLocker ransomware to be still in development, which means that its code may be broken. There is therefore a chance that the decryption key is lost or defective and will not work for decrypting .snake and .TGIF files.

Additionally, the .snake .TGIF file virus is believed to run the following command:

→ vssadmin delete shadows /for={volume} [/oldest | /all | /shadow={ID of the Shadow}] [/quiet]

This command deletes the Shadow Volume Copies created and stored by Windows. Without them, .snake and .TGIF files cannot be recovered via the Shadow Explorer software or the Windows System Restore option.
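As an added example that is not part of the original article, the following Python snippet shows how a defender could flag the two behaviours described above, an autostart value written under a Run/RunOnce key and vssadmin deleting shadow copies, in Sysmon-style process-creation and registry events. The event records, field names and file paths are constructed for the demo.

```python
"""Flag two SnakeLocker behaviours in Sysmon-style event records:
(1) an autostart value written under a Run/RunOnce key and
(2) vssadmin being used to delete Volume Shadow Copies. Events are constructed."""
import re
import shlex

# Autostart keys listed in the article, matched case-insensitively.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE)

# Constructed samples: id 1 = process create, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\victim\AppData\Roaming\SnakeLocker.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SnakeLocker",
     "details": r"C:\Users\victim\AppData\Roaming\SnakeLocker.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=C: /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                      # benign admin use
    {"id": 13, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vendor",
     "details": "1.2.3"},                                      # not an autostart key
]

def is_shadow_deletion(cmdline: str) -> bool:
    """True for 'vssadmin delete shadows ...' whatever the option order or case."""
    try:
        argv = [a.lower() for a in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes: treat as not matching
        return False
    if len(argv) < 3:
        return False
    exe = argv[0].rsplit("\\", 1)[-1].strip('"')
    return exe in ("vssadmin", "vssadmin.exe") and argv[1:3] == ["delete", "shadows"]

def is_autostart_write(target: str) -> bool:
    """True when the registry target sits directly under a Run or RunOnce key."""
    return RUN_KEY_RE.search(target) is not None

def find_alerts(events):
    """Return (rule, image) pairs for events matching either behaviour."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and is_shadow_deletion(ev.get("cmdline", "")):
            alerts.append(("shadow_copy_deletion", ev["image"]))
        elif ev["id"] == 13 and is_autostart_write(ev.get("target", "")):
            alerts.append(("run_key_persistence", ev["image"]))
    return alerts
```

Legitimate software also writes Run keys, so the autostart rule is a triage signal to be combined with the image path (the %AppData% and %Temp% locations named above are the suspicious ones), while a shadow-copy deletion outside a scheduled backup job is worth an alert on its own.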

Data Encryption Process

Encryption of valuable user data stored on the infected host is the primary goal of SnakeLocker ransomware; only after making files unusable can it extort the ransom payment. Analysis of its samples reveals that it is likely to search for and encrypt all files that have one of the following extensions:

→.php, .asp, .txt, .jsp, .avi, .flv, .htm, .js, .eot, .file, .pdf, .mkv, .mov, .mp4, .mpg, .mpeg, .jpg, .swf, .vob, .wmv, .doc, .docx, .docm, .xls, .xlsx, .png, .locky, mid, .wma, .asf, .vob, .fla, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .PAQ, .tar.bz2, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .PPT, .stw, .sxw, .ott, .odt, .pem, .csr, .key, .asc, .wallet.dat, default.wallet, .default_wallet

The ransomware is believed to encrypt files with a combination of the strong RSA and AES cipher algorithms. SnakeLocker ransomware has two variants: the first renames all corrupted files with the malicious extension .snake, while the second uses the .TGIF extension. An unusual trait of the .snake .TGIF file virus is that it also encrypts files stored in Windows folders that hold essential system files. Ransomware authors usually avoid those folders, as corrupting certain system files can break the whole system.
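Before attempting any of the recovery approaches below, it helps to know exactly which files were renamed and what they originally were. The following Python script, added here as an example and not part of the original article, inventories a directory tree for files carrying the .snake or .TGIF extension, recovers each file's original extension (including multi-part names such as .tar.bz2) and records where INSTRUCTIONS-README.html was dropped; the victim tree it walks is constructed in a temporary directory for the demo.

```python
"""Inventory a tree hit by SnakeLocker: which files were renamed with .snake
or .TGIF, the original extension each had, and where the ransom note was
dropped. The victim tree is constructed in a temp directory for the demo."""
import os
import tempfile
from collections import Counter

MALICIOUS_EXTS = (".snake", ".tgif")      # compared case-insensitively
RANSOM_NOTE = "INSTRUCTIONS-README.html"

def split_encrypted_name(filename: str):
    """Return (original_name, appended_ext) for a renamed file, else None.
    Multi-part names such as archive.tar.bz2.snake keep their full original."""
    lower = filename.lower()
    for ext in MALICIOUS_EXTS:
        if lower.endswith(ext) and len(filename) > len(ext):
            return filename[:-len(ext)], filename[-len(ext):]
    return None

def triage(root: str) -> dict:
    """Walk root and summarise the damage before any recovery attempt."""
    per_ext = Counter()        # original extension -> number of encrypted files
    encrypted = []             # full paths, for the backup-before-recovery step
    note_dirs = []             # directories where the ransom note was dropped
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            hit = split_encrypted_name(name)
            if hit is None:
                continue
            original, _appended = hit
            encrypted.append(os.path.join(dirpath, name))
            per_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return {"encrypted": sorted(encrypted),
            "by_original_ext": dict(per_ext),
            "note_dirs": sorted(note_dirs)}

def build_sample_tree() -> str:
    """Create a constructed victim tree and return its root path."""
    root = tempfile.mkdtemp(prefix="snakelocker_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/report.docx.snake", "Documents/budget.xlsx.TGIF",
                "Documents/archive.tar.bz2.snake", "Documents/readme.txt",
                "Documents/" + RANSOM_NOTE, "photo.jpg.snake", "notes.tgif"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"\x00" * 16)   # content is irrelevant to the inventory
    return root
```

Run triage against the real volume only after the ransomware has been removed, and copy the paths it lists to separate media before trying any recovery tool.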

Remove SnakeLocker Ransomware and Restore .snake .TGIF Files

To sum up, ransomware infections like SnakeLocker are among the most devastating malware threats today. For the sake of PC and personal data security, the threat should be removed as soon as possible. Only after all malicious files and objects associated with the ransomware have been eliminated should the alternative data recovery approaches in the guide below be tried. Choose your way to remove the threat, back up all encrypted files, and then attempt the .snake and .TGIF file recovery.


To remove .snake .TGIF follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .snake .TGIF files and objects
2. Find files created by .snake .TGIF on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .snake .TGIF
Gergana Ivanova