A ransomware virus, named Teamo has been reported to encrypt the files on the infected computers and set a ransom note stating the files on the computer have been encrypted in Spanish. The virus, also calling itself Zika wants victims to contact the questionable Zika in order to restore files by paying a hefty ransom fee. If your computer has been infected by this ransomware infection, recommendations are to immediately remove it and restore files encrypted with .teamo extension by using the information in this article.
|Name||.Teamo files virus|
|Short Description||Aims to encrypt the files on the computers it infects , making them unopenable and then ask victims to pay a hefty ransom fee to have their files recovered.|
|Symptoms||Files are encrypted with the .teamo file extension and the wallpaper is changed with the ransom note.|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
|Detection Tool|| See If Your System Has Been Affected by .Teamo files virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss .Teamo files virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Teamo Ransomware – Infection Methods
The Teamo ransomware virus may use a malicious script to cause an infection. It may be embedded in an executable type of file or in a document via malicious macros. Either way, the file is sent to victims via e-mail and it’s end goal is to get them to download and open it. The e-mails may conceal the actual file and make it resemble a legitimate document, such as:
- Banking statement.
- Order information.
The attachment may either be uploaded In a .ZIP or .RAR archive or may be uploaded in an online file sharing site, such as Dropbox or others. It is often accompanied by a deceitful message, that seems legitimate, for example:
Teamo Ransomware – How Does It Work
Teamo ransomware is a virus created by someone with the nickname Zika. The malware is believed to be an EDA2 ransomware variant, since it’s main executable has the same name.
When an infection with Teamo ransomware takes place, the virus aims to perform various activities on your computer, starting with connecting to the command and control server to download it’s payload on the computer of the victim. It consists of the following files:
- It’s main executable, named eda2.exe.
- A randomly named .exe file.
- It’s ransom note image.
The ransom note image has a ransom note demanding victims to contact Zika for payment. It is shown on the image below:
Text from image:
Tus Archivos Has Sido Encryptados
(Your files have been encrypted)
Tus archivos has sido encryptados, lo que sighifica que ya no puedes abrirlos. Debo decir que no existe manera que los podamos recoperar :(… Mentira, contactame. Zika
Your files have beeh encrypted, which means you can not open them any more. I must say there is no way that the recipes :(…
Lie, contact me. Zika
Atte. Your Friend Zika
After the malicious files of this infection have been dropped on the computer of the victim, the Teamo ransomware changes it’s ransom note image as a wallpaper and may attack the Windows registry editor of the infected computer, more particularly the Run and RunOnce registry sub-keys, located in:
In thos sub-keys, the Teamo virus may add value entries with data in them, poining to the malicious executables of the ransomware. This results in the virus files running automatically when you start Windows, so restarting your computer after infection with Teamo ransomware is not advisable.
In addition to modifying the Windows registry sub-keys, Teamo ransomware may also be configured to run a batch script as an administrator on the victim’s computer. This script may run a command as an administrator in Windows Command Prompt, which eventually results in deleting the volume shadow copies of the infected computer. The commands which may be executed with different parameters without the victim noticing are the following:
.Teamo Files Virus – Encryption Process
To encrypt file on the computers it has infected, the Teamo ransomware uses the Advanced Encryption Standard cipher, which is also known as AES. This cipher renders portion of the targeted for encryption files after which replaces it with symbols from the encryption algorithm. The process ends with the generation of a unique decryption key which can revert the encryption process.
Teamo ransomware may target only specific files for encryption such as the following:
- Audio files.
- Adobe documents.
As soon as the files have been encrypted, the teamo ransomware sets the .teamo file extension to them, making them appear in proximity to what the image below looks like:
Remove Teamo Ransomware and Restore Encrypted Files
If you want to remove this ransomware virus from your computer system, we recommend that you focus on removing the infection by using the instructions below. They are divided in manual and automatic removal instructions, whose primary purpose is to help isolate and remove the virus from your computer. For maximum effectiveness during the removal of Teamo ransomware, recommendations are to remove this virus automatically using advanced anti-malware software, which will make sure that the virus is removed fully and your system is protected against future infections as well.
If you want to restore files that have been encrypted by this ransomware virus, we recommend that you try to use the alternative recovery methods down below in step “2. Restore files encrypted by Teamo” below.