Termite Virus Removal – Restore .aaaaaa Files

Termite Virus Removal – Restore .aaaaaa Files

Termite Virus image ransomware note .aaaaaa extension

Termite virus is a recently discovered ransomware which contains code taken from various popular hacker weapons. It uses a strong cipher to process user data according to a built-in list of target file types, they are renamed with the .aaaaaa extension. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.

Threat Summary

NameTermite virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .aaaaaa extension and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Termite virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Termite virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Termite Virus – Distribution Ways

The Termite virus has been spotted in a limited test campaign. It appears that the current attacks appear to target computers users worldwide. The criminals can use various techniques in order to maximize the number of infected hosts.

A popular method is to coordinate SPAM email campaigns containing various social engineering tactics. They are designed to appear as legitimate notifications such as password reminders, software update messages and etc. The associated Termite virus files can be directly attached or linked in the body contents.

Another technique is the use of download portals that imitate the legitimate vendor download sites and popular Internet portals.

Together with the emails these two methods are the primary methods for spreading infected payload carriers. Two example types are the following:

  • Macro-Infected Documents — The hackers can embed the virus payload into document files of various types: presentations, rich text files, spreadsheets and databases. Whenever they are opened a notification prompt will appear asking them to enable the built-in scripts. If this is done the virus infection will begin.
  • Application Installers — The scripts leading to the Termite virus infection can be bundled in installers for popular applications, updates, plugins and etc. The criminals often choose software that is popular with end users: creativity suites, system utilities and etc.

The fake download pages, emails and other content that may deliver the threat can make use of various scripts — redirects, pop-ups, banners, in-line links and etc.

Advanced infection campaigns can be achieved through the installation of browser redirects — they are malicious plugins made for the most popular web browsers. The criminals usually spread them on the various repositories or download portals. The hackers post the entries with fake user reviews or developer credentials in order to coerce the users into downloading them. An usual method is to promise them new features or browser enhancements that are not typically found on the standard browsers. One of the first actions done afer the infection is to redirect the victim users to a hacker-controlled site. This is done by changing the default settings — home page, search engine and new tabs page. After this is done the virus files will be deployed to the systems.

Termite Virus – In-Depth Analysis

The security analysis of the Termite virus shows that the code contains samples from various different threats: a generic coin miner, the XiaaoBa ransomware and typical virus operations. This shows that the criminals behind it may have been customizing their own variant or have ordered it from the underground hacker markets. The inclusion of XiaoBa code shows that one of the target groups may be Chinese speaking users. However to this date the infections seem to target users on a worldwide scale.

The modular engine can be fine tuned according to each campaign. It contains several different components that are called in stages. One of the first actions conducted by it is an information hijacking command. It can search and identify for strings that are grouped into two main categories:

  • Personal Information — The engine can be programmed into harvesting data that can expose the identity of the victims. The collected information usually consists of their name, address, phone number, location and any stored account credentials. The data can be used for various identity theft and financial abuse crimes.
  • Campaign Metrics — The analysis shows that the Termite virus engine also scans for specific operating system values and installed hardware components.

The analysis shows that the built-in engine may exhibit certain stealth protection features. This means that it scan for the presence of certain anti-virus programs, sandbox environments or virtual machine hosts. Their real-time engines will be blocked or entirely removed to evade potential discovery of the infection.

Following this the virus engine will be able to freely commit various system changes. They include hookups to system or application processes which allows the Termite Virus to harvest and manipulate strings and user commands in them. Further manipulations can include changes to the Windows Registry. This can affect both user-installed applications and the operating system as a whole. This can result in the inability to execute certain processes or cause overall performance issues. When combined with boot menu modifications it can lead to a persistent state of installation — this means that it will start automatically once the computer is powered on. Usually this also results in the inability to start the recovery menu which renders many manual removal instructions useless.

Many of the infections can be programmed into deleting System Restore files — both Shadow Volume Copies and Restore Points can be removed. Effective restore operations can be made only when used in combination with a professional-grade recovery solution. Refer to our instructions for more details.

The Termite virus can also interact with the Windows Volume Manager — this allows it to access any removable storage devices and network shares. As a result this can be used as a powerful method for infecting whole networks. If configured so the ransomware can also deliver a Trojan horse infection. It can set up a secure connection to a hacker-controlled server. It allows the criminals to spy on the victims in real time, steel user data and take over control of their machines.

The security analysis shows that some of the Termite Virus infections can lead to the deployment of cryptocurrency minres. They are special applications that take advantage of the available system resources in order to carry out complex infections. When they are reported to a special server (mining pool) the hacker operators will receive rewards in the form of digital currency (Bitcoin, Monero and others).

Termite Virus — Encryption

Upon the completion of all prior modules the ransomware engine will be started. Like most typical strains it uses a built-in list of target data which are to be encrypted with a strong cipher. A typical list will target the following file types:

  • Archives
  • Databases
  • Backups
  • Images
  • Videos
  • Music

All victim data will be renamed with the .aaaaaa. Instead of a tradiitonal ransomware note the threat will present a lockscreen instance. It may block the ordinary interaction with the computer until it is removed.

Remove Termite Virus and Restore Encrypted Files

If your computer system got infected with the Termite Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share