TotalSystemSecurity.com


Category: Ransomware

Remove ‘.excuses File Extension’ Ransomware

‘.excuses File Extension’-Threat In Detail

‘.excuses File Extension’ is a ransomware threat that became active on April 2nd, 2018. It takes its name from the ‘.excuses’ file extension that it appends to files once encryption is done.
‘.excuses File Extension’ is built on the open-source HiddenTear code and is distributed through spam mail attachments and exploits. Once installed, it encrypts files of many types, including documents, images, videos, audio and PDFs.

The targeted extensions are:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

Once encryption is done, the files are appended with the ‘.excuses’ extension. For example, ‘blackpanther.jpg’ is renamed to ‘blackpanther.jpg.excuses’. The encrypted files can no longer be opened by any application.
‘.excuses File Extension’ Ransomware deletes the Shadow Volume Copies of the encrypted files and may also disable the Windows System Restore feature. The threat reboots the machine once the encryption process completes successfully.
‘.excuses File Extension’ Ransomware leaves a ransom note named ‘MESSAGE.txt’ on the desktop of the attacked computer.

The text in the ransom note appears as:
‘Приобрести декриптор можно до 02.04.2018
Запросить стоимость: excuses@protonmail.com
В ТЕМЕ письма укажите ваш ID: [redacted numbers]
Письма без указания ID игнорируются.
Убедительная просьба не пытаться расшифровать файлы сторонними инструментами.
Вы можете их окончательно испортить и даже оригинальный декриптор не поможет.
Заявки обрабатываются автоматической системой.’
Translated into English:
‘You can buy the decryptor before 04/02/2018
Request cost: excuses@protonmail.com
In the subject of the letter, indicate your ID: [redacted numbers]
Letters without an ID are ignored.
Please do not try to decrypt files with third-party tools.
You can ruin them entirely and even the original decryptor will not help.
Applications are processed by an automated system.’

Victims of ‘.excuses File Extension’ Ransomware are instructed to contact the authors at the email address ‘excuses@protonmail.com’. The authors then tell the victim how much ransom to pay to unlock the files. Payment is demanded in Bitcoin, transferred to a wallet address the authors supply.
Users are advised not to pay the ransom, as there is no evidence of victims getting their files back after paying. It is recommended instead to recover your files from backups and to remove ‘.excuses File Extension’ Ransomware from the infected computer quickly.

However, there is no guarantee that the authors will decrypt all the files after receiving payment. Security researchers therefore advise not to pay the ransom to the authors of ‘.excuses File Extension’ and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software.


Remove H34rtBl33d Ransomware and Recover .d3g1d5 file extension

H34rtBl33d-Threat In Detail

H34rtBl33d Ransomware is a file-encrypting trojan that was detected on 30 March 2018. This crypto-locker encrypts most of the files on the attacked system and appends the “.d3g1d5” suffix after the original file name. The authors demand a ransom of 0.1337 Bitcoin for the decryption key.

H34rtBl33d Ransomware is run by a group calling itself ‘D3g1d5.Cyber.Crew’. The group also had a Facebook page, which was deleted soon after AV vendors started investigating the threat.
Unlike most ransomware, which drops a ransom note file, H34rtBl33d Ransomware delivers its demand through balloon-tip notifications, the pop-ups Windows normally uses for system notifications in the bottom-right corner of the desktop.
The notification states:

‘Error! Your file could not be opened Please Decrypt Your File Using H34rt8133d Decrypter’ ‘Want Your Files Back? [Click here|BUTTON]’
‘Find out here about H34rt8133d Decrypter and how to return it [Click here|BUTTON]’
‘Cheaper than wannacry!
H34rt8133d very good ransomware in the world
Ransomware With Cheapest Ransom!
FACT! Ransomware that has infected your computer turned out RANSOMWARE WITH THE LOWEST CHOICE. Want your file back? [Click here|BUTTON]’

Clicking the link redirects users to the “scorpionlocker.xyz” web page, which instructs the victim to download and install the Tor browser,[1] create an account on torbox3uiot6wchz.onion and then contact the D3g1d5.Cyber.Crew at the email address “blackpanda007@torbox3uiot6wchz.onion”.
Once payment is made, D3g1d5.Cyber.Crew is supposed to provide the decryption key, which is held on a remote server.

Before you agree to pay the ransom, be aware that H34rtBl33d Ransomware is poorly written and there is no guarantee that you will get your files back. Security researchers therefore advise not to pay the ransom to the authors of H34rtBl33d and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software.


Remove Bansomqare Manna Ransomware

Bansomqare Manna-Threat In Detail

Bansomqare Manna is a crypto-malware threat that appeared in mid-March 2018. It imitates the appearance of the WannaCry crypto-malware and uses an icon resembling the legitimate WhatsApp messaging application.
The threat is usually distributed through spam email attachments and through unprotected RDP configurations. Other sources may include fake updates, third-party downloads, exploit kits, trojans and infected installers.

Remove Bansomqare Manna

Once the payload is dropped, it starts its malicious routine, targeting documents, photos, videos, databases and other files and encrypting them with the AES/RSA encryption algorithm.

It may target files with the following extensions: .avi, .bmp, .dat, .dll, .exe, .gif, .html, .ini, .jpg, .mp3, .pdf, .png, .rar, .xml, and others.

Files encrypted by Bansomqare Manna are given the .bitcoin extension. Once encryption is done, it leaves a ransom note named bitcoin2018.txt aimed at English-speaking users:

The message in the file says:
Send $ 100 of bitcoin to worth the the this address: 1DpYkoLa8wsadwgHs4ctkZMA83qMKHw5zD
Contact Us: MildredRLewis@teleworm.us

It is clear from the note that the extortionist demands a ransom of $100, sent to the given Bitcoin address, to restore the files. The ransomware also leaves a file on the desktop confirming that the encryption was done by Bansomqare Manna Ransomware.

What Happened to the My Computer?
Your important files are encryped.
Many of your documents, photo, video , databases and other files are no longer accessible because he have been encryped.Maybe you are busy looking for a way to recover your files, but do not wasteyour time. Nobody can recover your files without our decryption service.
Can I Recover My File?
Sure, We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free.
The bitcoin address will be saved to the “bitcoin2018.txt” file

However, there is no guarantee that the authors will decrypt all the files after receiving payment. Security researchers therefore advise not to pay the ransom to the authors of Bansomqare Manna and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software.


Remove MOLE66 Ransomware and recover files

MOLE66 Ransomware-Threat In Detail

MOLE66 Ransomware is a file-encrypting trojan variant that was first reported at the end of March 2018. It takes its name from the ‘.MOLE66’ extension that it appends to files after encrypting them. It mostly targets documents, photos, text files, presentations, databases, images, videos and MP3s, using a strong encryption algorithm.

MOLE66 Ransomware uses the same intrusion method as much other ransomware: spam mail carrying a macro-enabled document which, once run, drops the threat's payload and installs it without the user's consent. The installation is done in the Temp folder of the attacked system.

MOLE66 Ransomware drops files such as ‘BC2D64A077.exe’ and ‘uZlQSDe.exe’ on infected machines. Once installed, the trojan is likely to target files with these extensions:

.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg, .part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip.

Encrypted files are given a blank icon and renamed to filename.MOLE66. Once encryption is done, it may delete the Shadow Volume Copies created by Windows so that users cannot recover their files by other means.

The ransom note is a text file named ‘_HELP_INSTRUCTIONS_.TXT’ that instructs the user to contact the mail address ‘alpha2018a@aol.com’. The text of the ransom note reads:

‘!!!All your files are encrypted!!!
What to decipher write on mail alpha2018a@aol[.]com
Do not move or delete files!!!!
—- Your ID: [37 RANDOM CHARACTERS] —-
!!! You have 3 days otherwise you will lose all your data.!!!’

It asks users to pay the ransom in Bitcoin to the wallet address they are given. However, there is no guarantee that the authors will decrypt all the files after receiving payment. Security researchers therefore advise not to pay the ransom to the authors of MOLE66 and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software.
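The four families described so far (and the ones further down this page) all leave the same two traces on disk: a fixed suffix appended to every encrypted file and, usually, a ransom-note file with a fixed name. The following script is an added example, not code from this site or from any of the malware authors, that walks a directory tree and inventories both, recovering each file's pre-encryption name. The family table is built from the suffixes and note names quoted on this page; the sample tree it builds is constructed for the demonstration. It matches suffixes as literal trailing strings rather than with `os.path.splitext`, because Xorist-Frozen's suffix ‘.frozen_service_security@scryptmail.com’ contains its own dots, and it matches BlackRuby's ‘Encrypted_%[random characters]%’ suffix as a pattern.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Family table built from the descriptions on this page: the suffix each family
# appends to an encrypted file and the ransom-note filename it drops (None where
# the page describes no note file).
FAMILIES = {
    ".excuses File Extension": (".excuses", "MESSAGE.txt"),
    "H34rtBl33d": (".d3g1d5", None),            # delivers its demand via balloon tips
    "Bansomqare Manna": (".bitcoin", "bitcoin2018.txt"),
    "MOLE66": (".MOLE66", "_HELP_INSTRUCTIONS_.TXT"),
    "SilentSpring": (".Sil3nt5pring", None),
    "Xorist-Frozen": (".frozen_service_security@scryptmail.com", "HOW TO DECRYPT FILES.txt"),
}
NOTE_NAMES = {note.lower(): fam for fam, (_, note) in FAMILIES.items() if note}

# BlackRuby's suffix is 'Encrypted_%[random characters]%' (page wording), so it
# has to be matched as a pattern rather than a fixed string.
BLACKRUBY_RE = re.compile(r"\.?Encrypted_[^\\/]+$")


def classify(name):
    """Return (family, original_name) if `name` ends in a known suffix, else None."""
    lowered = name.lower()
    for family, (suffix, _) in FAMILIES.items():
        if lowered.endswith(suffix.lower()) and len(name) > len(suffix):
            return family, name[: -len(suffix)]
    m = BLACKRUBY_RE.search(name)
    if m and m.start() > 0:
        return "BlackRuby", name[: m.start()]
    return None


def triage(root):
    """Walk `root` and report encrypted files (with pre-encryption names) and ransom notes."""
    root = Path(root)
    encrypted, notes = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        hit = classify(path.name)
        if hit:
            encrypted.append((rel, hit[0], hit[1]))
            continue
        family = NOTE_NAMES.get(path.name.lower())
        if family:
            notes.append((rel, family))
    return {
        "encrypted": encrypted,
        "notes": notes,
        "by_family": dict(Counter(fam for _, fam, _ in encrypted)),
    }


def build_sample_tree():
    """Create a constructed directory tree that mimics a hit by several of the families above."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    sample = {
        "docs/blackpanther.jpg.excuses": b"\x00ciphertext",  # renaming example from the page
        "docs/MESSAGE.txt": b"ransom note",
        "db/report.xlsx.MOLE66": b"\x00ciphertext",
        "db/_HELP_INSTRUCTIONS_.TXT": b"ransom note",
        "pics/blackcat.jpg.frozen_service_security@scryptmail.com": b"\x00ciphertext",
        "pics/HOW TO DECRYPT FILES.txt": b"ransom note",
        "misc/thesis.docx.Encrypted_ab12cd": b"\x00ciphertext",  # constructed random part
        "misc/notes.txt": b"untouched plaintext",
    }
    for rel, data in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for rel, family, original in result["encrypted"]:
        print(f"{family:24} {rel}  (was: {original})")
    for rel, family in result["notes"]:
        print(f"{family:24} ransom note: {rel}")
    print("files per family:", result["by_family"])
```

The inventory is what you want before any clean-up: the per-family count tells you which decryptor (if one ever appears) applies, the recovered original names let you check each file against a backup, and the note locations show which directories the malware reached. Point `triage()` at a real volume only after the system has been isolated and the ransomware process stopped.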


Methods to remove MOLE66 from the computer

If MOLE66 has been dropped onto your computer, it may also be infected with other spyware and potentially unwanted programs. You can try removing these manually, but a manual method may not remove every threat, as they can regenerate if a single component remains. Manual removal also requires considerable proficiency with the registry and program details; a single mistake can cause serious trouble and may even crash the computer.

Security researchers and virus experts therefore recommend using a powerful, effective anti-spyware scanner and protection tool to completely remove spyware and other potentially unwanted software from the infected computer or device.

Automatic MOLE66 Removal solution

SpyHunter has the features needed to remove MOLE66 from the infected computer and to prevent other threats from attacking the device in future. Once SpyHunter is running in the background, it keeps you notified if any threat or PUP tries to enter. It also scans any new program you install and notifies you if it is not from a trusted source, so you can choose to continue with the installation or stop there.

Scan for the MOLE66 Ransomware virus on the computer.

Important: Before you start any removal process, we highly recommend backing up the rest of your data to the cloud so that your important files and documents are not lost. ZipCloud works on both Mac and Windows PCs and keeps your data safe and secure from cyber threats. ZipCloud also offers Sync and Backup features for mobile and tablet apps (Android included).


 

Step 1 (Recommended): The MOLE66 virus may not allow you to download and install any security program, so reboot your PC in Safe Mode and then try downloading the Spyhunter.exe program from the download button below:


SpyHunter 4 Features

SpyHunter 4 Compact OS allows your computer to boot without Windows, so removing malware and other stubborn infections is easier.
SpyHunter System Guards identifies and blocks malicious processes in real time and lets you take full control of all processes running on your computer.

Spyhunter Scan

A new advantage of the software is its listing of even the most malicious malware. After a complete, advanced system scan, the user can quickly have all system threats removed, even ones that other anti-spyware programs did not find.

Spyware-HelpDesk
Systems with SpyHunter installed are protected from all types of existing malware. The program traces and completely deletes adware, spyware, keyloggers, rootkits and other threats, including trojans and worms, so that none of them can steal your personal data and use it against you.

It is very important to protect your system from future attacks. You can do so by downloading Ransomware Defender, which deals with known ransomware in a way no other solution can. Specially designed to detect and block ransomware before any damage is done, Ransomware Defender blacklists and stops both common and unique ransomware. Once installed, it stands guard 24/7 using active protection algorithms with user-friendly alerts and notifications.
Ransomware Defender is fully automated, handling all threats through an advanced Scan > Detect > Lock Down mechanism that proactively guards against detected threats, and it works alongside all major antivirus and anti-malware products!


Ransomware Defender also features scheduled automatic scans, a secure file eraser, lifetime updates and support!


Manually Remove MOLE66 using System Restore

Step 1: Reboot your computer in “Safe Mode with Command Prompt”

Windows 7 / Vista / XP

  • Click Start > Shutdown > Restart > OK.
  • When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
  • Select Command Prompt from the list.
  • Once the Command Prompt window shows up, enter “cd restore” and press Enter.
  • Now type rstrui.exe and press Enter again.

 

Windows 8 / Windows 10

  • Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
  • Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Once the Command Prompt window shows up, enter “cd restore” and press Enter.
  • Now type rstrui.exe and press Enter again.

Step 2 (Manual Way): A new window will open. Click Next and select your restore point; the restore point should be dated before the MOLE66 attack. Then click Next.

  • Select the Restore point and click “Next”
  • Now click Yes to start system restore.

Now reboot the computer and run the scanner to detect any threat or suspicious program remaining inside. If you are not satisfied with the results and still see the issues, we recommend using the automatic MOLE66 Removal Tool for complete removal.


Step 3 (Automatic Clean-up of Registry): Remove all registry entries added by MOLE66

We recommend RegCure, which features a complete suite of easy-to-use fixing, cleaning and optimizing tools that can increase speed and peak performance.


How to Recover Encrypted files

Step 4: The most important step is to recover the encrypted files.

You can do this manually if you have a backup, or from the previous versions of files that Windows keeps as shadow copies. If you have neither, try recovering your important files with the Advanced Stellar Windows Recovery Tool.

Click here to download the Data Recovery tool and recover the encrypted files



For Mac users it is recommended to download MacKeeper: 3 easy steps to clean your Mac!

Just follow these 3 steps to remove all unwanted programs from your Mac and optimize macOS.

  • Download MacKeeper to your Mac.
  • Follow two easy steps to install MacKeeper.
  • Drag the MacKeeper icon from the Applications folder to your Dock.

MacKeeper will start a system scan on your Mac and present a full report of the scan.


Experts Guide To Prevent Future Attacks

The following steps will guide you to reduce the risk of infection further.

  • Scan all files with an Internet Security solution before transferring them to your system.
  • Only transfer files from a well known source.
  • Always read the End User License Agreement carefully at install time and cancel if other “programs” are being installed alongside the one you want.
  • When visiting a website, type the address directly into the browser rather than following a link.
  • Do not provide personal information to any unsolicited requests for information.
  • Don’t open attachments or click on Web links sent by someone you don’t know.
  • Keep your web browser up to date and make sure your computer is configured securely.




Remove SilentSpring Ransomware and restore .Sil3nt5pring files

SilentSpring-Threat In Detail

SilentSpring Ransomware is yet another ransomware threat that strikes a computer without the user's consent and encrypts important files on it. Like others of its kind, it aims to extort money from users by holding their data hostage. Encrypted files receive the .Sil3nt5pring extension and are no longer accessible to the user, and the only way offered to unlock them is to pay the ransom to the authors of SilentSpring. The ransomware leaves a ransom note containing instructions on how to contact the authors and pay the demanded amount.

The threat uses the same intrusion method as much other ransomware: spam mail carrying a macro-enabled document which, once run, drops the payload and installs it without the user's consent. The attached document may appear to come from a legitimate source or company, or to be an invoice. SilentSpring Ransomware may also arrive through fake patches, application updates from unverified links and so on.

Once installed, SilentSpring Ransomware uses AES-256 to encrypt files such as documents, images, music, videos, databases, spreadsheets, eBooks, PDFs and presentations. Encrypted files are given a white icon and the .Sil3nt5pring extension after the original file name.

File extensions targeted by SilentSpring Ransomware

→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV; CAD files: .DWG .DXF; GIS files: .GPX .KML .KMZ; .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF; encoded files: .HQX .MIM .UUE; .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML; audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA; video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV; 3D: .3DM .3DS .MAX .OBJ; .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

Once encryption is done, it deletes the Shadow Volume Copies created by Windows so that users cannot recover their files by other means.

However, there is no guarantee that the authors will decrypt all the files after receiving payment. Security researchers therefore advise not to pay the ransom to the authors of SilentSpring and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software.


BlackRuby Ransomware Removal Instruction

BlackRuby-Threat In Detail

BlackRuby Ransomware is the first ransomware threat to integrate a cryptocurrency-mining component. Along with encrypting files on the attacked computer, it also uses the system's CPU resources to mine cryptocurrency.

The threat uses the same intrusion method as much other ransomware: spam mail carrying a macro-enabled document which, once run, drops the payload and installs it without the user's consent. Other threats using the same distribution method include ‘.justice File Extension’, Xorist-Frozen Ransomware, LockMe Ransomware, Dream_dealer@aol.com and many others.

Once installed, BlackRuby Ransomware uses AES-256 and RSA-2048 to encrypt files such as documents, images, music, videos, databases, spreadsheets, eBooks, PDFs and presentations. Encrypted files are given a white icon and the ‘Encrypted_%[random characters]%’ extension. Once encryption is done, it deletes the Shadow Volume Copies created by Windows so that users cannot recover their files by other means.

Meanwhile, BlackRuby drops an updated version of “XMRig” and connects to the “h[tt]ps://www.monero[.]how” URL to mine Monero. Researchers report that the ransomware deletes its own files after the data has been encrypted and presents the ransom note so that victims learn of the encryption, while the XMRig tool, installed in the AppData directory, keeps running on the attacked system to continue mining and earning for the attackers.

The ransom note is a text file named ‘how-to-decrypt-files.txt’ that instructs the user to buy ‘Black Ruby Decryptor’ by paying 650 USD worth of Bitcoin to the given wallet address. Victims may contact the authors at the email address ‘TheBlackRuby@Protonmail.com’.

The ransom note by BlackRuby Ransomware reads as:

‘Black Ruby
=== Identification Key ===
[redacted] === Identification Key ===
[Can not access your files?] Congratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.
Our hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.
This time, we are guest with a new souvenir called “Black Ruby”. A ruby in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.
So let’s talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.
It does not matter if you’re a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it’s important that you have a black ruby and to get rid of it, you need to get back to previous situation and we need a next step.
The breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge.
We are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone.
We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility, you must pay $650 (USD) worth of Bitcoins for restore your system to the previous state and you are free to choose to stay in this situation or return to the normal.
Do not forget that your opportunity is limited. From these limits you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!.
===
[HOW TO DECRYPT FILES] 1. Copy “Identification Key”.
2. Send this key with two encrypted files (less than 5 MB) for trust us to email address “TheBlackRuby@Protonmail.com”.
3. We decrypt your two files and send them to your email.
4. After ensuring the integrity of the files, you must pay $650 (USD) with bitcoin and send transaction code to our email, our bitcoin address is “19S7k3zHphKiYr85T25FnqdxizHcgmjoj1”.
5. You get “Black Ruby Decryptor” Along with the private key of your system.
6. Everything returns to the normal ana your files will be released.
===
[What is encryption?] Encryption is a reversible modification of information for security reasons but providing full access to it for authorised users.
To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an “Personal identification Key”. But not only it. It is required also to have the special decryption software (in your case “Black Ruby Decryptor” software) for safe and complete decryption of all your files and data.
[Everything is clear for me but what should I do?] The first step is reading these instructions to the end. Your files have been encrypted with the “Black Ruby Ransomware” software; the instructions (“how-to-decrypt-files.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the internet the words the “Black Ruby Ransomware” where they find a lot of ideas, recommendation and instructions, it is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
[Have you got advice?] [*** Any attempts to get back you files with the third-party tools can be fatal for your encrypted files ***] The most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files.
Finally it will be impossible to decrypt your files, when you make a puzzle but some items are lost, broken or not put in its place – the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the Black Ruby Ransomware” software may be fatal for your files.
If you look through this text in the internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support.’

However, you should not trust BlackRuby Ransomware or its authors, as there is no guarantee that they will decrypt all the files after receiving payment. Security researchers therefore advise not to pay the ransom to the authors of BlackRuby and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software. The threat also compromises your system by consuming its resources for mining, so remove the ransomware together with the XMRig mining component promptly.


‘.justice File Extension’ Ransomware Removal Guide

‘.justice File Extension’-Threat In Detail

‘.justice File Extension’ Ransomware is another variant of the Jigsaw ransomware, which encrypts data on the attacked PC and profits by demanding a ransom.

The threat is named after the ‘.justice’ extension that its encrypted files receive. It encrypts data with AES-256 and then protects the file cipher with the more advanced RSA-2048, making it impossible for users to decode the files and forcing them to pay the ransom.

‘.justice File Extension’ Ransomware is distributed through spam bots that carry the infection's payload; once the user opens and runs the macro-enabled script, the threat is installed on their system.

File extensions encrypted are:
PDF, DOCX, DOC, PPTX, PPT, XLS, XLSX, MP3, MP4, AVI, DB, SQLITEDB, MDB, JPEG, JPG, PNG, BMP and MKV

After encryption, ‘.justice File Extension’ Ransomware appends the ‘.justice’ extension to the files and displays a ransom note in Turkish on the Windows screen.
The text appears as:

‘BU PROGRAM AÇILDIYSA TÜM SİSTEM DOSYALARINIZ KiLiTIENMİSTİR. BU KİLİDİ AÇABİLMENİZ İÇİN TEK GEREKEN SEV PARADIR
KORKMAYIN BU PARA SİZİN DEĞİLDİR. SİZDEN İSTEMİ$ OLDUĞUMUZ PARA BU ZAMANA KADAR ÇALI$TIRDIĞINIZ İNSANLARIN EMEKLERİNDEN CALDIĞINIZ PARADIR ENDİ$ELENECEK BİR DURUM YOKTUR.
SİZLERE BU KONUYU DOWNMENİZ İÇİN VAKİT TANIYORUZ. VAKTİNİZİN BEDELİ OLARAK HER DAKİKA 1 DOSYA SİLİNECEKTİR EĞER DOSYALARINIZIN BİR ÖNEMİ YOK İSE TÜM DOSYALARINIZI SiLEBİLİRSİNİZ. HERHANGİ BİR BEDEL ÖDEMEK ZORUNDA DEĞİLSİNİZ.
DOSYALARINIZI KURTARMAK İÇİN A$AĞIDAKi TALİMATLARI TAKİP EDİNİZ.
ÖDEME YALNIZCA BİTCOİN OLARAK ALINACAKTIR. HERHANGİ BİR SORUN İÇİN BiZiMIE ilETİSİME GECEBİLİRSİNİZ’
Translated into English:
‘If this program has opened, all your system files have been locked. The only thing needed to open this lock is money.
Do not be afraid, this money is not yours. The money we ask of you is the money you have stolen from the labour of the people you have employed until now. There is nothing to worry about.
We are giving you time to think this matter over. As the price of your time, 1 file will be deleted every minute. If your files are of no importance, you can delete all your files. You are not obliged to pay anything.
Follow the instructions below to recover your files.
Payment will be accepted only in Bitcoin. For any problem you can contact us.’

The ‘.justice File Extension’ Ransomware is also reported to delete the Shadow Volume Copies and erase any system restore points saved by the user, so that victims are left with no option other than paying the ransom to get their files decoded.

However, there is no guarantee that the authors will decrypt all the files after receiving payment. Security researchers therefore advise not to pay the ransom to the authors of ‘.justice File Extension’ and to remove the threat from the PC quickly. You can also try recovering your data from backups, if you have any, or with data recovery software.


Xorist-Frozen Ransomware Removal Guide

Xorist-Frozen Description

Xorist-Frozen Ransomware is a revised version of the Xorist Ransomware that was prevalent in 2016. Security researchers found the new version in February 2018.

Xorist-Frozen Ransomware behaves no differently from LockMe Ransomware: it encrypts the data and files found on the victim's PC and appends the ‘.frozen_service_security@scryptmail.com’ extension. For example, ‘blackcat.jpg’ is renamed to ‘blackcat.jpg.frozen_service_security@scryptmail.com’. After the data has been encrypted, Xorist-Frozen Ransomware leaves a ransom note named ‘HOW TO DECRYPT FILES.txt’ on the desktop and on the drives where encryption took place.

The ransom note reads as:

‘All your important files were FROZEN on this computer.
Encryption was produced using unique KEY generated for this computer.
To decrypted files, you need to obtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 36 hours after encryption completed.
REMEMBER YOU HAVE ONLY 24 HOURS TO PAY EVERYTHING IS AUTOMATICALLY!
To retrieve the private key, you need to pay 0.5 bitcoins
Bitcoins have to be sent to this address: 3N8FxD8y3AKKPZaUBuypw55YYSswmECPxh
After you’ve sent the payment send us an email to : frozen_service_security@scryptmail[.]com with subject : ERROR-ID-63100888(0.5BTC)
If you are not familiar with bitcoin you can buy it from here :
SITE : www[.]localbitcoin[.]com
After we confirm the payment , we send the private key so you can decrypt your system.’

The authors of the ransomware instruct victims to contact them at the provided email address “frozen_service_security@scryptmail.com”, which means the authors use the Scryptmail.com mail service for communication.

Users generally get this infection when they open an unsolicited email attachment: a macro-enabled document containing the payload of the malware. Users must therefore be cautious when opening such attachments or downloading freeware from untrusted links.

However, there is no guarantee that the attackers will decrypt all the files after receiving the payment. Security researchers therefore advise against paying the ransom to the authors of Xorist-Frozen and recommend removing the threat from the PC promptly. You can also try recovering your data from backups, if any exist, or with data recovery software.


Remove LockMe Ransomware and restore .lockme extension

LockMe Ransomware Description

LockMe Ransomware is a file-encrypting malware program that is out in the wild and was first detected on 2 February 2018. Security researchers have reported that the threat uses the AES-256 and RSA-2048 encryption algorithms to encode files on the attacked PC and appends the ‘.lockme’ extension to the encrypted files.

Analysis indicates that LockMe Ransomware mostly targets English- and Russian-speaking users and is distributed through phishing email campaigns similar to those of Dream_dealer@aol.com Ransomware. The infected mail attachment is a macro-enabled document containing the payload of the virus; when the user opens it, the document runs the script and LockMe Ransomware is installed on the attacked computer system.

Once installed, LockMe Ransomware searches the local drives for important documents, photos, video, audio, databases, PDFs and other files. The infection uses the AES cipher to encrypt the data; locked files keep their original filename and gain the ‘.lockme’ suffix. For example, blackcat.jpg is renamed to blackcat.jpg.lockme.

After the encryption process completes, the ransomware drops a file named ‘README_FOR_DECRYPT_YOUR_FILES.txt’ on the desktop and in the encrypted locations.

The ‘README_FOR_DECRYPT_YOUR_FILES.txt’ file reads as:

‘All of your files have been Encrypted with military grade system and impossible to brute force, cracking, or reverse engineering it !
If you want all of your files back send me 0.03 BTC .
[+] Your Unique ID : [RANDOM CHARACTERS]
[+] Send BTC To This Address : 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX
[+] Send BTC : 0.03 BTC
[+] Contact Email : LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com
*) Don’t try change the ‘.lockme’ extensions , if you change it , your all files can be broken and can’t be restored forever .
*) If you’ve made a payment contact LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com .
*) If you not made a payment all of your private files will be leaked on internet (private photos, documents, videos, and more) .
Question : How to buy Bitcoin ?
Answer : You can buy Bitcoin at this Website : bitcoin.com , coinbase.com , cex.io , paxful.com , coinmama.com , etc .
[+] Your IP : [YOUR REAL IP ADDRESS]
[+] Your ID : [RANDOM CHARACTERS]’

According to the ransom note, the authors demand 0.3 Bitcoin (1815 USD/1461 EUR) as ransom. The LockMe authors describe their decryption tool as the ‘LockMe Decryptor’ software, meaning that after paying the amount the user is supposedly provided with the decryption key to decode the locked files.

However, there is no guarantee that the attackers will decrypt all the files after receiving the payment. Security researchers therefore advise against paying the ransom to the authors of LockMe and recommend removing the threat from the PC promptly. You can also try recovering your data from backups, if any exist, or with data recovery software.


Dream_dealer@aol.com Ransomware Removal

Dream_dealer@aol.com-Threat In Detail

Dream_dealer@aol.com is a file-encrypting ransomware threat. Security researchers have found it to be a variant of Globe Imposter Ransomware, which was very active in 2017.

Dream_dealer@aol.com Ransomware is distributed through spam mail attachments containing the payload of the threat. The attachment is a macro-enabled document that downloads the ransomware onto the computer system.


Once Dream_dealer@aol.com Ransomware is successfully installed, it immediately starts the encryption process, and the encrypted data is locked with the ‘.DREAM’ extension. For example, ‘myhomepics.jpeg’ is renamed to ‘myhomepics.jpeg.DREAM’. The ransomware targets documents, images, video and audio files, PDFs and databases, encrypts them and appends the .DREAM extension.
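The write-ups above all share the same on-disk pattern: an extension appended to the original filename and a ransom note dropped next to the encrypted files. The following triage script is an added example (not the site's own tooling) that walks a directory tree and inventories files carrying those appended extensions and the ransom-note filenames named on this page; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the write-ups above: appended extensions and
# ransom-note filenames. Constructed list; other families are not covered.
ENCRYPTED_SUFFIXES = (
    ".justice",                                 # '.justice File Extension'
    ".frozen_service_security@scryptmail.com",  # Xorist-Frozen
    ".lockme",                                  # LockMe
    ".DREAM",                                   # Dream_dealer@aol.com
)
RANSOM_NOTE_NAMES = {
    "HOW TO DECRYPT FILES.txt",                 # Xorist-Frozen
    "README_FOR_DECRYPT_YOUR_FILES.txt",        # LockMe
}

def classify_name(name):
    # Return (suffix, original_name) when the filename carries a known
    # appended extension, else None. Matching is exact and case-sensitive;
    # a bare suffix with no original name in front of it is ignored.
    for suffix in ENCRYPTED_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return suffix, name[:-len(suffix)]
    return None

def triage(root):
    # Walk root: count encrypted files per directory, record which
    # suffixes were seen, and list where ransom notes were dropped.
    report = {"encrypted": defaultdict(int), "suffixes": set(), "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in RANSOM_NOTE_NAMES:
                report["notes"].append(os.path.join(dirpath, name))
                continue
            hit = classify_name(name)
            if hit is not None:
                report["encrypted"][dirpath] += 1
                report["suffixes"].add(hit[0])
    return report

def build_sample_tree():
    # Constructed sample tree mimicking a LockMe-style infection.
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("blackcat.jpg.lockme", "report.docx.lockme",
                 "README_FOR_DECRYPT_YOUR_FILES.txt"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "untouched.txt"), "w").close()  # clean file
    return root
```

Call `triage(build_sample_tree())` for a run on the constructed tree, or point `triage` at a real volume root to scope how far an infection spread before restoring from backup.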

Welcome to TotalSystemSecurity.com. We provide users with the latest news and information about computer threats such as adware, spyware, Trojans, browser hijackers and ransomware. Here at TotalSystemSecurity.com you will find detailed information about the latest threats along with manual removal instructions. We hope our guides and articles help you troubleshoot your PC issues.

TotalSystemSecurity © 2015-2018