WannaLocker Ransomware

WannaLocker Targets Android Users in China! It’s a Copycat of WannaCry


A new Android ransomware named WannaLocker, which copies the look of WannaCry, is spreading in China. It is distributed through Chinese gaming forums disguised as a plugin for the popular mobile game “King of Glory”.

The ransomware was first identified by Qihoo 360, a Chinese security firm; Avast also detected it and coined the name WannaLocker. WannaLocker borrows most of its appearance from the widespread WannaCry and encrypts files on the external storage of the Android device it infects. This is not the first time Android users have been targeted. Earlier, I posted about a malicious app found on Google Play that was spreading ransomware.

WannaLocker Ransomware

Image Credits: Blog.Avast.com

How Does WannaLocker Work?

WannaLocker is selective about what it encrypts. It works through the device’s external storage and targets files larger than 10 KB whose names do not begin with a “.” character, skipping any path that contains “DCIM”, “miad” or “com”. Once installed, it hides its icon from the app drawer and encrypts in the background.
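The following script is an added example, not code from the article or from Avast. It turns the targeting rules just described into an exposure check you can run against a copy of a phone’s storage (or any folder) to see which files such rules would hit and which would be spared. The rule set (size over 10 KB, no leading dot, skip paths containing “DCIM”, “miad” or “com”) is taken from the text; the sample directory tree is constructed for the demo.

```python
"""
Exposure check modelled on the WannaLocker file-selection rules described above.
Added example; not code from the article or from Avast.
Rules taken from the text: files larger than 10 KB whose name does not start
with '.', skipping any path containing "DCIM", "miad" or "com".
"""
import os
import tempfile
from typing import List

SIZE_THRESHOLD = 10 * 1024                # 10 KB, from the description
SKIP_MARKERS = ("DCIM", "miad", "com")    # path substrings that exempt a file


def would_be_targeted(rel_path: str, size: int) -> bool:
    """Return True if a file with this relative path and size matches the rules."""
    name = os.path.basename(rel_path)
    if size <= SIZE_THRESHOLD:
        return False                       # too small
    if name.startswith("."):
        return False                       # dotfiles are skipped
    if any(marker in rel_path for marker in SKIP_MARKERS):
        return False                       # exempted directory
    return True


def scan_storage(root: str) -> List[str]:
    """Walk a storage root and return the files the rules would hit, relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if would_be_targeted(rel, os.path.getsize(full)):
                hits.append(rel)
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed storage tree (not real user data) and scan it."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    samples = {
        "Documents/thesis.docx": 40_000,                    # hit
        "Documents/.nomedia": 20_000,                       # skipped: dotfile
        "Documents/note.txt": 2_000,                        # skipped: <= 10 KB
        "DCIM/Camera/IMG_0001.jpg": 3_000_000,              # skipped: DCIM in path
        "Android/data/com.example.app/cache.bin": 50_000,   # skipped: "com" in path
        "Download/report.pdf": 120_000,                     # hit
    }
    for rel, size in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return scan_storage(root)


if __name__ == "__main__":
    for hit in demo():
        print("would be encrypted:", hit)
```

Run it against a real backup copy by calling scan_storage() on the copied folder; anything it lists is what you would lose if the backup itself were not kept off the device.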

The ransom WannaLocker demands to decrypt the files is 40 Chinese renminbi (roughly US$5–6), payable through QQ, Alipay or WeChat. The amount is far below what other ransomware families demand, which suggests the operators are not after specific targets but want many small payments, fast. Since the payment channels are domestic Chinese services, tracing the money should be comparatively easy for Chinese law enforcement and security firms.

WannaLocker Android Ransomware China Attack

Image Credits: Blog.Avast.com

WannaLocker Can Spread All Over the World, Beware!

Although the malware has so far only hit China, it may spread further. Keeping your data and files well protected is always a good idea, especially as more such ransomware appears demanding larger ransoms. We can never really tell how and when another ransomware will bypass your security, so here are a few measures to protect yourself against this kind of malware.

  1. Ensure your data and files, including those on external storage, are regularly backed up to a location the device cannot overwrite.
  2. Install a reputable security app that detects malware quickly, not one that only promises to fix problems after the fact.
  3. Avoid downloading files and software from dubious or random sources such as forum attachments.
  4. Do not install apps or plugins from anywhere other than the Google Play store or a verified app store.
  5. If you are hit by ransomware or malware, seek professional help; do not pay the ransom, or you may lose both your money and your data.

So this was WannaLocker, a new ransomware spotted targeting Android users in China. Stay safe and don’t fall for “free” games, hacks, cheats or plugins like the fake King of Glory plugin used in this case.

Erebus Linux Ransomware

Erebus Linux Ransomware Attacks South Korean Firm, Pays $1M Ransom!

Erebus Ransomware

June 10 was not a fortunate day for the South Korean web hosting company NAYANA, which was hit by ransomware known as Erebus. The attackers compromised 153 of its Linux servers and, with them, some 3,400 business websites the company hosts. The company lost access to a huge amount of its data. In ransom terms this dwarfs last month’s WannaCry outbreak.

The attackers initially demanded 550 bitcoins (about US$1.62 million) to decrypt the files. According to Trend Micro, after seven days of negotiation NAYANA agreed to pay 397.6 bitcoins (about US$1.01 million) in three installments. The first two installments have been paid, but the company has been unable to recover some of the data from the second batch as it expected after the second payment. Once the first and second batches are recovered, the company intends to pay the third installment.

Erebus Linux Ransomware

This is still better than what happened to Kansas Heart Hospital, which the article reports was hit by the same ransomware. The hospital was unable to access its encrypted files even after paying the full ransom, and the attackers then demanded a further payment, which the hospital refused.

Linux Hosting Servers Hacked by Erebus

Erebus first appeared in 2016 and resurfaced in 2017. The 2016 version targeted Windows and used a technique to bypass User Account Control (UAC). The 2017 variant runs on Linux; Trend Micro suggested it may have got in through a local Linux exploit, although the initial entry point has not been confirmed. Another thing to note is that the campaign is targeted rather than widespread, concentrating heavily on South Korea.

We do know what types of files Erebus targets: office documents, databases, archives and the like. Although Unix and Linux are a minority on the desktop, they run a large share of servers and are therefore lucrative for cybercriminals. Because they are used by so many large and small companies, a single vulnerability in a hosting environment can affect a whole network of customers at once.

The risk is always there and there is no guarantee of being completely safe. That is why the best defence against such malware and ransomware is one that runs deep into your systems rather than a single product at the perimeter.

Here are some tips and measures you should use to be safe against such attacks:

  1. Back up your data, and keep copies offline or otherwise out of reach of a compromised server
  2. Disable third-party or unverified software sources
  3. Apply the principle of least privilege
  4. Regularly check your network security
  5. Carry out regular security reviews and patching
  6. IP filtering
  7. Deploy good detection systems
  8. Network segmentation

These are just the basics; they raise the bar considerably against malware but cannot be guaranteed to stop 100% of ransomware. Read this guide on how to prevent ransomware from penetrating your system, and if you are already infected, check whether one of the free decryptor tools provided by Avast covers your ransomware family.


WannaCry Cyber Attack

Confirmed: WannaCry Worm Linked to North Korea!

WannaCry Ransomware Attacks

Reports of a recent investigation by Britain’s National Cyber Security Centre (NCSC) suggest a North Korean link to the WannaCry malware. The malware had its biggest impact on the NHS and many other major organisations across the world in May. The link is to a North Korea-based hacking group known as the Lazarus Group.

Although the NCSC, which is part of the UK signals intelligence agency GCHQ, has not officially confirmed these reports, sources describe an international investigation led by the NCSC that attributes the widespread WannaCry ransomware to North Korea.

The US National Security Agency has also led an investigation into the malware, linking it to North Korea. Code analysis and reverse engineering by several private cybersecurity companies have reached the same conclusion about the WannaCry attacks.


WannaCry Ransomware Linked to North Korea

The North Korea-based Lazarus Group has a history of cybercrime at a global scale. This includes the earlier WannaDecryptor v1.0, which was spread in a very similar way, shared code patterns with WannaCry and had the same aim of extorting money.

Another piece of malware called Brambul is also tied to the Lazarus Group, with overlapping code and the same pattern of spread. Many more attacks with similar code and patterns have been linked or attributed to the group, and the overlaps are too extensive to be coincidental.

Some analysts have read the advanced features of the WannaCry 3.0 variant as a sign that the global outbreak was an accident rather than the intended operation, but North Korea’s record of self-financing through cyber theft argues against that reading. South Korea had previously accused Lazarus of major attacks, and the group is also blamed for the 2014 Sony Pictures hack.

WannaCry spread like a worm across nations worldwide, encrypting data on hundreds of thousands of systems, including in hospitals and other major organisations. With reports now pointing at North Korea, the NCSC will have to act before the next wave.

Mac Ransomware

Mac Ransomware is Now Spreading Furiously, Over to You Mac Users!

Mac Ransomware Attacks

Fortinet has put out a warning for Mac users about the risk of malware attacks. The warning concerns Ransomware-as-a-Service (RaaS) offerings that target Mac devices. Mac users were largely untouched by the WannaCry outbreak, and attackers have taken that complacency as an opportunity: Macs that are not backed up or patched are easy targets.

The ransomware reaches macOS as a downloaded application or as an attachment in an email from an unknown sender, then encrypts the data on the system and demands payment in Bitcoin. Demands start at around 700 dollars in exchange for the user’s data, which may or may not actually be decryptable. Taking it a step further, some attackers have demanded a share of the victim company’s profits instead of the usual flat ransom. Because Mac users often neither back up their data nor install security updates regularly, RaaS operators have been circling macOS.

From big companies to small businesses, the popularity of macOS and the lax posture of many of its users make it an attractive target for ransomware operators looking to extract money from a company’s profits and shares. Macs are common among executives and marketing teams who handle valuable and confidential information, often with little data security or encryption.


Also, since the majority of users run Windows, Mac users are often lulled into thinking their system and files are safe, which makes their devices all the more appealing to attackers. This is why attackers are now preying on Mac users worldwide. Fortinet and other security firms have appealed to everyone, and to Mac users in particular, to make sure their devices are protected against all kinds of threats and malware.

Preventive Measures against Mac OS Ransomware

  1. Regularly back up your data

If you have Time Machine or another backup set up, and the backup is not permanently attached to the Mac, then if your device is attacked and its data encrypted you can wipe it and restore from the backup. Backups are not automatic until you configure them.

  2. Keep your device updated

Attackers adapt constantly, so keeping macOS and your security software up to date is what keeps your device protected against evolving malware.

  3. Encrypt your data

Many devices are more exposed because their data is not encrypted. Encrypting the data on your device (for example with FileVault) protects it if the device is lost or stolen.

  4. Secure your device with endpoint security

Endpoint security products are one of the best ways to protect your device and data from potential threats, as they reduce the risk of a threat gaining a foothold on the device and spreading into the network.

  5. Check your email and safeguard the web

Email is the main delivery route for malware and ransomware, but with a good email security gateway, web filtering and cloud-based protection in place your device will be far more secure and you will be able to detect and respond to threats quickly.

These are a few ways you can prevent ransomware from getting onto macOS. You can also check out our list of decryptor tools, which work for some of the ransomware families released to date.

Protect from WannaCry Ransomware

Don’t Wanna Cry? Here’s How You Stop WannaCry Ransomware!

WannaCry has slipped past many antivirus tools and crept into hundreds of thousands of systems worldwide within a week. Are you one of them? If not, you may still be at risk.

Protect Your System from WannaCry Ransomware

Many readers have been asking me “How do I stop WannaCry?” or “How do I protect my system from WannaCry?” So, on readers’ demand, I am going to show you a simple yet effective way to stop WannaCry from creeping into your system.

How to Prevent WannaCry Ransomware

Microsoft has released the MS17-010 patch, including for unsupported Windows versions such as XP. Patching closes the SMB hole WannaCry spreads through, but it does not stop ransomware delivered by other routes, so as a second layer I recommend installing Cybereason’s RansomFree on your Windows system. If you have been hit by any other ransomware except Cerber, check this list of ransomware decryptors to remove it now!

Download Cybereason’s RansomFree on Windows

One free tool that, as far as I know, detects and blocks WannaCry’s file encryption is Cybereason’s RansomFree. Follow the simple steps below to install it on your Windows system.

#1. Download Cybereason RansomFree from here.

#2. The installer is just 4.3 MB, so the download is quick. Install it on your PC (follow the procedure shown in the image below).

#3. Once installed, leave the rest to Cybereason’s RansomFree!

In addition to this software, after this attack it is also recommended that you upgrade to Windows 10 Home or Pro if you are still using Windows XP or Windows 7.

how to download cybereason ransomfree

Image Source: ransomfree.cybereason.com

RansomFree does not only detect WannaCry; it is designed to catch ransomware of all kinds by watching for the file-encryption behaviour they share and halting the offending process. There are no settings to configure, because the tool needs no manual setup to run on a Windows PC. Here is how it looks after installation: a static window without a navigation menu, unlike most security tools.

Cybereason RansomFree

It runs quietly in the background and notifies you if RansomFree finds anything suspicious. You can follow the links Cybereason provides in the tool for more details. Here is Cybereason RansomFree detecting WannaCry and blocking it right away!

Here’s What CEO of Cybereason Said

“I believe this is the largest, in the effect it is having,” said Lior Div, chief executive of Cybereason, a Boston-based cyber security firm. Div joined a chorus of cyber security experts that traced the global ransomware shakedown to a powerful cyber weapon developed by an elite offensive unit of the NSA that was leaked into the open in mid-April. “There is no question about it,” Div said.

“We are taking unprecedented measures to help any company affected by WannaCry because we want to rid the world of ransomware and make it unprofitable for hackers. Ransomware is the biggest threat facing companies today and we’re excited to help even more companies eliminate ransomware,” adds Div.

Cybereason has also pledged US$50 million worth of free enterprise software to companies hit by the WannaCry attack, offering any affected company its software at no charge.

According to reports, local companies in Boston that were already running Cybereason before the attack were unaffected. Now it’s your turn: download Cybereason RansomFree on your PC and get protection against a wide range of ransomware.

My Opinion on Cybereason RansomFree

When you get an opportunity to protect your PC for free, you should grab it. I am personally using it and have not faced any security issues on my Windows 10 laptop to date. Cybereason RansomFree is the safest software to protect your PC from WannaCry ransomware.

Share this with your loved ones so that they don’t fall into the trap of any ransomware from now on!

WannaCry 3.0 Ransomware

WannaCry 3.0 Ransomware Spreading Now, WCry 2.0 Was Just a Test?


[Updated on 17th May 2017]   Here’s the detailed guide on how to protect your system from WannaCry Ransomware in future.

WannaCry 3.0 is now infecting systems worldwide. Reports link WannaCry to the Lazarus Group and point to North Korea as the origin of the attack. Read on to find out more about WannaCry 3.0 and the code it shares with Contopee, a Lazarus Group tool. This group is held responsible for the 2014 attack on Sony Pictures and the US$81M theft from Bangladesh Bank in 2016.

Thanks to Marcus Hutchins, who registered the “kill switch” domain that WannaCry checks before encrypting, the first wave of the ransomware was stopped (the domain acted as a sinkhole; it is not a decryption key). But is this going to be enough? Will it stop the criminals from trying something new? No! WannaCry 3.0 is already on the roll, and it looks as if WannaCry 2.0 was just a test run of the latest version!

Comae Technologies founder Matt Suiche spotted a newer version of WannaCry that Kaspersky Lab had not yet seen. This variant, found on a newly infected system, used a different kill-switch domain, which Suiche also registered.

Why Did WannaCry Have a Kill Switch?

Many of you assumed the attackers had simply forgotten to remove the kill switch from WannaCry, but that is not the whole story. The domain check is most likely an anti-analysis trick: sandboxes used by security tools answer every DNS lookup, so a sample that finds the domain “alive” can assume it is being analysed and exit. As noted earlier, WannaCry 2.0 looks like a test, and the new version, WannaCry 3.0, is already infecting systems worldwide again!

WannaCry 3.0 Ransomware

Image Source: unwire.hk

“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another advanced persistent threat actor,” said Kaspersky. It has also been reported that some of the attack traffic originated from North Korean IP addresses. Here are the details on the link between the Lazarus Group and WannaCry.

Matt Suiche reported (on 15 May 2017) that WannaCry is linked to the Lazarus Group, observing that code in WannaCry and in Contopee is very similar. It would not be wrong to say that the Lazarus Group is somehow involved in developing WannaCry. The image below, from Suiche, shows the shared code. The similarity was first spotted by Neel Mehta, a Google security researcher.

WannaCry 3.0

Experts also caution: “Just because the code of both attacks is similar doesn’t mean a particular group is involved. It might be another group reusing the Lazarus Group’s code to confuse analysts and hide their identity.” According to Kaspersky’s latest blog post, the shared code no longer appears in the most recent version of WannaCry.

Recommended Read: Latest Ransomware Decryptor Tools of 2017

Customer Guidance for WannaCry Attack by Ransomware

You simply can’t blame Microsoft for the attack. It is your responsibility to keep your systems updated to a supported, patched Windows version to stay clear of such attacks. In an email from Microsoft, the company states that customers with automatic updates turned on and the security update released in March (MS17-010) installed, together with Windows Defender, are protected from this WannaCry attack. Here is what they sent; have a look.

Customer Guidance for WannaCry Attack by Microsoft

Even with the March security update installed, the ransomware can still reach a system by routes other than SMB (a malicious attachment, for example), so also keep Windows Defender or another anti-malware product enabled and up to date. Make sure you apply security updates promptly, and upgrade to Windows 10 Home or Pro now if you are on an unsupported version! Here is the detailed guidance written by Microsoft.

Microsoft will also be running a webinar to raise awareness among people who are still unaware of the WannaCry attack. It will be useful for anyone with questions about their systems, upgrades, WannaCry and more. In the email, Microsoft wrote: “You may want to join the Webinar on Wannacry Attack Q&A, 22nd May, 11am, Join here. Email: Please write to us at indiasms@microsoft.com. Our team will respond to you on priority.”

Should YOU Be Worried About WannaCry 3.0?

No fully working version of WannaCry without a kill switch has been seen so far, says Costin Raiu, Director of Kaspersky Lab’s Global Research & Analysis Team. Matt Suiche said the WannaCry 3.0 sample he analysed did not have a working encryption payload and so posed no real threat. Does that mean you are safe from WannaCry 3.0? Most probably both yes and no! Also make sure you are aware of Cerber, the most dangerous member of the ransomware family right now.

As of now there is not much to worry about with this latest WannaCry variant, but it would not take much to turn the tables. So stay safe by installing the latest Windows security patches (MS17-010). Meanwhile, you can keep an eye on the real-time count of WannaCry-infected systems worldwide, which will give you a good idea if there is a sudden increase in infections. In short, if that happens, the WannaCry 3.0 wave is starting again! So beware and be safe, and stay tuned to ransomware news for more on WannaCry!

WannaCry Cyber Attack

WannaCry Ransomware Hits 200,000+ Systems in More Than 99 Countries! [Updated]

Updated on 17th May: I have written a detailed guide on how to stop WannaCry ransomware creeping into your system in the future. A kill-switch domain has been sinkholed, which stops the current variant from encrypting; no general decryption key has been released. Stay tuned for more updates. The WannaCry 3.0 variant (reported on 16th May 2017) makes the situation more dangerous.

Note: the string WNcry@2ol7 that has been circulating is the password of the ZIP archive embedded in the WannaCry dropper, used by analysts to unpack its components. It does not decrypt victims’ files.

What is WannaCry Ransomware

It cannot be denied that cyber attacks have been increasing in 2017, and ransomware has become the attackers’ tool of choice. Cyber-security firm Avast said it initially saw more than 75,000 infections of the ransomware known as WannaCry and variants of that name, a figure that has since passed 200,000. “This is huge,” said Jakub Kroustek at Avast. The NHS and other government bodies were among the hardest hit. This is not the first time government systems have been taken down, but this time the attack was international and spared no one.

WannaCry locks your system and demands a ransom of about US$300 in bitcoin. Ransomware attacks have been on the rise and extorting bitcoin has become a trend among criminals. The exploit WannaCry uses to spread was leaked by the group known as The Shadow Brokers.


How Did This Happen?

The attack exploits a weakness in Windows SMB for which the NSA had developed an exploit (EternalBlue); the NSA tools were stolen and published by The Shadow Brokers. Microsoft released the patch for this vulnerability in March as MS17-010, but many systems were never updated, and it is those systems without MS17-010 that are being hit.

In reply to questions from security researchers and victims, Microsoft said its engineers had added detection and protection for WannaCry to Windows Defender. But is this enough to stop an attack that is spreading like a flood? We will keep you updated on how to remove WannaCry and will publish a WannaCry decryptor if a security expert makes one available. If you are still wondering how WannaCry gets into your system, let’s find out now!

How Does WannaCry Ransomware Work?

Unlike other ransomware, which spreads through Ransomware-as-a-Service, phishing, spam email, fake Netflix generators or malicious Android apps, WannaCry works differently, and at the moment it is unstoppable.

WannaCry spreads like a worm from one system to another over the SMB file-sharing protocol, with no user interaction. Once it is inside an organisation or network it can take down every unpatched system within minutes, which is why so many systems around the world were infected in so short a time. A good illustration of how it propagates is posted here: WannaCry spreading rapidly through a university lab in Italy. Here is how it looks!

WannaCry Ransomware
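The worm-style spread shown above leaves a characteristic trace in network logs: one host suddenly opening SMB (445/tcp) connections to many distinct internal hosts in a short time. The following is an added detection example written for this article, not code from the article, from MalwareTech or from any vendor. It runs over constructed firewall-style log lines (timestamp, source, destination, destination port; the format, the 60-second window and the threshold of 10 targets are assumptions) and flags sources whose SMB fan-out exceeds the threshold.

```python
"""
SMB fan-out detector for worm-like lateral movement, as an added example
modelled on the WannaCry spread described above; not code from the article.
Input: constructed log lines "timestamp src dst dport" (format assumed).
Flags any source reaching many distinct hosts on 445/tcp in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(seconds=60)    # assumption: sliding-window length
FANOUT_THRESHOLD = 10             # assumption: distinct 445/tcp targets per window

# Constructed sample log, not real traffic: 10.1.1.25 sweeps fifteen hosts on 445
# in 15 seconds; 10.1.1.40 talks repeatedly to one file server (normal) and once
# to a web server on 443 (ignored).
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.1.1.25 10.1.1.{100 + i} 445" for i in range(15)]
    + [f"2017-05-12T10:00:{i:02d} 10.1.1.40 10.1.1.5 445" for i in range(0, 60, 5)]
    + ["2017-05-12T10:00:30 10.1.1.40 10.1.1.6 443"]
)


def parse(line: str) -> Tuple[datetime, str, str, int]:
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_fanout(log: str, threshold: int = FANOUT_THRESHOLD,
                    window: timedelta = WINDOW) -> Dict[str, int]:
    """Return {source_ip: peak distinct 445/tcp destinations seen within `window`}
    for every source whose peak reaches `threshold`."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport = parse(line)
        if dport == 445:
            events[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, items in events.items():
        items.sort()
        peak, start = 0, 0
        for end in range(len(items)):
            # slide the window start forward until it is within `window` of this event
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in items[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB targets within {WINDOW.seconds}s")
```

The legitimate file-share client never trips the rule because it talks to a single destination however often it connects; the sweep does, because the signal is breadth of targets, not volume. In production you would feed this from netflow or firewall exports and tune the threshold to your network’s normal SMB behaviour.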

So this is how WannaCrypt0r 2.0 spreads through a network, and at the moment it is unstoppable. A UK-based security researcher has, however, found a temporary way to hold the worm back.

He added that this is not a permanent fix; it is only temporary and becomes useless as soon as the criminals release a variant without the domain check. “So long as the domain isn’t removed, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again,” he tweeted.

Find out Where WannaCry is Spreading!

The heat map below, from the MalwareTech team, shows the infections concentrated in Russia, along with China, Taiwan, the USA, the UK, India, Spain, Italy and many other countries.

WannaCrypt0r 2.0 Ransomware HeatMap

As for dealing with WannaCry, the steps available right now are to back up your data, install an antivirus product (at least a trial version) and, above all, install Microsoft’s MS17-010 update from here. None of this decrypts files that are already encrypted, but together these steps give you a good chance of avoiding infection. Stay tuned to our ransomware category for the latest news and updates on cyber attacks worldwide!

Cerber 6

Cerber 6 Ransomware: Toughest One to Detect & Remove? Know More!

Cerber 6 Ransomware

Cerber has taken the cyber world by storm, accounting for 87% of ransomware attacks in the first quarter of 2017. As if that were not enough, Cerber 6 is now taking shape to dominate the field, according to Trend Micro.

The ransomware is distributed through spam emails carrying a malicious JavaScript file. Once the user opens the file, it fetches and executes the Cerber 6 payload in the background after a delay of about two minutes, long enough to sit out short sandbox analyses. Some variants run an embedded PowerShell script instead. Here is how it looks:

Cerber 6

Credits: TrendLabs Security Blog
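The delivery chain just described (spam with a script attachment, often wrapped in an archive) can be caught before the script ever runs. The following is an added example written for this article, not code from the article or from Trend Micro: a small mail-attachment triage function using Python’s standard email and zipfile modules. The sample message is constructed, and the list of script extensions treated as dangerous is an assumption chosen for illustration.

```python
"""
Mail-attachment triage for the Cerber delivery chain described above
(spam carrying a malicious JavaScript file, sometimes inside an archive).
Added example; not code from the article or Trend Micro. The sample message
is constructed and the extension lists are assumptions.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Script types Windows will execute on double-click (assumed list for the example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension, or '' if there is none."""
    lowered = name.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def suspicious_attachments(raw: bytes) -> List[str]:
    """Return names of script attachments, looking one level inside ZIP archives."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in SCRIPT_EXTENSIONS:
            findings.append(name)
        elif _ext(name) in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        if _ext(inner) in SCRIPT_EXTENSIONS:
                            findings.append(f"{name}!{inner}")
            except zipfile.BadZipFile:
                findings.append(f"{name} (unreadable archive)")  # malformed = suspicious
    return findings


def build_sample() -> bytes:
    """Constructed spam message: a ZIP attachment hiding 'Invoice_2017.js'
    next to a harmless PDF. No real malware is involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017.js", "// placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_2017.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample()):
        print("quarantine:", finding)
```

The archive case matters because spam filters that only look at the outer attachment name will pass a .zip straight through; the script inside is what the user double-clicks.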

As of now, there’s no word on the decryption of Cerber 6 ransomware. But if you are the victim of any other ransomware released previously, you can check out these ransomware decryptor tools listed by us.

It is not only personal computers at home or in the office; sectors such as healthcare, government, transport and hospitality have all been hit by ransomware in 2017. According to the TrendLabs blog post, cybercriminals earned an estimated US$2 million in commissions alone (a 40% cut) from Ransomware-as-a-Service in a single month in the fourth quarter of 2016. The United States tops the list of countries hit by Cerber (84%), followed by Japan, Taiwan, Australia and China.


Can Cerber 6 Ransomware be Removed?

No. There are no decryption tools for Cerber 2, 3, 4, 5 or 6; the only one available covers Cerber v1. You can, however, check the tools provided by Avast if your system has been hit by another ransomware family. Cerber has become so hard to detect that an ordinary user is easily fooled, and installing an antivirus product alone is not enough these days.

Cerber is updated regularly, which makes it hard for security researchers to produce a solution that covers every version. “While Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions. While these Cerber-carrying SFX packages aren’t prevalent in the wild right now, it’s one of the signs of things to come for Cerber,” says the TrendLabs report.

| | Cerber v1, v2 and v3 | Cerber v4 | Cerber v5 | Cerber SFX | Cerber v6 |
|---|---|---|---|---|---|
| File type | EXE | EXE | EXE | SFX (loader), VBS, DLL | EXE |
| Exceptions (Cerber does not execute if it detects certain components on the system) | Language in v1 and v3*; language and antivirus (AV) in v2* | Language* | Language* | AV, VM, sandbox (loader*), and language* | Language* |
| Anti-AV routine | None | None | None | None | EXE files of AV, firewall and antispyware products set to be blocked by Windows Firewall rules* |
| Anti-sandbox | None | None | None | VM and sandbox (loader*) | VM and sandbox (loader*) |
| Backup deletion | Yes (vssadmin, WMIC, BCDEdit)* | Yes (WMIC)* | Yes (WMIC)*; removed in v5.02 | Varies (some samples have backup deletion capabilities) | Varies (some samples have backup deletion capabilities) |
| Exclusion list (directories and file types Cerber does not encrypt) | Folder and file* | Folder and file* | Folder and file*; and AV, antispyware and firewall directories | Folder and file*; and AV, antispyware and firewall directories | Folder and file* |

The table above, prepared by Trend Micro, shows how Cerber has evolved over time. However many new ransomware families come and go, Cerber is likely to keep its dominant position because of its sophisticated code. Features such as the anti-sandbox and anti-VM checks in the recent Cerber SFX and Cerber 6 variants make it harder than ever to detect and to stop from installing on computers and laptops.
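One row of the table is directly actionable for defenders: the backup-deletion step (vssadmin, WMIC, BCDEdit) is visible in process-creation telemetry before encryption finishes, and legitimate software almost never issues those exact commands. The following is an added detection example written for this article, not code from the article or from Trend Micro. It runs over constructed process-creation records in a Sysmon-like “parent image | image | command line” layout (the layout and the sample events are assumptions) and flags the shadow-copy and recovery-tampering commands named in the table.

```python
"""
Detection for the backup-deletion step in the Cerber table above
(vssadmin, WMIC, BCDEdit). Added example; not code from the article or
Trend Micro. Input lines are constructed process-creation records in an
assumed "ParentImage|Image|CommandLine" layout.
"""
import re
from typing import Dict, List, Set

# Rule name -> regex applied to the lower-cased command line.
RULES: Dict[str, "re.Pattern[str]"] = {
    "vss_delete":      re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    "wmic_vss_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    "bcd_norecovery":  re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    "bcd_ignorefail":  re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
}

# Constructed events, not from a real host. Columns: parent | image | command line.
# The benign lines (a dir listing, a shadow-copy *list*) must not fire.
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|WMIC.exe shadowcopy delete
C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""


def detect(events: str) -> List[dict]:
    """Return one finding per event whose command line matches any rule."""
    findings: List[dict] = []
    for line in events.splitlines():
        parent, image, cmdline = line.split("|", 2)
        fired = [name for name, rx in RULES.items() if rx.search(cmdline.lower())]
        if fired:
            findings.append({"rules": fired, "parent": parent,
                             "image": image, "cmdline": cmdline})
    return findings


def score(findings: List[dict]) -> int:
    """Largest number of distinct tampering techniques launched by one parent
    process. Several from one parent in a Temp directory is the ransomware pattern."""
    by_parent: Dict[str, Set[str]] = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).update(f["rules"])
    return max((len(rules) for rules in by_parent.values()), default=0)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h["rules"], "<-", h["cmdline"])
    print("max distinct techniques from one parent:", score(hits))
```

The parent-process grouping is what keeps the rule useful: an administrator running a single vssadmin command is noise, while three different recovery-disabling commands spawned in sequence by one unknown executable is the signature of the “backup deletion” row above and is worth an automatic host isolation.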

Security researchers warn that it is not only PC and laptop users who are at risk; smartphone users are too, after several apps spreading ransomware were found on Google Play. If this continues, 2017 is going to be the year of Cerber right through to the final quarter.

bart decryption tool

Bart Ransomware Decryption Tool Released by Bitdefender

Bitdefender, a leading antivirus vendor, has just released a Bart ransomware decryption tool. It built the decryptor, covering all versions of Bart, from decryption keys obtained by the Romanian police during their investigation and handed over to Bitdefender so that everyone affected by Bart could be helped. Relief for affected users came early this morning when the company released the free tool.


As a consequence, anyone affected by any version of Bart can now decrypt their files without hassle. Bart encrypted files with AES and, unlike families that first fetch an RSA key from a command-and-control server, did not need an active internet connection to encrypt; it could run entirely offline. It first appeared in June 2016 and is believed to come from the same operators as Locky, who are suspected of distributing Bart as well.

Bart was notorious for packing each file into a ZIP archive protected with AES. Affected files carry the .bart.zip, .bart or .perl extension. It targeted businesses and was widespread in 2016 alongside its counterpart Locky. In 2017 Cerber has replaced them both, and security researchers have yet to provide a solution for it. If you are interested, you can go through all the ransomware decryptor tools we have covered. The Bart decryption tool is available for download and decrypts files encrypted by any version of Bart.

Download Bart Decryption Tool

The Bart decryption tool is available for free from the Bitdefender website. Make a backup of all your encrypted files before you start. Decryption can take some time, so be patient and do not interrupt the process once it is running. Download the Bart decryption tool from the link below.

Download Bart Decryptor

Bart deletes system restore points, making it impossible to restore the system easily. The only option left is to use the decryption key. Bitdefender has integrated the decryption keys into a tool. The same tool is available on their website as well as on the No More Ransom website. It will be added to our decryptor tools section as well.

Our request is that you never pay a ransom to these cyber criminals. It only encourages them to spread more ransomware, and funding them is a bad business decision. In case of any query, you can leave a comment below.

ODIN Decrypt

ODIN Removal Tool: Ransomware ODIN Decrypt Working TOOL!

ODIN Ransomware / Virus

Have you heard the name ransomware? I know you have heard of malware, spyware and adware, but ransomware may be a new thing to you. In this article, you are going to get everything about the ODIN ransomware. Before we get into it, I want to give you an overview of ransomware in general.

Unlike traditional malware, ransomware doesn't make your computer act weirdly out of the blue. Once it gets into your system, it encrypts almost all of your files. You need a private key to decrypt the files, and the developer keeps that key on a remote, anonymous server.

They demand a ransom to decrypt the files. Most ransomware demands the money in the form of bitcoins. You will also be given a deadline beyond which no one can retrieve your data. The same goes for the Cerber 4.1.6 ransomware as well.

Update (24-03-2017): The Cerber ransomware decryptor is no longer working. For further updates, please check our exhaustive list of the ransomware decryptor tools available so far.

ODIN Removal Tool: Ransomware ODIN Decryptor

I have divided this article into different sections for reading convenience. You can find the removal and decryption methods at the bottom.

First, let us move on to what ODIN ransomware is.

ODIN Ransomware

What is ODIN Ransomware?

ODIN is the latest version of the Locky ransomware; it encrypts your data and demands money for decryption. The previous versions appended the .zepto or .locky extension to files, but ODIN adds the .odin extension. No one can open such files without the proper private key.

The ODIN virus uses a combination of AES and RSA encryption, which is why you can't unlock the files easily. Even with brute-force attempts, it would take hundreds of years to decrypt them.

Once it gets into a system, the ransomware hides inside a system process, rundll32.exe. Because it integrates itself into a legitimate system file, ordinary antimalware software fails to detect it.

When the ransomware is executed, it scans all your drives and cloud storage services. The developers specify in the algorithm which file types it encrypts. On finding such files, it encrypts them and creates two keys, a public one and a private one.

The private key is stored on a remote server owned by the developers themselves. They will ask you for a ransom (3 bitcoins, or about $1900) to decrypt the files. The ransom amount is higher than that of other ransomware.

The naming system of the ODIN ransomware follows a special pattern. Whenever it finds a file to encrypt, it renames it in the format {user id}-{4 characters}-{12 characters}.odin. Suppose you have a file named Work.doc; it will be renamed to RHDY5DH7-GT6D-D56F-76GT-T6H3BP4O0G86.odin.

.ODIN Virus

The developers of the ODIN virus are professionals in the field of coding and hacking, so they will never leave even a distant clue that leads to the private key.

The ransomware creates three files in every directory that contains at least one encrypted file. They are "_5_HOWDO_text.html", "_HOWDO_text.bmp" and "_HOWDO_text.html". The second one is an image file, which is set as your desktop wallpaper. All three files contain the same ransom message.
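The renaming pattern and the three ransom-note filenames above are the two easiest things for a defender to sweep a machine for. The following script is an added example written for this article, not code from the original post or from any vendor tool. The regular expression is my assumption: it is written to the shape of the sample filename shown above (five alphanumeric blocks of 8-4-4-4-12 characters), and the sample directory it builds contains constructed placeholder files, not real malware artefacts.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed filename shape, taken from the sample on this page
# (RHDY5DH7-GT6D-D56F-76GT-T6H3BP4O0G86.odin): five alphanumeric blocks
# of 8-4-4-4-12 characters followed by the .odin extension.
ODIN_NAME_RE = re.compile(
    r"^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{12}\.odin$",
    re.IGNORECASE,
)

# Ransom-note filenames named in this article.
RANSOM_NOTES = frozenset({"_5_HOWDO_text.html", "_HOWDO_text.bmp", "_HOWDO_text.html"})


def is_odin_name(filename):
    """True if a bare filename matches the assumed ODIN naming pattern."""
    return ODIN_NAME_RE.match(filename) is not None


def scan_tree(root):
    """Walk `root` and report ODIN artefacts.

    Returns a dict with:
      'encrypted' - paths whose names match the ODIN naming pattern
      'note_dirs' - directories containing at least one ODIN ransom note
    """
    encrypted, note_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTES.intersection(filenames):
            note_dirs.append(dirpath)
        encrypted.extend(
            os.path.join(dirpath, name) for name in filenames if is_odin_name(name)
        )
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs)}


def build_sample_tree(base):
    """Create a constructed sample tree (placeholder files, not real malware artefacts)."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "RHDY5DH7-GT6D-D56F-76GT-T6H3BP4O0G86.odin").write_bytes(b"\x00" * 16)
    (docs / "_HOWDO_text.html").write_text("constructed placeholder note")
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04")    # untouched file
    pics = Path(base) / "Pictures"
    pics.mkdir(exist_ok=True)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings
    with paths made relative to the temp dir so the result is stable."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_tree(tmp)
    return {
        "encrypted": [os.path.relpath(p, tmp) for p in result["encrypted"]],
        "note_dirs": [os.path.relpath(p, tmp) for p in result["note_dirs"]],
    }


if __name__ == "__main__":
    findings = demo()
    print("encrypted files:", findings["encrypted"])
    print("directories with ransom notes:", findings["note_dirs"])
```

Run it against a user's profile directory (`scan_tree(r"C:\Users\alice")`) to get a quick inventory of how far the encryption got and which folders received notes; the note directories are also the ones whose files are most worth recovering from backups or shadow copies first.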

For your information, I am leaving below such a message as generated by the ODIN ransomware.

“d=*-|==** __$$|$

.+.|.

|.=_=$-*$|-$|=|++-|+

!!! IMPORTANT INFORMATION!!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:

hxxp://en.wikipedia.org/wiki/RSA (cryptosystem)

hxxp://en.wikipedia.org/wiki/Advanced Encryption Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

To receive your private key follow one of the links:

hxxps://jhomitevd2abj3fk.tor2web.org/D56F3331E80D9E17

hxxp://jhomitevd2abj3fk.onion.to/D56F3331E80D9E17

If all of this addresses are not available, follow these steps:

  1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
  2. After a successful installation, run the browser and wait for initialisation.
  3. Type in the address bar: jhomitevd2abj3fk.onion/D56F3331E80D9E17
  4. Follow the instructions on the site.

!!! Your personal identification ID: D56F3331E80D9E17 !!!

=+_$ =** +.+

+=*_$.*.=_

=__|+-$|+*.=*$

=-.$”

You can see the payment information on the website given in the message. But security professionals recommend that you do not pay the money they demand, because there is no guarantee that they will decrypt the files once they receive the payment.

ODIN Decrypt

How does ODIN Get into My System?

Ransomware developers use multiple methods to get into your system. Nonetheless, email attachments have long remained their favourite option.

They send you an email regarding an eCommerce delivery or a payment. In the case of an eCommerce delivery, the email says they tried to deliver a package to you but it failed, and you have to confirm whether your details are correct by checking the attachment.

The payment-related mail tells the same story: they tried to send you a large payment and it bounced. In order to receive it, you have to check your payment details. In this case too, you get an attachment.

Almost 80% of people open the attachment. Mostly, it is a zipped file with a document inside. You may consider it a harmless file because of the common belief that only executable files contain malware. On the contrary, it executes a macro when you open the document. As a result, the ransomware lodges itself in rundll32.exe and keeps encrypting all your important files without any hindrance.

Sometimes, the ODIN ransomware reaches your system through freeware and cracks as well. I recommend that you drop the habit of downloading cracks; most of them come with malware pre-attached.

Yet another method is fake software updaters. There are tons of fake software updaters bundled with the ODIN virus, and on installing one you unknowingly run the ransomware itself.

Types of Files Affected by ODIN

We are all aware of the unlimited number of file types available today. When it comes to images, there are JPG, PNG, BMP, GIF and more. The same is true for audio, video, documents and others.

Practically, the ODIN ransomware affects every file no matter what its extension is. If you want the definite list of file extensions usually affected by ODIN, check the list given below.

.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

ODIN Removal Tool

I have multiple methods to remove the ODIN extension and the ransomware itself. So here you go, finally!

ODIN Removal Tool

Method 1: Using Malwarebytes Anti-Malware

Step 1: You have to download the software first. It is recommended to have an internet connection with decent speed.

Step 2: Once you finish downloading it, open the executable installer file. Just follow the on-screen instructions to finish the process.

Step 3: Don't forget to open the software once the installation finishes. You can see a Scan now button at the bottom of the interface. Simply press it.

Step 4: The duration of the scan depends solely on the amount of data on your computer. After finishing the scan, it will present you with a list of malware infections.

Step 5: Select all (recommended) and hit Remove selected.

In order to see the changes in effect, choose Yes on the restart prompt.

Method 2: Using Hitman Pro

Step 1: Download Hitman Pro using this link and install the software.

Step 2: Installation isn't a mammoth task; you just have to follow the on-screen instructions. That's all. When it finishes, Hitman Pro will start scanning your computer.

Step 3: As I said earlier, the duration depends on the amount of data. Once the scan completes, you will see the malicious items as the result. Choose the action you want to take for each risk and press Next.

Step 4: Activate the free 30-day license and remove the malicious files.

You may also have to remove those three files created by ODIN manually. Don't forget to change the wallpaper back as well.

Method 3: Remove ODIN from Registry

In order to run every time the system starts, the ransomware creates a bunch of registry keys. Here is how to remove them.

Step 1: Press Win key + R to open the Run dialogue box.

Step 2: Enter regedit into it. The Registry Editor will appear on the screen.

Step 3: Follow the paths given below and remove the values related to ODIN.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
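Hunting through those eleven keys by hand in Registry Editor is tedious, and it is easy to miss an entry named to look like a Windows component. The script below is an added example written for this article, not code from the original post or from any vendor tool. It enumerates exactly the keys listed above on a live Windows host (via the standard-library winreg module) and, on any other system, falls back to constructed sample entries. The triage rules are my assumptions, not something the page states: an autorun command that points into a user-writable directory, or that uses rundll32.exe (which the article says ODIN hides in) to load a DLL from outside the Windows directory, is flagged for review.

```python
import sys

# Autorun locations listed in this article (registry paths are case-insensitive).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"),
]

# Heuristic (my assumption, not from the article): autorun commands that point
# into user-writable locations deserve a manual look.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\downloads\\",
    "\\users\\public\\",
    "%temp%",
    "%appdata%",
    "%localappdata%",
)


def reasons(command):
    """Return the list of reasons an autorun command line looks suspicious."""
    c = command.lower()
    out = []
    if any(d in c for d in USER_WRITABLE_DIRS):
        out.append("references a user-writable directory")
    # The article says ODIN hides in rundll32.exe; a DLL loaded through
    # rundll32 from outside the Windows directory is a classic persistence sign.
    if "rundll32" in c and ".dll" in c and "\\windows\\" not in c.split("rundll32", 1)[1]:
        out.append("rundll32.exe loads a DLL from outside the Windows directory")
    return out


def triage_entries(entries):
    """entries: iterable of (hive, key, value_name, command).
    Returns only the suspicious ones, each with its reasons attached."""
    findings = []
    for hive, key, name, command in entries:
        why = reasons(command)
        if why:
            findings.append({"hive": hive, "key": key, "name": name,
                             "command": command, "reasons": why})
    return findings


def read_run_keys():
    """Enumerate the keys above on a live Windows host (returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                index = 0
                while True:
                    try:
                        name, value, _kind = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append((hive, path, name, str(value)))
                    index += 1
        except OSError:
            continue  # key absent or not readable
    return entries


# Constructed sample entries for offline use (not taken from a real infected host).
SAMPLE_ENTRIES = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater",
     r'"C:\Program Files\Example Vendor\updater.exe" /quiet'),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "SyncClient",
     r'"C:\Users\alice\AppData\Local\SyncClient\sync.exe" /background'),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "svchost",
     r"C:\Windows\system32\rundll32.exe C:\Users\alice\AppData\Roaming\abc123.dll,EntryPoint"),
]


if __name__ == "__main__":
    live = read_run_keys()
    for f in triage_entries(live or SAMPLE_ENTRIES):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] -> {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

Treat the output as a review list rather than a verdict: plenty of legitimate software (sync clients, updaters) installs under AppData, so the SyncClient sample is flagged too, while the rundll32 entry with a DLL in AppData\Roaming is the one that matches how this article describes ODIN and deserves the first look. Run it from an administrator prompt so the HKLM keys are readable.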

Method 4: Kill ODIN Related Processes

Here, we use Task Manager to kill the processes related to ODIN.

Step 1: Press Ctrl + Shift + Esc to launch Task Manager.

Step 2: You will see multiple tabs. Go to Details.

Step 3: Check for ODIN-related tasks there and kill them as soon as you find them: right-click >> End task >> End now.

ODIN Decrypt Files

How to Decrypt ODIN Infected Files

Though there is no proven method that retrieves ODIN-encrypted files completely, there are a few you can try.

Method 1: Using Shadow Explorer

Step 1: You have to download Shadow Explorer first. Use the link given below.

Download Shadow Explorer

Step 2: What you get is an executable installer. Just open it to install the software; the installation is done simply by following the on-screen instructions.

Step 3: Once the installation finishes, open the program.

Select the drive first and then the date. What this software does is restore your files to the state they were in on the chosen date, read from the volume shadow copies, so it only works if shadow copies from before the infection still exist. You must choose a date before the ODIN infection occurred.

Choose the file or folder from the main area of the interface on the right side and right-click on it. Finally, choose Export and browse to the destination where the earlier version should be saved.

You can also use the system's own restore tools to do the same.

Conclusion of ODIN Ransomware Removal Tool & Decryptor

Ransomware gets stronger every day, so you can't always rescue your system from its clutches.

That means prevention is better than cure. You shouldn't open email attachments from unknown senders. Moreover, don't ever download cracks and patches, especially from P2P networks.

I hope you got what I am talking about.

In case you have any doubt about the ODIN ransomware, feel free to reach out to me using the comment section down below.