How Dangerous is ‘[email protected]’ Ransomware?
For the past few years the EDA2 project has been used as an open-source ransomware platform. ‘[email protected]’ Ransomware, released recently, is based on the same code. One thing should be made clear: the EDA2 project was originally uploaded to the web for educational purposes. However, just like the HiddenTear project, it is now also being used to build ransomware-type viruses. ‘[email protected]’ Ransomware is apparently offered to cyber extortionists as RaaS (Ransomware as a Service), which lets con artists and cyber criminals run ransomware campaigns and collect ransom from victims. Distribution of ‘[email protected]’ Ransomware is quite simple: a third party uses a botnet to spread the ransomware dropper along with a packager. When the targeted user executes the dropper file, the ransomware’s malicious code is injected into their computer.
This RaaS offers the following features to con artists:
- Add-on – Code Macro Microsoft Office (Word, Excel) – $30
- Add-on – Code Update Virus Program – $49
- Source Code Decrypter Ransomware – $95
- Support (Setup C&C, SMTP Server,…) – $99
- Setup .Onion & Gateway (Bitcoin, PM) – $149
- Source Code Botnet – $190
- Code Macro Microsoft Office (Word, Excel) – $30
- Code Update Virus Program – $49
- Support 1 year (Setup C&C, SMTP, Domain) – $99
- The Premium Plan for the ‘Source Code’ Ransomware costs nearly $650
What should you do when your computer is infected with ‘[email protected]’ Ransomware?
First, note that ‘[email protected]’ Ransomware encrypts your files and demands a ransom, targeting your important files in the most commonly used file formats. Encrypted files become completely inaccessible and appear corrupted. You can get your files back either with the decryption tool that you would have to purchase from the ransomware attackers, or by using “System Restore” or data recovery software to recover them. But first you need to remove ‘[email protected]’ Ransomware completely from your computer; to do so, follow the guideline below:
Steps to Uninstall ‘[email protected]’ from PC
Procedure 1: Reboot Your PC in Safe Mode
How To Start Computer in Safe Mode with Networking (Win XP/Vista/7)
- Restart your system. Just before Windows starts, press F8 repeatedly on your keyboard. You will be presented with the Advanced Boot Options menu.
- Select Safe Mode with Networking from the options. Use the keyboard’s up and down arrow keys to move between the options, then press Enter to proceed.
Method To Start Win 8 in Safe Mode with Networking
- Restart your PC and, as soon as it begins to start, press the Shift+F8 keys.
- Instead of the Advanced Boot Options, Win 8 displays the Recovery Mode, so continue with the following steps until you reach the Safe Mode option.
- Tap ‘See advanced repair options’.
- Then click Troubleshoot.
- Next, select Advanced options.
- On the next window, choose Windows Startup Settings.
- Finally, click the Restart button. Windows 8 will restart into the Advanced Boot Options, where you can run the computer in Safe Mode with Networking.
ShadowExplorer can be really helpful in restoring your files encrypted by ‘[email protected]’
When ‘[email protected]’ attacks, it generally tries to delete all the shadow copies stored on your computer. But ‘[email protected]’ does not always succeed in deleting the shadow copies, so you may be able to restore the original files from them.
Follow these simple steps to restore the original files with ShadowExplorer:
- Download ShadowExplorer from http://www.shadowexplorer.com/downloads.html
- Install it on your system.
- Open ShadowExplorer and select the C: drive in the left panel.
- Choose a date at least one month back from the date field.
- Navigate to the folder that contains the encrypted files.
- Right-click the encrypted files.
- Export the original files and choose a destination to store them.
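Before installing ShadowExplorer it is worth checking whether any shadow copies actually survived the attack, and how old they are. The script below is an added example written for this guide, not code from the article or from ShadowExplorer; it assumes it is run from an elevated PowerShell prompt on the affected machine. It is read-only: it only lists the existing Volume Shadow Copies per drive and flags which drives still have a snapshot at least 30 days old, matching the one-month guidance above.

```powershell
# Added example (not from the article): enumerate surviving Volume Shadow Copies
# before attempting a ShadowExplorer restore. Run from an elevated PowerShell
# prompt on the affected machine. Read-only: it creates and deletes nothing.

# Map volume GUID paths (\\?\Volume{...}\) to drive letters so the report is readable.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $volumes[$_.DeviceID] = $_.DriveLetter }
}

# Oldest snapshot first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate

if (-not $shadows) {
    Write-Warning "No shadow copies found. The ransomware may have deleted them; fall back to System Restore or file-recovery tools."
    return
}

# One row per snapshot: drive letter, creation time, age in days, and the
# snapshot's device path (what ShadowExplorer reads from).
$report = foreach ($s in $shadows) {
    [pscustomobject]@{
        Drive   = $volumes[$s.VolumeName]
        Created = $s.InstallDate
        AgeDays = [math]::Round(((Get-Date) - $s.InstallDate).TotalDays, 1)
        Device  = $s.DeviceObject
    }
}
$report | Format-Table -AutoSize

# The guide recommends picking a snapshot at least a month old; report per drive
# whether such a snapshot still exists.
$cutoff = (Get-Date).AddDays(-30)
$report | Group-Object Drive | ForEach-Object {
    $old = @($_.Group | Where-Object { $_.Created -le $cutoff })
    if ($old.Count -gt 0) {
        "Drive $($_.Name): $($old.Count) snapshot(s) at least 30 days old; oldest from $($old[0].Created)"
    } else {
        "Drive $($_.Name): only recent snapshots ($($_.Count) total); oldest from $($_.Group[0].Created)"
    }
}
```

If the script reports no shadow copies at all, skip straight to the System Restore and file-recovery methods below; if it lists only very recent snapshots, they may already contain the encrypted versions of your files, so check the creation time against when the infection started before exporting from them.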
System Restore is another way to restore your encrypted files
1. Open Start >> All Programs >> Accessories >> System Tools >> System Restore
2. Click Next to go to the restore window
3. See which restore points are available and choose one at least 20 to 30 days back
4. Once you have selected it, click Next
5. Choose disk C: (it should be selected by default)
6. Click Next; System Restore will start working and should finish in a few minutes
Another method for recovering your encrypted files is file recovery software
If the above methods are not successful, you can turn to file recovery software. It can help recover your files because ‘[email protected]’ first makes a copy of each original file, encrypts the copy, and then deletes the original. Deleted files remain recoverable only until the disk space they occupied is overwritten, so avoid writing to the affected disk until you have attempted recovery; there is then a high probability that file recovery software can bring back your original files. You can find links to some of the best file recovery software below.
1. Recuva: you can download it from http://www.piriform.com/recuva/download
2. TestDisk: you can download it from http://www.cgsecurity.org/wiki/TestDisk_Download
3. Undelete360: you can get it from http://www.undelete360.com/
4. Pandora Recovery: you can download it from http://www.pandorarecovery.com/
5. MiniTool Partition Recovery: you can get it from http://www.minitool.ca/