What is Arena ransomware? And how does it execute its attack?
Arena ransomware is a new file-encrypting virus designed to take over a compromised computer to encrypt files. According to researchers, this ransomware seems to be a variant of the Dharma ransomware family which already has a number of variants that carry out similar attacks. Arena ransomware was first spotted in the last week of August 2017 and has similarities with other Dharma ransomware variants.
After it successfully infects your computer, it connects to its Command and Control server to deliver information about the infected PC and then in return, it receives necessary data to carry out the encryption process. Before the encryption, it scans the computer for important files with different file types such as photos, music, videos, databases, texts, configuration files, archives, spreadsheets and a whole lot more and then encrypts them using a combination of AES and RSA encryption algorithms. All the targeted files are marked with [[email protected]].arena extension which is added at the end of each file’s names. Once it is done with the encryption, it delivers a ransom note which is contained in a text file named FILES ENCRYPTED.txt and places it on the desktop. The ransom note reads as follows:
“all your data has been locked us
You want to return?
write email [email protected]”
Aside from encrypting your files, the Arena ransomware also target alternative recovery methods such as the Shadow Volume Copies and the System Recovery. Without the Shadow Volume Copies of the files, it would be hard to restore them, making their recovery next to impossible without a decryptor. However, malware researchers strongly advise you against paying these crooks the ransom to decrypt your files. It would be stupid move considering the fact that there is no guarantee that paying them would get you your files back. The best option would be is to use your files’ backup copies, if you even have them or better yet, wait until a decryptor is developed by malware researchers.
It’s pretty clear that the best protection against threats like the Arena ransomware is to have file backups. If you have backup copies of your files stored in an external memory device, then the crooks behind this malware won’t have any leverage against you so you won’t be pressured or forced into paying the ransom and that all you have to do is to eliminate the threat from your computer.
How does Arena ransomware spread its infection?
Arena ransomware, just like other Dharma ransomware variants, spreads its infection through spam emails. These spam emails contain infected attachments which may be Microsoft Word documents that have corrupted macro scripts in them. These kinds of documents use social engineering techniques to trick users into believing that it’s a reputable sender, deceiving the victims into downloading and opening the infected file or clicking on embedded link sent the email. To avoid such occurrences, make sure that you check the sender’s credibility first. But more than that, deleting the suspicious email as soon as you see it would be the best choice. It also wouldn’t hurt if you update your system and antivirus as soon as latest updates are available to strengthen your protection against threats like Arena ransomware.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the Arena Ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Look for Arena ransomware or any malicious program and then Uninstall it.
Step 3: Hold down Windows + E keys simultaneously to open File Explorer.
Step 4: Go to the directories listed below and then look for the corrupted files such as its ransom note, FILES ENCRYPTED.txt created by the malware.
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Arena ransomware created. So if you are not familiar with the Windows Registry skip to Step 9 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 5.
Step 5: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.
Step 6: Navigate to the following path:
Step 7: Delete any suspicious registry value.
Step 8: Close the Registry Editor.
Step 9: Empty the Recycle Bin.
Follow the continued advanced steps below to ensure the removal of the Arena ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.