What is Allcry ransomware? And how does it execute its attack?
Allcry ransomware is a newly developed file-encoding Trojan that was discovered on October 02, 2017. It has been observed targeting computer users in East Asia, with Japan, South Korea, China and India as its primary targets. This file-encrypting Trojan is reported to run on the latest versions of Windows and to turn the encrypted files into executable applications.
According to security experts, Allcry ransomware infiltrates computers through malicious spam email messages, which are responsible for installing it on the affected machines. It is programmed to encrypt files using a custom AES encryption routine. It then appends the .allcry extension to the targeted data, and the thumbnails in Windows Explorer reflect the modification. Once the encryption is done, Allcry ransomware creates a file named readme.txt, which is opened in Notepad and contains the message below:
“Some files have been encrypted
Please send 0.2 bitcoins to my wallet address
If you paid, send the machine code to my email
I will give you program to decryper
If there is no payment within seven days,
we will no longer support decryption
Email: [email protected]
Btc wallet: [RANDOM CHARACTERS]”
Aside from the Notepad window, the ransomware also opens a program window named Allcry crypter, which contains the same ransom note. Based on lab tests, the Allcry ransom note is written in three languages: English, Korean and Chinese.
In its ransom note, the ransomware demands a total of 0.2 Bitcoins, which is approximately $892. The perpetrators state that negotiations are possible via emails sent to the address they’ve provided. However, contacting these crooks wouldn’t be a wise move, as they might only increase the ransom amount, not to mention that they can’t be trusted. The best way to deal with this is to opt for an alternative way to recover your encrypted files. That alternative is discussed right after the Allcry ransomware removal instructions.
How does Allcry ransomware spread its malicious files?
Allcry ransomware spreads its malicious infection using the good old spam email campaign that carries a macro-enabled document. Once you download and open this document, it launches a command that connects to the ransomware’s remote server. After that, it drops Allcry ransomware onto your system to start its attack. Since malicious spam email campaigns are rampant, you have to make sure that your system is well protected from these attacks by keeping both the system and your antivirus program up to date.
Eliminate Allcry ransomware by following the removal instructions below, then use the recovery option for the encrypted files.
Step 1: Tap Ctrl + Shift + Esc to open the Task Manager.
Step 2: Once you’ve opened the Task Manager, go to the Processes tab, look for Allcry’s process, which is Allcry.exe, and then end it.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and click OK or press Enter.
Step 4: Look for Allcry ransomware or any suspicious program and then Uninstall it/them.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Navigate to the following locations and look for Allcry ransomware’s malicious components, such as readme.txt and the macro-enabled document it came with, and then delete all of them.
Step 7: Close the File Explorer. Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a significant impact on your computer. To save you the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run, then type in regedit in the field and press Enter to open the Registry Editor.
Step 9: Navigate to the following paths:
Step 10: Delete the registry keys and sub-keys created by Allcry ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume Copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Allcry ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; a new window will pop up. Go to the Previous Versions tab, which lists the file’s versions from before it was modified. After it loads, select any of the previous versions displayed on the list, like the one in the illustration below, and then click the Restore button.
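The following PowerShell triage script is an added example, not part of the original guide: it checks the three things that Steps 2 and 6 of the removal instructions and the shadow-copy recovery above depend on, namely whether Allcry.exe is still running, where the .allcry files and readme.txt ransom notes are, and whether Volume Shadow Copies still exist. The process name, file extension, note filename and note text come from this article; the scan roots and report path are my own assumptions, and reading shadow copies requires an elevated (Administrator) prompt.

```powershell
# Added triage script for the Allcry infection described in this article.
# Assumptions (not from the page): the scan roots and report path below are
# my own choices; Win32_ShadowCopy needs an elevated (Administrator) prompt.
param(
    [string[]]$ScanRoots = @($env:USERPROFILE, 'C:\Users\Public'),
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\allcry-triage.txt')
)

$lines = New-Object System.Collections.Generic.List[string]

# 1. Step 2 of the guide: is the Allcry.exe process still running?
$procs = @(Get-Process -Name 'Allcry' -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    foreach ($p in $procs) { $lines.Add("RUNNING: PID $($p.Id) $($p.Path)") }
} else {
    $lines.Add('No Allcry.exe process found.')
}

# 2. Step 6 of the guide: find encrypted files (.allcry) and ransom notes.
#    A readme.txt only counts as a note if it contains the article's note
#    text, so ordinary readme.txt files are not flagged.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Extension -eq '.allcry') {
                $lines.Add("ENCRYPTED: $($_.FullName) ($($_.LastWriteTime))")
            } elseif ($_.Name -eq 'readme.txt') {
                $isNote = Select-String -LiteralPath $_.FullName -Pattern 'Some files have been encrypted' -Quiet
                if ($isNote) { $lines.Add("NOTE: $($_.FullName) ($($_.LastWriteTime))") }
            }
        }
}

# 3. Shadow copies: the Previous Versions restore only works if they survived.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    $lines.Add("Shadow copies present: $($shadows.Count); Previous Versions restore may work.")
} else {
    $lines.Add('No shadow copies found (or prompt not elevated); Previous Versions restore will not work.')
}

$lines | Set-Content -LiteralPath $Report
Write-Host "Wrote $($lines.Count) lines to $Report"
```

Run it before Step 1 to record what is present, and again after Step 11 to confirm that no Allcry.exe process or ransom note remains before attempting the Previous Versions restore.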
To make sure that nothing is left behind and that Allcry is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.