What is Mobef-Salam ransomware? And how does it execute its attack?
Mobef-Salam ransomware is a crypto-virus that encrypts valuable files on an infected system using strong encryption algorithms. According to the analysis published by security researchers, Mobef-Salam mainly targets users in Italy. This ransomware Trojan is a new version of the Mobef ransomware, and the reports describe it as an updated variant of its predecessor.
According to security researchers, Mobef-Salam ransomware targets files with the following extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .mkv, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .rar, .zip, .7zip, .odt, .sln, .aspx, .html
Once it finds files of these types, Mobef-Salam ransomware encrypts them; the published reports attribute to it a combination of AES, RSA and DES. After encryption the victim can no longer open the affected files, and a ransom message demanding payment is displayed instead. The ransom note reads:
“APPID: XXX
COMPUTER: XXX
LOGIN: XXX
*******
salam. haha sorry i kript ur filez. they are safe, so no needs w0rring. but u cant break my l33t cipher, if u wanna back filez email me quick 0k? you pay me bitcoins …
[email protected]
byezzzzz
c:\windows\2xxxxx.log”
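Before removing anything, it helps to know which files were actually touched. The following PowerShell script is an added example for this page, not code from the article or from any Mobef-Salam analysis: it lists files of the targeted types whose last-write time falls inside the encryption window and scores the first 4 KB of each with a Shannon entropy estimate. The extension subset, the time window and the search root are placeholders to adjust; the article does not say whether the ransomware renames files, so the script relies on timestamps rather than on a marker extension.

```powershell
# Added example (not from the original article): scope the damage by listing
# targeted file types written during the encryption window, with an entropy
# estimate. Placeholders: the extension subset, the window and the root.
$extensions  = @('.jpg', '.jpeg', '.png', '.bmp', '.doc', '.docx', '.xls', '.xlsx',
                 '.ppt', '.pptx', '.pdf', '.txt', '.csv', '.sql', '.mdb', '.zip', '.rar', '.psd')
$windowStart = Get-Date '2000-01-01 12:00'   # placeholder: first sign of encryption
$windowEnd   = Get-Date '2000-01-01 14:00'   # placeholder: ransom note appeared
$root        = $env:USERPROFILE               # placeholder: drive or share to scope

# Shannon entropy (bits per byte) of the first $Bytes of a file. Encrypted
# data sits close to 8.0. Caveat: natively compressed formats (.jpg, .zip,
# .docx, .mp4) are near 8.0 even when intact, so the score only discriminates
# for plain formats such as .txt, .csv, .sql, .bmp and legacy .doc/.xls.
function Get-Entropy([string]$Path, [int]$Bytes = 4096) {
    $buf = New-Object byte[] $Bytes
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $Bytes) } finally { $fs.Dispose() }
    if ($n -eq 0) { return 0 }
    $counts = @{}
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]] = 1 + $counts[$buf[$i]] }
    $h = 0.0
    foreach ($c in $counts.Values) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    return [Math]::Round($h, 2)
}

$hits = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() -and
                   $_.LastWriteTime -ge $windowStart -and $_.LastWriteTime -le $windowEnd }

# Summary by extension, then the full list (with entropy) to a CSV that the
# recovery step can work from.
$hits | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$hits | Select-Object FullName, Length, LastWriteTime,
                      @{ n = 'Entropy'; e = { Get-Entropy $_.FullName } } |
    Export-Csv -Path "$env:USERPROFILE\Desktop\encrypted-candidates.csv" -NoTypeInformation
```

Run it from an ordinary PowerShell prompt as the affected user; widen the window rather than narrow it, since a file with a timestamp just outside it is cheaper to re-check than one that was never listed.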
How does Mobef-Salam ransomware distribute its malicious file(s)?
Mobef-Salam ransomware uses the most common ransomware distribution method: spam email. The messages sent by its operators are full of grammatical errors, so be cautious of such emails, especially when they urge you to open an attachment. The attachment is typically a document carrying a macro script that runs the Mobef-Salam payload once the user enables macros. Keep both your antivirus program and your operating system up to date, and leave Office macros disabled for documents received by email, to reduce your exposure to threats like Mobef-Salam.
Use the removal guide below as a reference to eliminate Mobef-Salam ransomware from your system and to attempt recovery of your encrypted files.
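The macro attachment described above only works if Office is allowed to run it. The PowerShell below is an added example, not part of the original article: it shows the weak setting (all macros enabled) next to the hardened one and enforces the hardened one for the current user. The registry paths assume Office 2016/2019/365, whose version key is 16.0; older versions use 15.0 or 14.0.

```powershell
# Added example (not from the original article): harden Office against
# macro-laden e-mail attachments. Assumes Office 2016/2019/365 (key 16.0).
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Weak setting, as left by an "Enable all macros" click in the Trust Center:
    #   VBAWarnings = 1   (all macros run silently)
    # Hardened setting:
    #   VBAWarnings = 4   (all macros disabled, no prompt)
    #   use 3 instead if you must allow digitally signed macros
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord

    # Block macros in files that carry the Mark of the Web (downloaded or
    # received as an attachment), regardless of the VBAWarnings choice.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfromInternet -Value 1 -Type DWord
}

# Read the settings back so the change can be verified.
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfromInternet
}
```

In a domain the same two values are set through Group Policy; the per-user registry edit is the equivalent for a single machine.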
Step 1: Close the program window containing the ransom note.
Step 2: Open the Task Manager simply by tapping Ctrl + Shift + Esc keys on your keyboard.
Step 3: In the Task Manager, go to the Processes tab and look for any suspicious process, for example one running from a temporary or user-profile folder, that is likely related to Mobef-Salam ransomware. High CPU use alone is a weak indicator. Right-click the process and select End Task.
Step 4: After that, close the Task Manager.
Step 5: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 6: In the list of installed programs, look for Mobef-Salam ransomware or any unfamiliar, recently installed program and uninstall it. Ransomware rarely registers itself as an installed program, so it is normal for nothing to appear here.
Step 7: Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step 8: Navigate to the following locations below and look for Mobef-Salam ransomware’s malicious files and then delete all of them.
- %TEMP%
- %APPDATA%
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 9: Close the File Explorer.
Before you proceed to the next steps, make sure you are comfortable using the Registry Editor. Deleting the wrong key can break Windows, so export a backup of the registry (File > Export) before changing anything. If you would rather not edit the registry by hand, the tool this page recommends is PC Cleaner Pro; otherwise, continue with the steps below.
Step 10: Tap Win + R to open Run, type regedit in the field and tap Enter to open the Registry Editor.
Step 11: Navigate to the following paths:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 12: In the Run and RunOnce keys, delete any value whose command points to the Mobef-Salam executable (typically a path under %TEMP% or %APPDATA%). In the two Control Panel\Desktop keys, check the Wallpaper value and reset it if it points to a ransom-note image. Delete only entries you have confirmed belong to the ransomware.
Step 13: Close the Registry Editor and empty your Recycle Bin.
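Steps 1 to 13 can be checked in one pass before anything is deleted. The PowerShell below is an added example for this page, not code from the article: it reports processes running from user-writable folders or without a valid Authenticode signature, recently written executables and scripts in the folders listed in Step 8, and every Run/RunOnce value and Wallpaper setting from the keys in Step 11. It only reports; the removal commands at the end use placeholder names and are commented out. Run it in an elevated PowerShell prompt on the infected machine.

```powershell
# Added example (not from the original article): read-only triage over the
# processes, folders and registry keys named in the removal steps.
$userDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
              "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")

# 1. Processes: flag anything running from a user-writable folder or whose
#    image lacks a valid Authenticode signature.
Get-Process | Where-Object Path | ForEach-Object {
    $p   = $_
    $sig = Get-AuthenticodeSignature -FilePath $p.Path
    $inUserDir = $userDirs | Where-Object { $p.Path.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($inUserDir -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{ Check = 'Process'; Id = $p.Id; Name = $p.ProcessName
                           Path = $p.Path; Signature = $sig.Status }
    }
}

# 2. Files: executables and scripts written recently to the Step 8 folders.
$exts  = '*.exe', '*.dll', '*.scr', '*.bat', '*.cmd', '*.vbs', '*.js', '*.ps1'
$since = (Get-Date).AddDays(-7)          # placeholder: adjust to the infection time
$dirs  = $userDirs + "$env:APPDATA\Microsoft\Windows\Templates"
Get-ChildItem -Path $dirs -Include $exts -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since |
    Select-Object @{ n = 'Check'; e = { 'File' } }, FullName, LastWriteTime, Length

# 3. Autoruns: every Run/RunOnce value with its command line, so entries that
#    point into user-writable folders stand out.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in ($props.PSObject.Properties | Where-Object Name -notlike 'PS*').Name) {
        [pscustomobject]@{ Check = 'Autorun'; Key = $k; Name = $name; Command = $props.$name }
    }
}

# 4. Wallpaper: where a ransom-note image would be set for the user and for
#    the default profile.
'HKCU:\Control Panel\Desktop', 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' |
    ForEach-Object {
        [pscustomobject]@{ Check = 'Wallpaper'; Key = $_
                           Value = (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).Wallpaper }
    }

# Removal, once an entry is confirmed malicious (placeholder names, not IoCs):
# Stop-Process -Id 1234 -Force
# Remove-Item -LiteralPath "$env:TEMP\dropper.exe" -Force
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'BadEntry'
```

An unsigned binary under %APPDATA% that also appears as a Run value is the pattern to look for; a signed Microsoft binary with high CPU use is usually not.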
Try to recover your encrypted files using Shadow Volume Copies
Restoring your encrypted files with Windows' Previous Versions feature only works if Mobef-Salam ransomware has not deleted the Shadow Volume Copies of your files; many ransomware families remove them with vssadmin before or after encrypting. Still, it is one of the best free methods available, so it is worth a try.
To restore an encrypted file, right-click it and select Properties; in the window that opens, go to the Previous Versions tab. It lists the versions of the file captured before it was modified. Select one of the versions shown in the list (see the illustration) and click Restore.
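The same recovery can be scripted, which is useful when many files are involved or when you first want to know whether any snapshots survived. The PowerShell below is an added example, not code from the article: it lists the shadow copies of the C: volume, picks the newest one taken before the infection, exposes it through a directory symlink and copies one file out of it next to the encrypted original. The drive letter, the infection time and the file path are placeholders; run it in an elevated prompt.

```powershell
# Added example (not from the original article): check for surviving shadow
# copies and restore one file from a pre-infection snapshot.
$drive      = 'C:'                                    # placeholder
$infectedAt = Get-Date '2000-01-01 12:00'             # placeholder: encryption time
$victimFile = 'C:\Users\Alice\Documents\report.docx'  # placeholder

# Match Win32_ShadowCopy.VolumeName (\\?\Volume{GUID}\) to the drive letter.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object DriveLetter -eq $drive).DeviceID
$shadows  = Get-CimInstance -ClassName Win32_ShadowCopy |
            Where-Object VolumeName -eq $volumeId | Sort-Object InstallDate -Descending

# Ransomware commonly runs "vssadmin delete shadows /all /quiet"; if that
# happened, Previous Versions will be empty and this is the place to find out.
if (-not $shadows) { Write-Warning "No shadow copies for $drive"; return }
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

$snap = $shadows | Where-Object InstallDate -lt $infectedAt | Select-Object -First 1
if (-not $snap) { Write-Warning 'Every snapshot is newer than the infection'; return }

# DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. Expose it
# as a directory symlink; the trailing backslash on the target is required.
$link = 'C:\shadow'
if (Test-Path -LiteralPath $link) { throw "$link already exists" }
cmd /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null
try {
    $relative = $victimFile.Substring($drive.Length)   # strip "C:"
    $source   = Join-Path $link $relative
    $restored = $victimFile + '.restored'
    if (Test-Path -LiteralPath $source) {
        # Copy beside the encrypted file, not over it, so the original is kept
        # in case this snapshot turns out to be post-infection after all.
        Copy-Item -LiteralPath $source -Destination $restored
        Get-Item -LiteralPath $restored | Select-Object FullName, Length, LastWriteTime
    } else {
        Write-Warning "File not present in snapshot $($snap.ID)"
    }
} finally {
    cmd /c rmdir $link | Out-Null   # removes the link only, not the snapshot
}
```

Compare the restored copy's LastWriteTime with the encryption window before trusting it; a snapshot taken while the ransomware was still running can contain a mix of intact and encrypted files.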
To make sure nothing is left behind and Mobef-Salam ransomware is completely removed, the page recommends the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- During startup, before the Windows logo appears, press F8 repeatedly until the Advanced Boot Options menu is displayed. If Windows loads instead, reboot and try again. On Windows 8 and later F8 is disabled by default; use Settings > Update & Security > Recovery > Advanced startup > Troubleshoot > Advanced options > Startup Settings to reach the same menu.
- Use the arrow keys to select Safe Mode with Networking, then press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and press R.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- Internet Explorer will display a dialog box. Click Run to download the program; the installation starts automatically once the download completes.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.