What is Sexy ransomware? And how does it carry out its attack?
Sexy ransomware is the latest ransomware variant of the infamous GlobeImposter ransomware. Just like GlobeImposter, this new variant is designed to encrypt data on the infected device. This variant was first released on the month of November this year. Although its name is “Sexy”, there is nothing sexy or attractive about this crypto-malware – it only got its name as it marks the encrypted files with the .sexy extension on each of the files it encrypts. According to researchers, it encrypts files which have the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip
It encrypts files with these extensions using AES 256 cryptography and marks them with the .sexy extension. Shortly after that, Sexy ransomware drops an html file named how_to_back_files.html which is placed on the computer’s desktop. The html file contains the ransom note which reads as follows:
“YOUR FILES ARE ENCRYPTED!
TO DECRYPT, FOLLOW THE INSTRUCTIONS BELOW.
To recover data you need decryptor.
To get the decryptor you should:
Send 1 crypted test image or text file or document to [email protected] (Or alternative mail [email protected])
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and
instructions We can decrypt one file in quality the evidence that we have the decoder.
Only [email protected] can decrypt your files
Do not trust anyone besides [email protected]
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data because each user’s unique encryption key”
According to the ransom note, victims are asked to send one encrypted file to [email protected] email address to determine the price for decrypting the encrypted files. The cyber crooks behind Sexy ransomware also try to intimidate users by saying that the only one that could decrypt files is [email protected]. In addition, they also threaten users that any attempts to decrypt files by themselves will result in the loss of their data. However, you shouldn’t believe such threats as these threats are merely a ploy to get users to believe that the only way to recover the files is to contact them. And more importantly, if you are one of the unfortunate victims of Sexy ransomware, paying the ransom is not recommended as you will end up losing your money for nothing. You have to obliterate Sexy ransomware from your computer before you try to recover your files.
How does Sexy ransomware proliferate?
Sexy ransomware infiltrates system through spam emails. According to researchers from BedyNet.ru, Sexy ransomware makes use of the most common distribution method as some computer users are not cautious enough in opening suspicious-looking emails. Cyber crooks usually disguise the email as an important document like invoice or receipts from well-known companies like DHL, UPS and more. That’s why you have to be cautious in opening emails even if they came from well-known companies. It would also be better if you keep both your system and antivirus program updated all the time to increase your computer’s resistance against ransomware infections and other cyber threats.
To obliterate Sexy ransomware refer to the following removal guide:
Step 1: Tap Ctrl + Shift + Esc keys to open the Task Manager.
Step 2: After opening the Task Manager, look for Sexy ransomware’s malicious process, right click on it and select End Process or End Task.
Step 3: Close the Task Manager.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 4: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 5: Navigate to the following path:
HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Step 6: Look for a value named BrowserUpdateCheck created by Sexy ransomware and delete it.
Step 7: Close the Registry Editor and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for Sexy ransomware or any suspicious program and then Uninstall it/them.
Step 9: Tap Win + E to launch File Explorer.
Step 10: After opening File Explorer, navigate to the following locations below and look for Sexy ransomware’s malicious components such as the html file named how_to_back_files.html as well as the malicious file Sexy ransomware came with.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Step 12: Empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Sexy ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Make sure that you have completely removed Sexy ransomware from your computer, to do so, follow the advanced removal guide below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.