What is MindLost ransomware? And how does it carry out its attack?
MindLost ransomware is new crypto-malware that also goes by the name “Paggalangrypt”. Based on analysis by security researchers, it appears to target developers rather than typical PC users; the same analysis also indicates that MindLost is still under development. Its first samples were spotted last month. Even so, the ransomware can already encrypt files, though it currently targets only a small set of file extensions:
.c, .jpg, .mp3, .mp4, .pdf, .png, .py, .txt
Once it has gained a foothold on a targeted system, it searches every storage device for files with the above extensions, skipping any folder whose path contains the strings “Windows”, “Program Files” or “Program Files (x86)”.
One telltale sign that MindLost is still in development is that this search filter is not yet active: the current build skips the device-wide search and encrypts only files under the C:\Users folder. After the encryption finishes, the ransomware downloads an image from the URL http://image.ibb[.]co/k06xZ6/insane_uriel_by_urielstock_4.jpg and sets it as the desktop wallpaper. The image carries the following message:
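The file-selection rules described above, turned into a read-only inventory so you can see how much of a machine's data a sample with these rules would reach. This is an added example written for this article, not code from the malware or from the researchers who analysed it; the function name, parameter names and the per-extension summary are my own. It only lists files, it changes nothing.

```powershell
# Added example (not the malware's code): list the files the documented MindLost
# rules would select, using the eight extensions and the three excluded path strings.
function Get-MindLostExposure {
    [CmdletBinding()]
    param(
        # Where to start. The analysed build only walks C:\Users; pass a drive
        # root such as 'C:\' to model the device-wide search the filter implies.
        [string]$Root = 'C:\Users',
        # Extensions reported for the current sample (lower-case, with the dot).
        [string[]]$Extensions = @('.c', '.jpg', '.mp3', '.mp4', '.pdf', '.png', '.py', '.txt'),
        # Path fragments the sample is meant to skip. These are substrings, not exact
        # folder names, so a path like C:\Windows.old would be skipped as well.
        [string[]]$ExcludeFragments = @('Windows', 'Program Files', 'Program Files (x86)')
    )

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $file = $_
            ($Extensions -contains $file.Extension.ToLowerInvariant()) -and
            -not ($ExcludeFragments | Where-Object {
                $file.FullName.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            })
        }
}

# Summarise exposure per extension: file count and size of what is in reach.
# (Assumed usage: run as the user whose profile you want to measure.)
Get-MindLostExposure -Root $env:USERPROFILE |
    Group-Object Extension |
    Select-Object Name, Count,
        @{ Name = 'MB'; Expression = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Because the exclusion is a substring match on the full path, any user folder that happens to contain one of the three strings is skipped too; that is a property of the rule as reported, not a choice made here.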
“Don’t Lose Your Mind But All Of Files Have Been Encrypted
Now it’s not too late, you can still get them back and go back to your life. All you have to do is go to xxxx://mindlost.azurewebsites.net and pay 200$ and all of your files will be available to you again.
When paying (and you will) enter your computer’s ID. You can find your computer’s ID in a file called ID.txt in your Desktop folder. Afterwards, enter your credit card information to complete the payment.
Now you can also purchase an insurance for an extra 50$. This means you will never be attacked by us again. This is strongly advised unless you want to go through all this again.
When you finish paying just go to your Desktop folder, run Decrypter.exe and all of your files will be safety decrypted and available to you again.
Q: What does it mean that all of my files have been encrypted?
A: All of your files are safe and can be restored. They are simply not accessible to you unless you have the key to decrypt them which we will only provide if you pay us. Also, don’t bother trying to break the encryption it’s not possible.
For more information you can go to xxxxs://en.wikipedia.org/wiki/Advanced_Encryption_Standard or at xxxx://mindlost.azurewebsites.net”
How is MindLost ransomware disseminated?
Because MindLost ransomware is still in development, it is not yet being actively distributed, but that can change at any time. Take precautions before opening any email attachment, even when the sender appears to be a well-known person or company.
These are the steps to remove MindLost ransomware from your PC should it become infected in the future. Before you start, disconnect the machine from the network and copy the encrypted files and the ID.txt file from your Desktop to external media: if a decryptor becomes available later, you will need both.
Step 1: Tap the Ctrl + Shift + Esc keys to open the Task Manager.
Step 2: In the Task Manager, look for MindLost’s malicious processes, right-click each one and select End Process or End Task.
Step 3: Close the Task Manager.
Before you proceed to the next steps, make sure you are comfortable navigating the Windows Registry: deleting the wrong key can affect the whole system, so right-click a key and choose Export to back it up before you delete anything under it. If you would rather not edit the Registry by hand, you can use a cleanup tool such as PC Cleaner Pro instead. If you can manage the Windows Registry, go on to the next steps.
Step 4: Tap Win + R to open Run, type regedit in the field and press Enter to open the Registry Editor.
Step 5: Navigate to the following paths:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 6: Under the paths listed above, look for registry values created by MindLost ransomware and delete them. The entries to look for are a value under one of the Run or RunOnce keys that launches an executable from a user-writable folder such as %TEMP% or %APPDATA%, and a Wallpaper value under HKEY_CURRENT_USER\Control Panel\Desktop that points at the downloaded ransom image.
Step 7: Close the Registry Editor and open Programs and Features by pressing Win + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 8: Look for MindLost ransomware or any suspicious program and then Uninstall it/them.
Step 9: Tap Win + E to launch File Explorer.
Step 10: In File Explorer, navigate to the following locations and delete any of MindLost ransomware’s malicious components you find there (keep your copy of ID.txt and the encrypted files):
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Step 12: Empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring encrypted files with Windows’ Previous Versions feature only works if MindLost ransomware has not deleted the Volume Shadow Copies. You can check whether any still exist by running vssadmin list shadows from an elevated Command Prompt; if the list is empty, skip this method and restore from a backup. It is still one of the best free options, so it is worth trying.
To restore an encrypted file, right-click it, select Properties, and open the Previous Versions tab. It lists the versions of the file saved before it was modified. Select one of the versions shown and click Restore.
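A read-only triage script that checks the indicators this article describes (ID.txt and Decrypter.exe on the Desktop, the wallpaper swapped for the ibb.co image, autorun values under the Run and RunOnce keys from Step 5 that launch from the user-writable folders in Step 10) and whether Volume Shadow Copies still exist before you try Previous Versions. This is an added example for this article, not a tool from the page's author or from any vendor; the variable names and the wallpaper file-name match are assumptions taken from the URL quoted above. Run it from an elevated PowerShell; it deletes nothing, it only reports.

```powershell
# Added example (not from the original article): report MindLost indicators and
# shadow-copy status. Read-only; nothing is removed.
$desktop  = [Environment]::GetFolderPath('Desktop')
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Artifacts named in the ransom note.
foreach ($name in 'ID.txt', 'Decrypter.exe') {
    $path = Join-Path $desktop $name
    if (Test-Path $path) { $findings.Add("ransom-note artifact present: $path") }
}

# 2. Wallpaper replaced by the downloaded image (file name taken from the quoted URL).
$wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wallpaper -and $wallpaper -match 'insane_uriel_by_urielstock') {
    $findings.Add("wallpaper points at ransom image: $wallpaper")
}

# 3. Autorun values whose command lives in one of Step 10's user-writable folders.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# $env:TEMP may be an 8.3 short path; compare it anyway, it still matches what a
# registry value written from the same environment would contain.
$userWritable = @($env:TEMP, $env:APPDATA, (Join-Path $env:USERPROFILE 'Downloads'), $desktop)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and friends
        $cmd = [string]$prop.Value
        foreach ($dir in $userWritable) {
            if ($dir -and $cmd.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings.Add("autorun '$($prop.Name)' in $key runs from $dir : $cmd")
            }
        }
    }
}

# 4. Are shadow copies still there? If not, Previous Versions cannot help.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    $findings.Add('no Volume Shadow Copies found: Previous Versions will not work, restore from backup')
} else {
    $newest = ($shadows | Sort-Object InstallDate -Descending)[0].InstallDate
    $findings.Add("$($shadows.Count) shadow copies present; newest created $newest")
}

if ($findings.Count -eq 0) { 'no MindLost indicators found' } else { $findings }
```

Each line it prints maps to one of the manual steps above, so you can go straight to the matching Registry key or folder instead of reading every value by hand. Querying Win32_ShadowCopy needs administrator rights, which is why the script should be run elevated.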
Make sure that you have completely removed MindLost ransomware from your computer; to do so, follow the advanced removal guide below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot and try again. While the BIOS screen is showing, press F8 repeatedly until the Advanced Boot Options menu appears. On Windows 8 and later, F8 at boot is disabled by default: instead, press Win + R, type msconfig, and on the Boot tab tick Safe boot and select Network, then restart.
- In the Advanced Boot Options menu, use the arrow keys to select Safe Mode with Networking, then press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and tap R.
- If done correctly, the Windows Run box will appear.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro with a single space between explorer and http, then click OK.
- Internet Explorer will display a dialog box. Click Run to download the program; installation starts automatically once the download finishes.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.