What is Eternity ransomware? And how does it execute its attack?
Eternity ransomware is crypto-malware created to encrypt files and leave them inaccessible to users until a ransom is paid. It was developed by Madushan-Perera, a hacker from Sri Lanka, and appears to be related to the Stupid/FTSCoder malware. However, when it is supposed to execute its attack, the ransomware crashes on the infected system because of a missing audio file that is meant to play as soon as the lock-screen message demanding ransom appears.
At the onset of its attack, it scans the system looking for files to target. It mainly targets files with the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
Once it finds the files it is set to encrypt, it encrypts them using AES cryptography and appends the .eTeRnitY file extension to the end of each file’s name. After encrypting the data, it shows its ransom note by locking the screen. The locked screen displays a message that states:
“AlL YOUR FILES HAVE the BEEN ENCRYPTED bY the Eternity Ransomware
yOu aRe UndeR CONTROL oF the Eternity Ransomware
AlL YOUR VideoS, PhotoS, DATABASES aNd Important FILES
HAVE the BEEN ENCRYPTED bY A StronG the ENCRYPTION the METHOD.
If yOu nEeD ThE DeCrYpTiOn kEy tO DeCrYpT YoUr fIlEs
pAy $ 1000 tO ThE FoLlOwInG BiTcOiN AdDrEsS.
BTC Address – 3a6dd5ad74e5sdsd25as656w4
Contact Us For More Details
Enter Your Decryption Key Here and Click on the Skull to Decrypt Your Files …”
In its ransom note, Eternity ransomware demands $1000 for data recovery, which is quite pricey for a poorly coded ransomware infection. And even if the cyber crooks really do provide the encryption key once payment is sent, the price is not worth it, as there are other ways to recover your encrypted files without spending a cent. The recovery option is provided further down in this article.
How is Eternity ransomware disseminated?
Eternity ransomware spreads using the old but gold distribution method for ransomware infections: spam email campaigns. Cybercrooks attach obfuscated attachments such as a Word document with macro scripts, a malicious executable file disguised as a PDF file, or a corrupted ZIP file. Therefore, always be careful when dealing with emails, even if they look like they came from a well-known company, organization or group, and even if the email tells you that you’ve won a lottery you never played.
To wipe out Eternity ransomware, follow the removal guide below which also contains the recovery option to recover your encrypted files.
Step 1: On the screen, there is a field where you’re supposed to key in the password – in there, type in 1234567890 and hit Enter to unlock your computer.
Step 2: Once you’ve unlocked your computer, pull up the Task Manager by tapping Ctrl + Shift + Esc keys on your keyboard.
Step 3: Go to the Processes tab, look for the processes of Eternity Ransomware and end all of them.
Step 4: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 5: Look for Eternity Ransomware and then uninstall it.
Step 6: Close Control Panel and tap Win + E keys to open File Explorer.
Step 7: Navigate to the following locations and look for Eternity ransomware’s installer and other related files and delete them all.
Step 8: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the listed paths below and look for the registry keys and sub-keys created by Eternity ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 11: Delete the registry keys and sub-keys created by Eternity ransomware.
Step 12: Close the Registry Editor.
Step 13: Empty your Recycle Bin.
Try to recover your encrypted files using their Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Eternity ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; from there, proceed to Previous Versions. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed in the list, and then click the Restore button.
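To plan the restore, it helps to know which files carry the appended extension and which of them already have their original back on disk. The following inventory script is an added example, not part of the original guide; it assumes the extension is exactly the one named above (matched case-insensitively), and the folder names and files in `build_sample` are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

MARKER = ".eternity"  # appended extension from the article, compared case-insensitively


def inventory(root):
    """Return (pending, restored) lists of original file paths under root.

    pending  - encrypted copy exists, no file with the original name yet
    restored - encrypted copy exists and the original name is back on disk
    """
    pending, restored = [], []
    for folder, _dirs, files in os.walk(root):
        present = {name.lower() for name in files}
        for name in files:
            if not name.lower().endswith(MARKER) or len(name) == len(MARKER):
                continue
            original = name[: -len(MARKER)]  # report.docx.eTeRnitY -> report.docx
            target = restored if original.lower() in present else pending
            target.append(os.path.join(folder, original))
    return sorted(pending), sorted(restored)


def by_type(paths):
    """Count paths per original extension so the largest losses stand out."""
    return Counter(os.path.splitext(p)[1].lower() or "(none)" for p in paths)


def build_sample(root):
    """Constructed sample tree: two files still encrypted, one already restored."""
    layout = {
        "docs": ["report.docx.eTeRnitY", "budget.xlsx.eTeRnitY", "budget.xlsx"],
        "pics": ["photo.JPG.ETERNITY", "notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample data")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        pending, restored = inventory(tmp)
        print("still to restore:", len(pending), dict(by_type(pending)))
        print("already restored:", len(restored))
```

Point `inventory` at a user profile or data drive and re-run it after each restore pass; the pending list shrinks as originals come back.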
To make sure that Eternity is completely removed and that nothing is left behind, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.