What is File Spider ransomware? And how does it execute its attack?
File Spider ransomware is another malicious file-encrypting Trojan designed to encrypt files. It is connected to the spiderwjzbmsmu7y[.]File Spideron domain on the Tor network. This new threat is identified as a generic crypto-threat equipped with both the customized AES and RSA encryption algorithms. File Spider ransomware spreads through malicious spam emails and targets suers in Bosnia, Herzegovina, Serbia and Croatia. The malspam contains an attached word document with malicious macro scripts that pretends to be some sort of a debt collection notice. According to Google Translate the body of the email seems to be written in Serbian and starts with a subject “Potrazivanje dugovanja” which means “Debt Collection”, while the attached word document contains message written in Croatian. Once you open the macro-enabled document and click the Enable Editing followed by the buttons Enable Content, the macro embedded in the document will download the ransomware executable from a remote server and install it in the computer.
The macro-enabled document contains a Base64 encoded in PowerShell script that once executed will download XOR encrypted files named enc.exe and dec.exe from a remote server. The files will be saved to the %AppData%\Spider folder. Once these files are executed, File Spider ransomware will start to encrypt the files with the following extensions (note that the files listed below are only a FRACTION of what this ransomware targets):
lnk, url, contact, 1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, conf, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie, byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp, clkw, cma, crd, daconnections, dacpac, dad, dadiagrams, daf, daschema, db, db-shm, db-wal, db2, db3, dbc, dbk, dbs, dbt, dbv, dbx, dcb, dct, dcx, ddl, df1, dmo, dnc, dp1, dqy, dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb.
On the encryption process, the ransomware uses the AES 128 encryption algorithm along with the RSA encryption algorithm. Whenever a file is encrypted, the ransomware will log the original file to %UserProfile%\AppData\Roaming\Spider\files.txt and will append the .spider extension on each file. After that, it will create a ransom note named HOW TO DECRYPT FILES.url as well as a file named DECRYPTER.url which opens the dec.exe file. Afterwards, the enc.exe file will create a file called %UserProfile%\AppData\Roaming\Spider\5p1d3r. It then shows a decrypter GUI wihc contains the following message:
“YOUR PC HAS BEEN INFECTED WITH FILE SPIDER VIRUS
As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.
The good news is that there is still a chance to recover your files, you just need to have the right key.
To obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!
Remember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.
To avoid the misunderstanding, pleases read Help section.”
File Spider is still currently being analyzed, so security experts will probably come up with a free decryptor soon enough. So since the encrypted files are impossible to recover using alternative methods, and note that paying the ransom is not a solution, you’ll have to settle for any backup copies you have of them until a free decryptor is available. For now, you have to prioritize the removal of File Spider ransomware. How? Follow the guide below.
Step 1: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 2: After loading the Command Prompt type cd restore and hit Enter.
Step 3: After cd restore, type in rstrui.exe and hit Enter.
Step 4: A new window will appear, and then click Next.
Step 5: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the File Spider Ransomware.
Step 6: A dialog box will appear, and then click Next.
Step 3: After System Restore is completed, log into your computer and tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 4: Go to Processes and look for File Spider ransomware’s malicious process such as enc.exe and dec.exe, right click on it and select End Process or End Task.
Step 4: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 5: Look for dubious programs that might by related to File Spider ransomware and then Uninstall it/them.
Step 6: Tap Win + E to launch File Explorer.
Step 7: After opening File Explorer, navigate to the following locations below and look for File Spider ransomware’s malicious components such as the macro-enabled document, the enc.exe and dec.exe malicious executable files and then delete all of them.
Step 8: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the listed paths below and look for the registry keys and sub-keys created by File Spider ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 11: Delete the registry keys and sub-keys created by File Spider ransomware.
Step 12: Close the Registry Editor and empty the Recycle Bin.
Follow the continued advanced steps below to ensure the removal of File Spider Ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.