What is WhiteRose ransomware? And how does it implement its attack?
WhiteRose ransomware is a new crypto-virus designed to encrypt files on an infected PC. This newly discovered crypto-malware does not seem to belong to any known ransomware group: it shares no code snippets with well-known ransomware families, so it is possible that the sample was bought on the dark web, or that it is a customized version of another ransomware threat.
WhiteRose ransomware employs the AES encryption algorithm to lock its targeted files. The moment it infiltrates a computer, it starts to carry out its attack by making modifications to the system so that nothing interferes with it. Before it starts the encryption, it first looks for the following file types on the computer:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip
It then starts the encryption process using the AES cipher and appends the .WHITEROSE extension to each affected file. Following data encryption, WhiteRose ransomware drops a ransom note named “HOW-the TO-the-RECOVERY-files.txt”. The ransom note is quite lengthy and stands out among the ransom notes of other ransomware threats, since the developers wrote a story that seems to express a passion for writing and a wish to plant a garden of white roses and give gifts to people all around the globe, which is quite the opposite of what the malware actually does. Here are some snippets of the ransom note:
“///////////////////////////////////////////////////
[Recovery Instructions]
I. Download qTox on your computer from [https://tox.chat/download.html]
II. Create new profile then enter our ID in search contacts
Our Tox ID: “6F548F21789***”.
III. Wait for us to accept your request.
- Copy ‘[PersonalKey]’ in “HOW-TO-RECOVERY-FILES.TXT” file and send this key with one encrypted file less size than 2MB for trust us in our Tox chat.
IV.I. Only if you did not receive a reply within 24 hours from us,
send your message to our secure tor email address “[email protected]”.
IV.II. For perform “Step IV.I” and enter the TOR network, you must download tor browser
and register in “http://torbox3uiot6wchz.onion” Mail Service)
- We decrypt your two files and we will send you.
- After ensuring the integrity of the files, We will send you payment info.
VII. Now after payment, you get “WhiteRose Decryptor” Along with the private key of your system.
VIII.Everything returns to the normal and your files will be released.
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////”
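As an added example that is not part of the original article, the following PowerShell script inventories the damage described above on an affected machine from a responder's side: it looks for files renamed with the .WHITEROSE extension and for copies of the ransom note in the user directories the removal guide lists, groups the encrypted files by their original extension so you can compare against the targeted file types above, and records the earliest write time as a rough start of the encryption. The directory list, the CSV output path and the assumption that the original file name survives in front of .WHITEROSE are mine, not facts taken from the article.

```powershell
# Added triage script, not part of the original article. Searches the folders
# the removal guide lists for files carrying the .WHITEROSE extension and for
# copies of the ransom note, then summarises what was hit.
# Assumptions: the original file name is kept in front of ".WHITEROSE", and the
# CSV report path below is a convenience choice.
$Roots = @(
    $env:APPDATA,                       # C:\Users\<name>\AppData\Roaming
    $env:TEMP,
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop"
)
# Ransom note file names as they appear in the article.
$NoteNames = @('HOW-the TO-the-RECOVERY-files.txt', 'HOW-TO-RECOVERY-FILES.TXT')

function Get-WhiteRoseArtifacts {
    $encrypted = @()
    $notes = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $files = Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue
        # @(...) keeps an empty result an empty array instead of $null
        $encrypted += @($files | Where-Object { $_.Extension -ieq '.WHITEROSE' })
        $notes     += @($files | Where-Object { $NoteNames -contains $_.Name })
    }
    [pscustomobject]@{ Encrypted = $encrypted; Notes = $notes }
}

$result = Get-WhiteRoseArtifacts

# Original extension = extension of the name with ".WHITEROSE" removed,
# e.g. "report.docx.WHITEROSE" -> ".docx". Compare against the article's list.
$byOriginalExt = $result.Encrypted |
    Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count

"{0} encrypted files, {1} ransom note copies" -f $result.Encrypted.Count, $result.Notes.Count
$byOriginalExt | Format-Table -AutoSize
$result.Notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Earliest write time of an encrypted file approximates when encryption began.
if ($result.Encrypted.Count -gt 0) {
    $first = $result.Encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    "Earliest encrypted file: {0} at {1}" -f $first.FullName, $first.LastWriteTime
}

# Keep a record for the incident notes before deleting anything.
$result.Encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\whiterose-triage.csv" -NoTypeInformation
```

Run it from a normal PowerShell prompt as the affected user before touching any files; the CSV gives you a list of what was encrypted and when, which is worth keeping even if you later restore from shadow copies or backups.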
How does WhiteRose ransomware spread its malicious payload?
It is not yet clear how WhiteRose ransomware spreads its malicious files, though it might use the most common ransomware distribution method: spam emails. Such spam emails carry malicious attachments that download and install WhiteRose ransomware on the system.
Carefully follow the removal guide below to obliterate WhiteRose ransomware.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the WhiteRose Ransomware.
Right-click on the processes then click Open File Location and scan them using a powerful and trusted antivirus like [product-name]. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Press the Windows key + R to launch Run, type appwiz.cpl in the field and click OK to open the Programs and Features section of Control Panel.
Step 3: Look for WhiteRose ransomware or any malicious program and then Uninstall it.
Step 4: Hold down Windows + E keys simultaneously to open File Explorer.
Step 5: Go to the directories listed below and look for the files created by WhiteRose ransomware, such as its ransom note “HOW-the TO-the-RECOVERY-files.txt”, as well as any other suspicious files you can find, and delete all of them.
- C:\Users\(your pcname)\AppData\Roaming
- %TEMP%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 6: Close the File Explorer.
Before you proceed to the next steps, make sure you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make can heavily affect your computer. To save yourself the trouble and time, you can just use [product-code]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 7: Tap Win + R to open Run, type regedit in the field and press Enter to open the Windows Registry Editor.
Step 8: Navigate to the following paths:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 9: Delete the registry keys and sub-keys created by WhiteRose ransomware.
Step 10: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if WhiteRose ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that pops up, go to the Previous Versions tab, which lists the versions of the file from before it was modified. Once the list loads, select one of the previous versions shown, like the one in the illustration below, and then click the Restore button.
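As an added example (not from the original article), the following PowerShell script covers Steps 7 to 9 and the shadow-copy check from a defender's side: it lists the values in the HKCU Run key named in Step 8, flags entries that point at a missing file or at one of the user-writable folders from Step 5, and then reports whether any Volume Shadow Copies still exist, which is what decides whether Previous Versions can help at all. The flagging rules, the function names and the use of the Win32_ShadowCopy class (which needs an elevated prompt) are my assumptions; the article does not say which Run value WhiteRose creates, so the script reports and deletes nothing.

```powershell
# Added check script, not part of the original article. Part 1 audits the HKCU
# Run key from Step 8 without deleting anything; part 2 tells you whether any
# Volume Shadow Copies survive, which decides whether Previous Versions can work.
# Assumptions: the flagging rules are heuristics; Win32_ShadowCopy needs an
# elevated PowerShell prompt ("vssadmin list shadows" is the CLI equivalent).
$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$UserWritableDirs = @($env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntryReport {
    if (-not (Test-Path -LiteralPath $RunKey)) { return }
    $item = Get-ItemProperty -LiteralPath $RunKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $ProviderProps) { continue }   # skip provider metadata
        $cmd = [string]$prop.Value
        # Executable path = quoted first token, or first whitespace-separated token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $flags = @()
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += 'target-missing' }
        foreach ($dir in $UserWritableDirs) {
            if ($exe -like "$dir\*") { $flags += 'user-writable-dir'; break }
        }
        [pscustomobject]@{
            Name    = $prop.Name
            Command = $cmd
            Flags   = ($flags -join ',')
        }
    }
}

function Get-ShadowCopyStatus {
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($copies.Count -eq 0) {
        return 'No shadow copies found (or prompt not elevated): Previous Versions will not help.'
    }
    $copies | Select-Object ID, VolumeName, InstallDate
}

'--- Run key entries (review, then delete only what you can attribute) ---'
Get-RunEntryReport | Format-Table -AutoSize
'--- Shadow copy status ---'
Get-ShadowCopyStatus | Format-Table -AutoSize
```

An entry flagged with both target-missing and user-writable-dir is the usual shape of a leftover autorun from malware that ran out of AppData\Roaming or %TEMP%; legitimate software that updates itself from those folders will also show user-writable-dir, so confirm the publisher before removing the value in Step 9. If the shadow-copy query returns nothing from an elevated prompt, skip Previous Versions and go straight to backups.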
Follow the advanced instructions below to ensure the removal of WhiteRose ransomware as well as all the files it left behind.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type the URL [product-url] in the Run dialog box and then press Enter or click OK.
- This will download [product-name]. Wait for the download to finish, then open the launcher to install the program.
- Once the installation is complete, run the program to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.