What is X1881 ransomware? And how does it execute its attack?
X1881 ransomware is a new variant of the CryptoMix ransomware family, first observed on October 16, 2017. There are only a couple of differences between X1881 and earlier CryptoMix variants, one of which is the .x1881 extension it appends to the files it encrypts. After it gains access to the files on your computer, it scans for the following file types and encrypts them:
.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg, .part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip.
During the encryption process the ransomware keeps using the same 11 embedded RSA-1024 public keys as the earlier CryptoMix variants, and then appends the .x1881 extension to each encrypted file. It also creates a persistence entry in the Windows Registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with the value "Admin"="C:\ProgramData\[Random].exe", so that its executable is launched again at every logon. Because the public keys are built into the malware, nothing has to be fetched from a command-and-control server, and the ransomware works fully on a machine that is offline with no network connection at all. After the encryption process, X1881 drops its ransom note in a text file named _HELP_INSTRUCTION.txt containing the following text:
“Hello!
Attention! All Your data was encrypted!
For specific information, please send us an email with Your ID number:
[email protected]
[email protected]
[email protected]
[email protected]
Please send email to all email addresses! We will help You as soon as possible!
DECRYPT-ID-[RANDOM CHARACTERS] number”
Apart from encrypting files, X1881 ransomware also deletes the Volume Shadow Copies so that earlier versions of the files cannot be restored from them. This means that recovering your files without the decryption key is very hard. It also attempts to disable other recovery options on the infected computer to make restoring your files harder still. Even so, paying the ransom should not be part of your plan: the cyber criminals behind X1881 may simply take the payment and never hand over the decryption key. Your best option for now is to restore from any backup copies of the encrypted files, and otherwise to keep the encrypted files and wait until a free decryptor becomes available.
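The shadow-copy deletion and recovery tampering described above are the behaviours most worth alerting on, because they happen before or during encryption. The following PowerShell is an added example and not code from the original article: it scores process command lines against the commands ransomware families commonly use to wipe recovery data. The article does not name the exact commands X1881 runs, so the patterns are an assumption; the sample command lines are constructed for the demonstration.

```powershell
# Added example, not part of the original article: flag process command lines
# that wipe Windows recovery data, the behaviour the article attributes to X1881.
# The article does not name the commands X1881 runs; the patterns below are the
# ones ransomware families commonly use and are an assumption on my part.
$RecoveryTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                   # delete Volume Shadow Copies
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',             # shrink shadow storage so copies are purged
    'wmic(\.exe)?\s+shadowcopy\s+delete',                    # same result through WMI
    'bcdedit(\.exe)?.*recoveryenabled\s+no',                 # turn off the Windows Recovery Environment
    'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures', # stop automatic repair from offering recovery
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' # wipe the Windows Backup catalog / state backups
)

function Test-RecoveryTamperCommand {
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $false }
    foreach ($pattern in $RecoveryTamperPatterns) {
        # -match is case-insensitive in PowerShell, so 'Delete Shadows' and 'delete shadows' both hit
        if ($CommandLine -match $pattern) { return $true }
    }
    return $false
}

# Constructed sample command lines standing in for Sysmon Event ID 1 or Security 4688 records.
$SampleCommandLines = @(
    'C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet',
    'cmd.exe /c bcdedit /set {default} recoveryenabled No',
    'wmic.exe shadowcopy delete',
    'vssadmin.exe list shadows',      # benign: an administrator listing snapshots
    'C:\Windows\explorer.exe'
)

$SampleCommandLines | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-RecoveryTamperCommand -CommandLine $_); CommandLine = $_ }
} | Format-Table -AutoSize

# On a host with Sysmon installed (an assumption), the same test applies to real
# process-creation events; the command line is read from the event's XML payload.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $data = ([xml]$_.ToXml()).Event.EventData.Data
#         $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
#         if (Test-RecoveryTamperCommand -CommandLine $cmd) { $_ }
#     }
```

The first three sample lines are flagged and the last two are not; the "list shadows" line is included deliberately, since matching on the bare word vssadmin would page an analyst every time an administrator looks at snapshots.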
How does X1881 ransomware transmit its infection?
X1881 ransomware is distributed mainly through malicious spam email campaigns that carry the file used to install it on your computer. These files are usually disguised as harmless attachments to trick users into downloading and opening them. Apart from spam emails, the CryptoMix ransomware group is also known to distribute its payloads through the RIG exploit kit. RIG's landing page is JavaScript served from compromised websites or malicious advertisements, so exposure is not limited to obviously insecure domains; the kit probes the visiting browser and its plug-ins for specific unpatched vulnerabilities and delivers the payload only when it finds one. To keep an exploit kit from getting a foothold on your computer, keep the operating system, browser and browser plug-ins updated, and keep your antivirus program current as well.
The steps given below will help you obliterate X1881 ransomware. Follow them thoroughly for a successful removal.
Step 1: Tap Ctrl + Shift + Esc to open the Task Manager.
Step 2: Once you've opened the Task Manager, go to the Processes tab and look for X1881 ransomware's process (the randomly named executable running from C:\ProgramData) and end it by clicking on End Task or End Process.
Step 3: Close the Task Manager and open Programs and Features by pressing the Windows key + R, typing appwiz.cpl and then clicking OK or pressing Enter.
Step 4: Look for X1881 Ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the locations below and look for X1881 ransomware's malicious components such as _HELP_INSTRUCTION.txt, the randomly named executable and other suspicious files, and delete all of them. Do not delete the encrypted .x1881 files themselves: a future decryptor will need them.
- C:\ProgramData\[random].exe
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Close File Explorer. Before you proceed to the next steps, make sure you know how to use and navigate the Windows Registry: a wrong deletion there can leave Windows or your programs unable to start, so export the key you are about to change (File > Export in Registry Editor) before touching it. If you would rather not edit the Registry by hand, you can use PC Cleaner Pro instead. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the key listed below (HKCU is the short form of HKEY_CURRENT_USER, so this is a single location) and look for the value that X1881 ransomware created:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "Admin"="C:\ProgramData\[Random].exe"
Step 10: Delete the "Admin" value, and any other value in that key that launches an unfamiliar executable, rather than the Run key itself, which Windows and legitimate programs also use.
Step 11: Close the Registry Editor and empty your Recycle Bin.
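Steps 1 to 11 above can be checked and, if you choose, carried out from PowerShell. The script below is an added example and not part of the original article: it lists the Run values and files the steps look for, and only deletes them when run with -Remove. The "Admin" value name, the C:\ProgramData\[Random].exe location and the _HELP_INSTRUCTION.txt note come from the article; checking HKLM as well as HKCU, and flagging any other Run value that launches an executable from ProgramData, are assumptions of mine about how a renamed copy might persist.

```powershell
# Added example, not part of the original article: a read-first triage of the
# persistence entry and file artifacts that Steps 1 to 11 remove by hand. Save as
# X1881-Triage.ps1 and run it from an elevated PowerShell prompt; nothing is deleted
# unless -Remove is supplied. The "Admin" value name, the C:\ProgramData\<random>.exe
# location and the _HELP_INSTRUCTION.txt note come from the article; flagging any
# other Run value that launches an executable from ProgramData, and checking HKLM as
# well as HKCU, are my own additions (assumptions, not from the article).
param([switch]$Remove)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$RansomNote   = '_HELP_INSTRUCTION.txt'
$EncryptedExt = '.x1881'
$SearchRoots  = @($env:ProgramData, $env:TEMP, $env:APPDATA,
                  "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")

function Get-SuspiciousRunValue {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $command = [string]$prop.Value
            if ($prop.Name -eq 'Admin' -or $command -match '\\ProgramData\\[^\\"]+\.exe') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $command }
            }
        }
    }
}

function Get-X1881Artifact {
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Name -eq $RansomNote -or
                $_.Extension -eq $EncryptedExt -or
                ($_.Extension -eq '.exe' -and $_.DirectoryName -eq $env:ProgramData)   # dropper location
            }
    }
}

$runHits  = @(Get-SuspiciousRunValue)
$fileHits = @(Get-X1881Artifact)

"Suspicious Run values: $($runHits.Count)"
$runHits | Format-Table -AutoSize
"Ransom notes, encrypted files and ProgramData executables: $($fileHits.Count)"
$fileHits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $runHits) {
        # Stop the process launched by the flagged value, delete its executable, then the value itself.
        $exe = [regex]::Match($hit.Command, '[A-Za-z]:\\[^"]+?\.exe').Value
        if ($exe) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -and $_.Path -eq $exe } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
        }
        Remove-ItemProperty -Path $hit.Key -Name $hit.Name
    }
    # Only the ransom notes are removed; the .x1881 files are kept because a future
    # decryptor needs the encrypted data.
    $fileHits | Where-Object { $_.Name -eq $RansomNote } | Remove-Item -Force
}
```

Run it once without -Remove and read the two tables before running it again with -Remove; the value is deleted rather than the whole Run key, for the same reason given in Step 10.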
To make sure that nothing is left behind and that X1881 is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- As soon as the BIOS screen appears, press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts instead, reboot your computer and try again. (F8 works on Windows 7 and earlier. On Windows 8 and 10, hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart and press 5 for Safe Mode with Networking.)
- Use the arrow keys to select Safe Mode with Networking and press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro with a single space between explorer and http, then click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.