What is [email protected] File Extension Ransomware? And how does it carry out its attack?
[email protected] File Extension Ransomware is a new variant of the infamous Jigsaw ransomware group. As you can see on its interface shown above, this new Jigsaw variant still keeps the very same design that’s close to the design of the first Jigsaw ransomware. It first carries out its attack by modifying an existing entry in the Windows Registry so it can automatically execute itself with each system boot.
After the ransomware establishes itself into the targeted system, it will begin its search for different kinds of files to encrypt. Usually, the Jigsaw ransomware family targets files with the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as.txt, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxf.c, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip
Once it has found all the files it is set to encrypt, the encryption process begins. Following the encryption, it marks each encrypted file with the [email protected] extension. After that, [email protected] File Extension ransomware opens a window that shows the Jigsaw character and the following text:
“I want to play a game with you. Let me explain the rules:
Your personal files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently,
therefore I won’t be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hours you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer or try to close me when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time since I am the only one that
is capable to decrypt your personal data for you.
Now, let’s start and enjoy our little game together!
1 file will be deleted.
Please, send at least $150 worth of Bitcoin here:
[Address redacted]”
How does [email protected] File Extension Ransomware proliferate?
[email protected] File Extension ransomware proliferates through malicious spam email campaigns. This new Jigsaw variant carries a malicious payload named Xbox-One-Mod-Menu.exe, which suggests that it targets gamers looking for a mod menu for a particular online game that they can copy to a USB flash drive and launch on the Xbox One console.
Follow the instructions laid out below carefully to obliterate [email protected] File Extension ransomware and its malicious processes from your computer.
Step 1: Open the Task Manager simply by tapping the Ctrl + Shift + Esc keys on your keyboard.
Step 2: Under the Task Manager, go to the Processes tab and look for any suspicious-looking process that takes up an unusually large share of your CPU's resources, such as Xbox-One-Mod-Menu.exe, which is most likely related to [email protected] File Extension ransomware.
Step 3: After that, close the Task Manager.
Step 4: Tap the Win + E keys to launch File Explorer.
Step 5: Next, navigate to the following locations below and look for the malicious components of [email protected] File Extension ransomware such as Xbox-One-Mod-Menu.exe as well as other suspicious files and then delete all of them.
- C:\Users\<your username>\AppData\Roaming
- %APPDATA%
- %APPDATA%\System32Work\Address.txt
- %APPDATA%\System32Work\dr
- %APPDATA%\System32Work\EncryptedFileList.txt
- %LOCALAPPDATA%
- %UserProfile%\Local Settings\Application Data
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
- %TEMP%
Step 6: Close File Explorer.
Step 7: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 8: Under the list of installed programs, look for [email protected] File Extension ransomware or anything similar and then uninstall it.
Step 9: After that, Close Control Panel.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 10: Tap Win + R to open Run, then type regedit in the field and tap Enter to open the Windows Registry.
Step 11: Navigate to the following paths:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 12: Delete the registry keys and sub-keys created by [email protected] File Extension ransomware.
Step 13: Close the Registry Editor and empty your Recycle Bin.
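Before deleting anything by hand, it helps to see exactly what is present. The following PowerShell triage script is an added example, not part of the original guide; it only reports on the artifacts the guide names (the Xbox-One-Mod-Menu.exe payload, the %APPDATA%\System32Work folder and the HKCU Run key) and deletes nothing. The assumption that EncryptedFileList.txt holds one path per line is ours, not the guide's.

```powershell
# Added triage script (not from the original guide). Report-only: it changes nothing.
$Indicators = @('Xbox-One-Mod-Menu.exe', 'System32Work')
$MetaProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Persistence: list every value under the HKCU Run key the guide points to,
#    flagging any command line that references one of the indicators.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }   # skip provider metadata
        $hit = $Indicators | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }
        $tag = if ($hit) { 'SUSPICIOUS' } else { 'ok' }
        "[{0}] Run\{1} = {2}" -f $tag, $p.Name, $p.Value
    }
}

# 2. Dropped files: the System32Work artifacts the guide lists, expanded for the current user.
$artifacts = @(
    (Join-Path $env:APPDATA 'System32Work\Address.txt'),
    (Join-Path $env:APPDATA 'System32Work\dr'),
    (Join-Path $env:APPDATA 'System32Work\EncryptedFileList.txt')
)
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) { "[FOUND]  $path" } else { "[absent] $path" }
}

# 3. The payload may sit in any of the user folders the guide names; search only those.
$folders = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
             (Join-Path $env:USERPROFILE 'Downloads'),
             (Join-Path $env:USERPROFILE 'Desktop'))
Get-ChildItem -Path $folders -Filter 'Xbox-One-Mod-Menu.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { "[FOUND]  $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))" }

# 4. Assumption (not stated by the guide): EncryptedFileList.txt holds one encrypted path per line.
#    If it exists, count the entries to gauge how much data was touched.
$list = $artifacts[2]
if (Test-Path -LiteralPath $list) {
    $n = @(Get-Content -LiteralPath $list | Where-Object { $_.Trim() }).Count
    "EncryptedFileList.txt lists $n file(s) (assumed one path per line)"
}
```

Run it from a normal PowerShell prompt as the affected user; a SUSPICIOUS Run entry or a FOUND artifact tells you which of the steps above still apply.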
It is important to make sure that nothing is left behind and that [email protected] File Extension ransomware is completely removed using the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, you have to reboot.
- After that, the BIOS screen will be displayed; if Windows starts up instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu and select Safe Mode with Networking, then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.