What is Sequre ransomware? And how does it execute its attack?
Sequre ransomware is a file-encrypting virus that was first discovered in the last week of April 2018. This crypto-malware uses the AES encryption algorithm to encrypt the files it targets, and it appears to be a strain of CryptConsole 2.0 ransomware. As soon as it enters a system, it tries to achieve persistence by modifying Windows settings and creating entries in the Windows registry. Although its attack begins like that of a typical ransomware, Sequre is unusual in that, rather than a single executable carrying out the whole attack, it consists of several encrypted executables that a C# program decrypts and launches directly into memory.
Because these executables are decrypted only at run time and launched straight into memory, the crypto-malware can evade the signature-based scans of AV programs. It is also possible that some form of stealth protection is engaged right after the file-encrypting malware is installed on the system.
During its attack, Sequre ransomware gathers information about the infected system; this information appears to serve as the anonymous metrics the cyber crooks use to judge how effective the Sequre ransomware campaign really is. It targets various file formats such as .html, .doc, .jpg, .mp3, .mp4 and many more. After the encryption, Sequre ransomware drops its ransom note in a file named “HOW DECRYPT FILES.hta”, which contains the following message:
“Your files are encrypted!
Your personal ID
NQFWTAPP72VXJI2TKUFGN2107016WN0KDU9UYCUI
Discovered a serious vulnerability in your network security.
No data was stolen and no one will be able to do it while they are encrypted.
For you, we have automatic decryptor and instructions for remediation.
How to get the automatic decryptor:
1) 0.14 BTC
Buy BTC on one of these sites:
- https://localbitcoins.corn
- https://www.coinbase.com
- https://xchangetcc
bitcoin address for pay:
14vo2jGKGemxwWKySqPKJ2kTh4MoboqAbG
Send 0.14 BTC
2) Send a screenshot of payment to
[email protected] . In the letter include your personal ID(look at the beginning of this document).
3) You will receive automatic decryptor and all files will be restored
* To be sure in getting the decryption, you can send one file(less than 10MB) to
[email protected] In the letter include your personal ID(look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0.01 btc…
Attention!
- No Payment = No decryption
- You really get the decryptor after payment
- Do not attempt to remove the program or run the anti-virus tools
- Attempts to self-decrypting files will result in the loss of your data
- Decoders other users are not compatible with your data, because each user’s unique encryption key
- If you can’t send a message, try to write with the other e-mail address, for example, register mail.india.com”
How are the malicious files of Sequre ransomware disseminated?
The malicious files of Sequre ransomware are disseminated through malicious spam email campaigns. To protect your computer from harmful threats like Sequre ransomware, never open suspicious attachments, especially ones that ask you to enable macros in order to open the file.
To obliterate Sequre ransomware from your system, make sure to follow the removal steps below.
Step 1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 2: Go to Processes and look for the malicious process of Sequre ransomware, then right-click on it and select End Process or End Task.
Step 3: Close the Task Manager and open the Programs and Features Control Panel applet by pressing the Windows key + R, typing appwiz.cpl, and then clicking OK or pressing Enter.
Step 4: Look for dubious programs that might be related to Sequre ransomware and then Uninstall it/them.
Step 5: Tap Win + E to launch File Explorer.
Step 6: After opening File Explorer, navigate to the directories listed below, look for malicious components of Sequre ransomware such as HOW DECRYPT FILES.hta, and remove them all.
- %TEMP%
- %APPDATA%
- %DESKTOP%
- %USERPROFILE%\Downloads
- C:\ProgramData\local\
Step 7: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will have a significant impact on your computer. To save you the trouble and time, you can simply use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field, and press Enter to pull up the Windows Registry.
Step 9: Navigate to the paths listed below and look for the registry keys and sub-keys created by Sequre ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step 10: Delete the registry keys and sub-keys created by Sequre ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
Restore the previous state of your files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Sequre ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; a new window will pop up, where you proceed to the Previous Versions tab. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed on the list, like the one in the illustration below, and then click the Restore button.
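The following PowerShell audit script is an added example and is not part of the original guide or of any product it mentions: it inspects the directories from Step 6 and the autorun keys from Step 9 for traces of Sequre (the ransom note name and any startup command worth reviewing), and lists surviving shadow copies so you know whether the Previous Versions method above has anything to restore from. It assumes an elevated PowerShell session and that %DESKTOP% refers to the current user's Desktop folder.

```powershell
# Added example, not part of the original guide: inspect the locations named in
# Steps 6 and 9 for Sequre traces, and check whether shadow copies still exist
# before relying on Previous Versions. Assumes an elevated PowerShell session.

$noteName = 'HOW DECRYPT FILES.hta'   # ransom note file name from the write-up

# Directories from Step 6 (%DESKTOP% resolved via the .NET special-folder API)
$dirs = @(
    $env:TEMP, $env:APPDATA,
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    'C:\ProgramData\local'
)

# Autorun keys from Step 9
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-RansomNotes {
    # Search each existing directory (hidden files included) for the ransom note
    foreach ($d in $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $d -Filter $noteName -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    }
}

function Get-AutorunEntries {
    # Emit every value under the Run/RunOnce keys, skipping PowerShell's own metadata
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $runKeys | Where-Object { Test-Path $_ }) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ShadowCopies {
    # Empty output means the Previous Versions tab will have nothing to offer
    Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, VolumeName, InstallDate
}

'== Ransom notes ==';   Find-RansomNotes   | Format-Table -AutoSize
'== Autorun entries (review each command path) =='; Get-AutorunEntries | Format-Table -AutoSize
'== Shadow copies ==';  Get-ShadowCopies   | Format-Table -AutoSize
```

Run it before deleting anything, and keep its output as a record of what was found; any autorun command pointing into the Step 6 directories is a candidate for the Step 10 cleanup.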
To ensure the removal of Sequre ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Options menu, use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type the URL address [product-url] into the Run dialog box and then tap Enter or click OK.
- This will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.