What is Mystic ransomware?
Mystic ransomware is a ransomware Trojan that leaves your files inaccessible. It is a file-encrypting threat first seen on September 14, 2017. According to researchers, its name may refer to Team Mystic in Pokemon Go. Unlike typical ransomware, it does not append an extension to the files it encrypts, which makes it hard to tell which files have been hit. Mystic tends to encrypt files on the Desktop and loads a series of modules listed below:
- dll
- netapi32
- dll
- dll
- dll
- dll
Mystic ransomware also starts RASMAN (Remote Access Connection Manager), which it uses to reach its remote server. It scans the computer's drives for files to target, mainly the file types listed below.
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2
It encrypts files with AES, so without the attacker's key the encrypted contents cannot be recovered directly; the practical recovery routes are your own backups and the Volume Shadow Copies, provided the malware has not deleted them (see the recovery section below). The harder part is working out which files were encrypted at all, since nothing in the file name marks them. After the encryption process, it creates a ransom note named ransom.txt containing the following message:
“Your computer has been hacked and your files have been locked.
You have 5 days left to recover your files so quickly follow recovery process below.
Recovery Process in 3 easy steps (Automated System. No human intervention. Works 24/365):
1) Buy 1.01 BitCoin Approx 280$. (Easiest buying option is www(.)localbitcoins.com) and goto the following website:
[TOR-based site]
2) Send payment of 1.01 Bitcoin to the address in the website given above.
3) In approx 15 minutes after making the payment to the bitcoin address, Go back to the above website. If payment is successful then you will receive unlock instructions.
Don’t delete or modify this ransom file till recovery of files as no recovery is possible without this file. This file is on your desktop for future use.
List of files which have been locked are given below.
— MYSTIC”
As you can see, the ransomware demands 1.01 BTC. The note values this at about $280, but at the exchange rate when the malware appeared in September 2017 it was roughly $3,900, and that amount is no joke. The note also claims that recovery is simple if you follow its instructions, which point to a Tor payment site that does not work properly. There is no need to pay: there are other ways to recover your files than handing over that much money.
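Because Mystic leaves file names untouched, the practical question is how to tell which files were encrypted. The script below is an added example, not code from the original page and not part of the malware: it flags files whose contents no longer match their extension (a .docx that does not start with the zip signature, a .txt that is no longer mostly printable text) and whose bytes are near-random, which is what AES output looks like. The signature table covers a subset of the extensions listed above, the 7.0 bits-per-byte threshold is an assumed cut-off, and the sample directory and the stand-in ciphertext it builds are constructed for the demonstration rather than taken from a real infection.

```python
"""Triage helper for ransomware that encrypts files in place without renaming them.
Added example with constructed sample data; not Mystic's own code."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Well-known file signatures for a subset of the extensions the malware targets.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy Office (.doc/.xls/.ppt)
ZIP = (b"PK\x03\x04", b"PK\x05\x06")                # zip and OOXML (.docx/.xlsx/.pptx)
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",), ".tif": (b"II*\x00", b"MM\x00*"), ".tiff": (b"II*\x00", b"MM\x00*"),
    ".psd": (b"8BPS",), ".pdf": (b"%PDF",),
    ".zip": ZIP, ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP,
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".7z": (b"7z\xbc\xaf\x27\x1c",), ".rar": (b"Rar!\x1a\x07",), ".gz": (b"\x1f\x8b",),
    ".sqlite": (b"SQLite format 3\x00",), ".sqlite3": (b"SQLite format 3\x00",),
}
TEXT_EXTS = {".txt", ".csv", ".xml", ".css", ".conf", ".sql", ".rtf", ".java", ".py",
             ".c", ".cpp", ".cs", ".js", ".php", ".rb", ".asm"}
ENTROPY_THRESHOLD = 7.0   # bits/byte (assumed): AES output sits near 8.0, text far below
SAMPLE_BYTES = 4096       # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path) -> str:
    """'ok'      = header or text content matches the extension
       'suspect' = mismatch AND near-random bytes (consistent with in-place encryption)
       'unknown' = mismatch but low entropy (mis-named file), or no signature known."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    ext = Path(path).suffix.lower()
    if ext in MAGIC:
        if any(head.startswith(sig) for sig in MAGIC[ext]):
            return "ok"
    elif ext in TEXT_EXTS:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
        if not head or printable / len(head) > 0.9:
            return "ok"
    else:
        return "unknown"
    return "suspect" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"


def scan(root) -> dict:
    """Walk `root` and return {'suspect': [...], 'unknown': [...], 'ransom_notes': [...]}."""
    result = {"suspect": [], "unknown": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if name.lower() == "ransom.txt":          # the note the malware drops
                result["ransom_notes"].append(p)
                continue
            verdict = classify(p)
            if verdict != "ok":
                result[verdict].append(p)
    for key in result:
        result[key].sort()
    return result


def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (constructed, not real AES)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


def build_sample_dir() -> str:
    """Constructed sample 'Desktop': intact files, in-place-encrypted files and a ransom.txt."""
    root = tempfile.mkdtemp(prefix="mystic_triage_")
    files = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 600,     # intact image
        "notes.txt": b"quarterly numbers\n" * 40,               # intact text
        "report.docx": pseudo_ciphertext(SAMPLE_BYTES),         # encrypted in place
        "holiday.jpg": pseudo_ciphertext(SAMPLE_BYTES),         # encrypted in place
        "todo.txt": pseudo_ciphertext(SAMPLE_BYTES),            # encrypted in place
        "renamed.jpg": b"this is really a text file\n" * 20,    # wrong extension, not encrypted
        "tool.exe": b"MZ" + b"\x90" * 100,                      # no signature in the table
        "ransom.txt": b"Your computer has been hacked and your files have been locked.\n",
    }
    for name, data in files.items():
        Path(root, name).write_bytes(data)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for verdict, paths in scan(sample).items():
        print(verdict, [os.path.basename(p) for p in paths])
```

Files reported as unknown have a header that does not match their extension but low entropy, which points to a mis-named file rather than ciphertext; files reported as suspect are the ones to compare against backups or Previous Versions. Point scan() at the Desktop and at the other locations the removal steps below mention.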
How does Mystic ransomware proliferate?
According to security experts, Mystic ransomware spreads through spam emails carrying a malicious attachment; opening the attachment launches the ransomware on your computer. This is the most common way to distribute ransomware, so it is no surprise that Mystic uses it as well.
Aside from spam emails, Mystic could also spread via malicious web pages hosting exploit kits designed to drop such threats as soon as the browser loads the page. A single click on a corrupted or suspicious link could therefore redirect you to one of these pages and infect you with Mystic ransomware.
Terminate Mystic ransomware by following the set of removal instructions below as well as the recovery option for the encrypted files.
Step 1: Press Ctrl + Shift + Esc to open Task Manager.
Step 2: In Task Manager, go to the Processes tab and look for any unfamiliar process, in particular one that has loaded these modules:
- dll
- netapi32
- dll
- dll
- dll
- dll
End each process.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Mystic ransomware or any suspicious program and then Uninstall it/them.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Navigate to the following locations below and look for Mystic ransomware’s malicious components such as ransom.txt and other suspicious files and then delete all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Close File Explorer. Before you proceed to the next steps, make sure you know how to navigate the Windows Registry: a wrong change there can seriously damage your system. If you would rather not edit the Registry by hand, you can use a cleanup tool such as PC Cleaner Pro instead; otherwise, go on to the next steps.
Step 8: Press Win + R to open Run, type regedit in the field and press Enter to open the Registry Editor.
Step 9: Navigate to the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete any value under this key that Mystic ransomware created, for example an entry that launches an unfamiliar executable from %TEMP% or %APPDATA%.
Step 11: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files with Windows' Previous Versions feature only works if Mystic ransomware has not deleted the shadow copies, and only if System Protection was enabled for the drive so that a shadow copy existed before the files were encrypted. Still, it is one of the best free methods there is, so it is definitely worth a try.
To restore an encrypted file, right-click on it and select Properties; in the window that opens, go to the Previous Versions tab. It lists the versions of the file saved before it was modified. Select one of the previous versions shown in the list, like the one in the illustration below, and then click the Restore button.
To make sure that nothing is left behind and that the Mystic is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, reboot it.
- The BIOS screen will be displayed; if Windows starts instead, reboot and try again. While the BIOS screen is showing, press F8 repeatedly until the Advanced Options menu appears.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and then press Enter.
- Windows will now load in Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.