What is {[email protected]}.exe ransomware? And how does it implement its attack?
{[email protected]}.exe ransomware is one of the latest variants of Scarab ransomware that’s been spotted in August 2019. Specifically, it is a new and improved version of the Scarab-Bin ransomware that uses a “.{[email protected]}.exe” extension in marking its encrypted files. Apart from the extension and email address, as well as its ransom note, there are no other notable changes in this new Scarab variant.
Upon infiltration, {[email protected]}.exe ransomware will make changes in the infected computer. These changes include the new addition of malicious files that are placed in system folders. These malicious files ensure that {[email protected]}.exe ransomware won’t get detected by any antivirus programs installed in the computer while some of these malicious files make adjustments in the Windows Registry to allow the crypto-malware to run in every system boot.
After these modifications, {[email protected]}.exe ransomware will begin its main attack by encrypting various files. Right after the encryption, it adds the .bitcoin suffix at the end of every file’s name which signifies that the files are locked. Following data encryption, it releases a text file named “!!! RESTORE YOUR FILES !!!.txt” which contains the following message:
“Hello, my friend … =)
All your files do not work, because they are encrypted.
To decrypt the files write me mail:
[email protected]
[email protected]
You must specify this personal identifier (ID):
+41AAAAAAACZ1P07FZHJEQA5CARTGavIPnH-f3KICbPe2ikqWuihuzXievslvRdz8Sjrr2Ca2xTa Mke1WUWBKLF2FSrkLEgn1ZP5kV6NpFbqu2qe1HXX8AAk6vZZAZT6N03]fwjXVXM2utVdjgHRX +F8qm-wsXPYUYHEHzaoktrFYm7CylhPIV7w4ZhPG0h6tJD9y0DfWDJPEfQdnB0SZ5p3AYoIAW Lss9Ecx319+621pB-jS3vzl0ggYTix5kojN=3GAyrM6TusJ]pdQR=KLoc6aV3MaMKfEaXCgncszwl aMQU0qSGigQR5Xm36MQ9IUFZNRIDk
If you do not receive an answer, write to me again, write at the same time to three mails))”
How is the payload file of {[email protected]}.exe ransomware distributed online?
The payload file of {[email protected]}.exe ransomware is most likely distributed via spam emails. This isn’t surprising as spam emails are the go-to distribution method commonly used not just by scarab developers but also other ransomware developers. Cyber crooks usually attach the malicious payload into these emails and tend to make them look like they were sent by some well-known company or group. This is why you need to be careful in opening emails even if it seems like it is sent by some trusted individual or company as it might contain the malicious payload of Scarab [email protected] ransomware.
Killing {[email protected]}.exe ransomware and its malicious components from your computer wouldn’t be that easy so you need to follow the given removal guide below carefully as well as the advanced steps that follow.
Step_1: Tap the Ctrl + Alt + Delete keys at the same time to open a menu and then expand the Shutdown options which are right next to the power button.
Step_2: After that, tap and hold the Shift key and then click on Restart.
Step_3: And in the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step_4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step_5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step_6: Go to the Processes tab and look for any suspicious-looking processes that could be related to {[email protected]}.exe ransomware and then end their processes.
Step_7: Exit the Task Manager and open the Programs and Features section under Control Panel by pressing the Windows key + R, then type in “appwiz.cpl” and then click OK or tap Enter.
Step_8: From there, look for any suspicious-looking programs that could be related to {[email protected]}.exe ransomware and then uninstall it.
Step_9: Close the Control Panel and tap Win + E keys to open File Explorer.
Step_10: Now navigate to the following locations and look for the malicious components created by {[email protected]}.exe ransomware like “!!! RESTORE YOUR FILES !!!.txt” and “[random].exe” and then make sure to delete them all.
- %APPDATA%
- %TEMP%
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step_11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech-savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use Restoro this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step_12: Tap Win + R to open Run and then type in Regedit in the field and tap enter to pull up Windows Registry.
Step_13: Navigate to the listed paths below and look for the registry keys and sub-keys created by {[email protected]}.exe ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step_14: Delete the registry keys and sub-keys created by {[email protected]}.exe ransomware.
Step_15: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows Previous Versions feature will only be effective if {[email protected]}.exe ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions and then click the Restore button.
Congratulations, you have just removed {[email protected]}.exe Ransomware in Windows 10 all by yourself. If you would like to read more helpful articles and tips about various software and hardware visit fixmypcfree.com daily.
Now that’s how you remove {[email protected]}.exe Ransomware in Windows 10 on a computer. On the other hand, if your computer is going through some system-related issues that have to get fixed, there is a one-click solution known as Restoro you could check out to resolve them.
This program is a useful tool that could repair corrupted registries and optimize your PC’s overall performance. Aside from that, it also cleans out your computer for any junk or corrupted files that help you eliminate any unwanted files from your system. This is basically a solution that’s within your grasp with just a click. It’s easy to use as it is user-friendly. For a complete set of instructions in downloading and using it, refer to the steps below
Perform a full system scan using Restoro. To do so, follow the instructions below.