Recovery after ransomware

Ransomware is malware that locks down your system and demands a ransom to unlock your files. There are essentially two types: PC-Lockers, which lock the entire machine, and Data-Lockers, which encrypt specific data but leave the machine usable. The objective is to extort money from the user, normally paid in a cryptocurrency such as bitcoin.

Identification and decryption

First of all, you need to know the family name of the ransomware that infected you. This is easier than it sounds: the ID Ransomware service run by MalwareHunterTeam lets you upload the ransom note (and a sample encrypted file) and identifies the family, often pointing you to a decrypter. If the family turns out to be TeslaCrypt (including version 4.0), the files can be decrypted with a free TeslaCrypt decrypter, since the authors released their master key in May 2016. The tool must first be given the decryption key: selecting the extension the ransomware appended to the encrypted files lets it set the master key automatically. When in doubt, simply select .

Data recovery

If that doesn’t work, you will need to attempt data recovery yourself, although the system may be too damaged to recover much. Success depends on a number of variables: the operating system, the partition layout, whether the ransomware overwrote or merely deleted the originals, how the filesystem reuses free space, and so on. Recuva is probably one of the best tools available, but run it from an external drive rather than installing it on the affected operating-system drive: every write to that disk can overwrite the deleted originals you are trying to get back. Once it is running, do a deep scan and hopefully the files you are looking for will be recovered.

New encryption ransomware targeting Linux systems

A malware known as Linux.Encoder.1 is attacking personal and business websites, encrypting their files and demanding a bitcoin payment of around $500 for decryption.

The attackers found a vulnerability in the Magento CMS and quickly took advantage of it. Although a patch for the critical Magento vulnerability has since been issued, it came too late for web administrators who woke up to find a ransom note reading:

“Your personal files are encrypted! The encryption occurred using a unique public key… to decrypt the files you need to get the private key… you need to pay 1 bitcoin (~420 USD)”

It is also believed that the attacks may have hit other content management systems, so the number of those affected is currently unknown.

How malware attacks

The malware runs with administrator (root) privileges. It encrypts all home directories as well as the associated website files using 128-bit AES. That alone would do a lot of damage, but it goes further: it walks the entire directory tree and encrypts a range of file types. In every directory it encrypts, it drops a text file, which is the first thing the administrator sees on logging in.

The malware looks in particular for the following:

  • Apache installations

  • Nginx installations

  • MySQL installations found on the target system

According to reports, log directories are not immune either, nor are the contents of individual web pages. The final, and perhaps most critical, targets it hits include:

  • Windows executables

  • document files

  • program libraries

  • JavaScript

  • Active Server Pages (.asp) files

The end result is a system held hostage: a business that cannot decrypt the files itself must either give in and pay the ransom or suffer severe business interruption for an unknown period of time.

The ransom demand

In each encrypted directory, the malware drops a text file called README_FOR_DECRYPT.txt. The demand for payment states that the only way to obtain decryption is through a hidden site, reached via a gateway.

If the affected person or company decides to pay, the malware is programmed to decrypt all the files and undo the damage. It appears to decrypt everything in the same order it encrypted it, and as a parting shot it deletes all the encrypted copies as well as the ransom note itself.
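To make the damage pattern described above concrete, here is a triage script for a Linux web host, added for this article; it is not code from the original page or from any vendor tool. It also serves the identification step from the first section: before submitting anything to ID Ransomware you want the drop-note and the extension the malware appended, and this collects both. The note name README_FOR_DECRYPT.txt comes from the article; the .encrypted suffix, the target directory list, the entropy threshold and the sample filesystem built in a temporary directory are assumptions for the demo.

```python
"""Triage of a Linux web host hit by a file-encrypting ransomware such as
Linux.Encoder.1.  Added example, not code from the original article or from
any vendor tool.  Assumptions: the ".encrypted" suffix, the target-area list
and the entropy threshold; the note name is the one the article reports."""
import math
import os
import tempfile
from collections import Counter

NOTE_NAME = "README_FOR_DECRYPT.txt"   # drop-note name reported in the article
ENCRYPTED_SUFFIX = ".encrypted"         # assumed suffix appended to victim files
# Areas the article says the malware goes after (assumed on-disk layout).
TARGET_AREAS = ("home", "var/www", "etc/nginx", "etc/apache2",
                "var/lib/mysql", "var/log")
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext approaches 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and summarise the damage: directories holding a drop
    note, files carrying the encrypted suffix (plus their original
    extensions), files that look encrypted by entropy despite a normal
    name, and which target areas were touched."""
    notes, encrypted, suspicious, areas_hit = [], [], [], set()
    extensions = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            is_note = name == NOTE_NAME
            is_enc = name.endswith(ENCRYPTED_SUFFIX)
            if is_note:
                notes.append(os.path.dirname(rel))
            elif is_enc:
                encrypted.append(rel)
                original = name[: -len(ENCRYPTED_SUFFIX)]
                extensions[os.path.splitext(original)[1] or "(none)"] += 1
            else:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                # High entropy under an unchanged name: encrypted in place, or a
                # variant using another suffix.  Compressed formats (jpg, zip)
                # also score high, so treat hits as leads, not verdicts.
                if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    suspicious.append(rel)
            if is_note or is_enc:
                for area in TARGET_AREAS:
                    if rel.startswith(area + "/"):
                        areas_hit.add(area)
    return {
        "notes": sorted(notes),
        "encrypted": sorted(encrypted),
        "suspicious": sorted(suspicious),
        "areas_hit": sorted(areas_hit),
        "extensions": dict(sorted(extensions.items())),
    }


def build_sample_tree(root: str) -> None:
    """Constructed victim filesystem for the demo (not a real capture).
    bytes(range(256)) * 8 stands in for ciphertext: every byte value appears
    equally often, so its entropy is exactly 8.0."""
    fake_ct = bytes(range(256)) * 8
    note = b"Your personal files are encrypted! ... you need to pay 1 bitcoin\n"
    files = {
        "var/www/html/index.php.encrypted": fake_ct,
        "var/www/html/" + NOTE_NAME: note,
        "home/alice/report.doc.encrypted": fake_ct,
        "home/alice/" + NOTE_NAME: note,
        "home/alice/backup.dat": fake_ct,       # encrypted in place, no suffix
        "etc/nginx/nginx.conf": b"server { listen 80; }\n" * 20,  # untouched
        "var/log/syslog": b"Nov  6 03:14:07 host cron[1]: session opened\n" * 10,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a mounted image of the victim disk (mounted read-only, never the live system, so you do not overwrite anything a recovery tool might still find) by calling triage() with the mount point. The "suspicious" list is the interesting output for variants that keep the original filename: entropy cannot prove a file is encrypted, but a document or config file scoring near 8 bits per byte is worth opening in a hex editor before you decide which extension to report to the identification service.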

Contact the Specialists

This new ransomware will usually require the services of a data recovery specialist. Before paying, check whether a free decrypter exists for your sample: the first version of Linux.Encoder.1 derived its AES key and IV from the system timestamp, a flaw Bitdefender used to publish a free decryption tool. Be sure to tell the specialist about any steps you have already taken to recover the data yourself; this matters and will certainly affect success rates.
