What is ShkolotaCrypt ransomware? And how does it execute its attack?
ShkolotaCrypt ransomware is a new file-encrypting malware found to be targeting Russian-speaking users. It applies a combination of AES and RSA encryption algorithms in encrypting the files in a computer. It demands a ransom of thousands of rubles in Dash crypto-currency which is equivalent to 0.1 Dash. It uses a “.crypted” extension in marking its encrypted files, the same with other ransomware threats like GlobeImposter and CryptoLocker.
Once it is able to infect a system, a malicious payload is dropped into the system responsible for loading ShkolotaCrypt on the infected machine. ShkolotaCrypt ransomware has the same functionalities as GlobeImposter and will exclude system folders from being encrypted. It encrypts files with specific file extensions such as:
.3gp, .7z, .accdb, .ai, .avi, .bmp, .cdr, .divx, .djvu, .doc, .docm, .docx, .eps, .fb2, .flv, .gif, .gz , .gzip, .jpeg, .jpg, .mdb, .mdv, .mkv, .mov, .mp4, .mpeg, .mpg, .ods, .odt. pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .pub, .rar, .raw, .rtf, .svg, .swf, .tar-gz, .tgz, .tiff,. txt, .webm, .wmv, .wps, .xlr, .xls, .xlsb, .xlsm, .xlsx, .zip, .zipx
The instant it finds these files, it encrypts them using the AES and RSA ciphers and afterward, it appends the “.crypted” extension to every compromised file and then opens a text file named “READ ME!!!.txt” that contains the following message:
“What happened to my files?
All your important files were encrypted using strong RSA-4096 and AES-256 algorithms.
File decryption is possible only with the help of the encryption key stored by us.
What to do to get the encryption key?
To obtain the key, you must pay a ransom in the amount of about a thousand rubles (EXACTLY 0.10004672 in the Dash cryptocurrency at Dash address XvW7aLVhJbvqvjnt7zkngBowWRhUi1Xwin ).
After payment, you must send your unique identifier to one of our mailboxes.
If we see that the payment has been made, we will send you a descrambler and encryption key.
Where to get the ID?
Your unique identifier:
㖖 㗌 㕲 㔅 㖉 㕭 㕫 㗅 㖛 㖛 㔦 㕂 㗅 㖦 㖘 㗯 㖟 㗋 㔑 㔑 㔮 㗰 㕽 㕏 㗙 㔩 㗶 㔌 㔌 㕒 㕆 㕩
It was also recorded in your buffer exchange
Where is the guarantee that after paying the ransom I can recover my files?
You can send us an email with an identifier one encrypted file up to 5 megabytes.
We will decrypt it and will send you as proof that we can decrypt your files.
How to send Dash?
Dash can be sent using the following monitoring service for exchangers:
https://www.bestchange.ru/yandex-money-to-dash.html
Or register on the Payeer website and exchange money for Dash on the stock exchange inside the website:
HTTPS: // payeer. com
Or you can use itOther cryptocurrency exchanges
What will happen if I do not pay the ransom?
You can restore files only by decrypting them. No antivirus office will help you.
If payment is not made within three days, 20% of the encrypted files will be irretrievably destroyed.
If payment is not made within seven days, all encrypted files will be destroyed!
Our email addresses for contacts and questions:
[email protected]
[email protected]
You can read about RSA and AES algorithms on Wikipedia.
This file is on your desktop, you can open it again to read this text.”
As usual, when dealing with file-encrypting malware, paying the ransom is definitely not recommended. So the best way to deal with it is by wiping it out of your computer and use whatever backup copies you have until a free decrypter is available.
How does ShkolotaCrypt ransomware proliferate?
ShkolotaCrypt ransomware proliferates using several distribution methods. For one, malicious email campaigns where crooks attach a seemingly legitimate file that actually contains malicious scripts used to initiate its attack in the system. Crooks tend to disguise these malware-laden emails so you need to double-check the email first before you download any kind of attachment.
Eliminating ShkolotaCrypt ransomware from your computer wouldn’t be that easy so you need to follow the removal guide provided below.
Step_1: The first thing you need to do is to obliterate the process of ShkolotaCrypt ransomware by opening the Task Manager – simply tap the Ctrl + Shift + Esc keys on your keyboard.
Step_2: After that, switch to the Processes tab and look for any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to ShkolotaCrypt ransomware and then end them all.
Step_3: Now that the malicious processes are eliminated, close the Task Manager.
Step_4: Next, tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step_5: Under the list of installed programs, look for ShkolotaCrypt ransomware or anything similar, and then uninstall it.
Step_6: Then close Control Panel and tap Win + E keys to launch File Explorer.
Step_7: Navigate to the following locations below and look for the malicious components of ShkolotaCrypt ransomware like the file named READ ME!!!.txt, updater.exe, and [random].exe as well as other suspicious files it has created and downloaded into the system and then delete all of them.
- %LOCALAPPDATA%
- %APPDATA%
- %TEMP%
- %WINDIR%\System32\Tasks
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step_8: Close the File Explorer.
Before you go on any further, make sure that you are tech-savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use Restoro this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step_9: Tap Win + R to open Run and then type in Regedit in the field and tap enter to pull up Windows Registry.
Step_10: Navigate to the following path:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step_11: Delete the registry keys and sub-keys created by ShkolotaCrypt ransomware.
Step_12: Close the Registry Editor and empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows Previous Versions feature will only be effective if ShkolotaCrypt ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Congratulations, you have just removed ShkolotaCrypt Ransomware in Windows 10 all by yourself. If you would like to read more helpful articles and tips about various software and hardware visit fixmypcfree.com daily.
Now that’s how you remove ShkolotaCrypt Ransomware in Windows 10 on a computer. On the other hand, if your computer is going through some system-related issues that have to get fixed, there is a one-click solution known as Restoro you could check out to resolve them.
This program is a useful tool that could repair corrupted registries and optimize your PC’s overall performance. Aside from that, it also cleans out your computer for any junk or corrupted files that help you eliminate any unwanted files from your system. This is basically a solution that’s within your grasp with just a click. It’s easy to use as it is user-friendly. For a complete set of instructions in downloading and using it, refer to the steps below
Perform a full system scan using Restoro. To do so, follow the instructions below.
