October 28, 2016
A new ransomware cryptovirus called Encryptile has appeared. It appends the .EncrypTile extension to the name of every file it encrypts. The ransom note claims that the files are encrypted with the AES and RSA algorithms and gives a contact email at a Philippine-based domain. To see how to remove the ransomware and how you can try to restore your data, read this article carefully.
Encryptile Ransomware – Infection
The Encryptile ransomware can infect your computer in more than one way. Spam email campaigns may be spreading its payload file. Such messages are crafted so that you believe the email, and the attachment inside it, is important. If you open the attachment, the malicious code inside it executes and infects your computer. The payload in question can be a Trojan horse and can be an executable file; an example of one such file can be seen in the VirusTotal database:
Other infection vectors exist for the Encryptile ransomware. For instance, the malware makers could be distributing the payload through social media and file-sharing networks, uploading it to these platforms in order to infect more users. Refrain from opening files from suspicious sources such as unexpected email attachments and links. Scan them with a security program first, and check their signature and size. You should also read the tips for preventing ransomware in our forum.
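The following is an added example, not code from the original article, showing how to triage an attachment before opening it, along the lines of the advice above. It identifies the real format from the file's first bytes (a Windows executable starts with "MZ" no matter what the name says), flags names built to deceive (an executable extension, a double extension such as invoice.pdf.exe, a right-to-left override character hiding the real extension), and computes the SHA-256 so the hash can be searched on VirusTotal without uploading the file. The sample files and the extension lists are constructed for this example.

```python
"""Attachment triage: identify a file by content, not by name.
Added example, not code from the original article.  SAMPLE_PE and
SAMPLE_PDF are constructed inputs; the extension lists are a starting
point, not an exhaustive policy."""

import hashlib
import os

# Extensions Windows will execute directly (assumption: a common subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Extensions a decoy name tends to imitate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RLO = "\u202e"  # Unicode right-to-left override, used to hide a real extension

# Leading bytes of common formats (checked in order).
MAGIC = [
    (b"MZ", "pe-executable"),                      # .exe/.dll/.scr
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),              # .docx/.xlsx/.jar/.zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
    (b"\xff\xd8\xff", "jpeg"),
]


def file_kind(data: bytes) -> str:
    """Identify the format from content rather than from the file name."""
    for magic, kind in MAGIC:
        if data[:len(magic)] == magic:
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Report what the file really is and any deception in its name."""
    base = os.path.basename(name)
    ext = os.path.splitext(base)[1].lower()
    kind = file_kind(data)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        findings.append("executable content behind a non-executable extension")
    parts = base.lower().split(".")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        findings.append("double extension")  # e.g. invoice.pdf.exe
    if RLO in base:
        findings.append("right-to-left override in name")
    return {
        "name": base,
        "extension": ext,
        "size": len(data),
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),  # look this up, do not upload
        "findings": findings,
        "verdict": "suspicious" if findings else "no findings",
    }


# Constructed samples: a minimal PE-looking header and a minimal PDF header.
SAMPLE_PE = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    for fname, blob in [("Invoice_2016.pdf.exe", SAMPLE_PE),
                        ("photo.jpg", SAMPLE_PE),
                        ("report.pdf", SAMPLE_PDF)]:
        print(triage(fname, blob))
```

A clean verdict from this script means only that the name and the header are consistent; a macro-laden document or a malicious script passes it, so it complements, and does not replace, scanning with a security product.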
Encryptile Ransomware – Analysis
A new ransomware cryptovirus has been found recently, and it goes by the name of Encryptile. The malware researcher Karsten Hahn reported the discovery. It encrypts your files and appends the .EncrypTile extension to them. A ransom note appears as a picture and in a program window after the encryption process is complete.
When the Encryptile ransomware executes its payload, it may create entries in the Windows Registry to achieve persistence. These registry entries make the virus start automatically every time the Windows operating system boots. Afterward, your data is encrypted and the ransom message pops up on your desktop. The ransom note is in a file called Decrypt_[ID].txt.
You can preview the ransom message in the snippet below:
The text reads as follows:
Your files are safely encrypted with strongest AES encryption and a private RSA key
Warning! If anti-virus deletes software then look at the screenshot and text documents. You can still get your files if you pay by the time. Any cracking attempts will result in a termination of both keys.
Your important files are encrypted with a AES and RSA key, only for this computer. To unlock all of your files as if nothing ever happened, please send 0.053773 bitcoin to the bitcoin address by 3 days or both keys will be terminated and your files will be sold. There are tutorials and links to popular bitcoin markets to help you buy bitcoin easier. There is video proof the password downloads after payment, and that the decryption is flawless and you can’t recover/restore any files without the keys. Send the exact amount of bitcoin. Wait a few minutes and hit “Check payment”. After payment, the keys will download and the AES key will appear. Then go to “Decrypt” and enter the AES key. Web browsers and basic programs are only allowed until you pay. We will decrypt 1 file. E-mail us with your ID and file.
ID: [your ID will be displayed here] 1Q8bF8MgLpZkcmHXPSFjjdpDfGMPVTHjSn
[Deadline] If anti-virus stopped software, e-mail ID after you pay.
How to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
https://localbitcoins.com , https://paxful.com/buy-bitcoin
The ransom note is also displayed in a program window that is presented as a decryption tool, which unlocks your files only if you pay the ransom. In many cases, however, ransomware creators neither decrypt your files nor contact you with a solution. Do NOT pay the ransom. Nobody can guarantee that paying will get your files back, and the money will most likely fund more ransomware or other criminal activity.
You can see the program window with the ransom message right here:
Currently it is not known which file types this ransomware encrypts; as soon as there is information on the matter, the article will be updated with a list.
All encrypted files have the .EncrypTile extension appended after their original name. The encryption process uses the AES and RSA algorithms, or at least that is what the ransom note claims.
Like many ransomware families, Encryptile is more than likely to delete the Shadow Volume Copies on the Windows operating system, which removes the Previous Versions restore option for the encrypted files, using the following command:
vssadmin.exe delete shadows /all /Quiet
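The following is an added example, not code from the original article, with detection logic for the two behaviours described above: autostart persistence through the Registry and Shadow Volume Copy deletion with vssadmin. It assumes Sysmon events exported as one JSON object per line (Event ID 1 for process creation, Event ID 13 for a registry value set) with Sysmon's field names; check those against your own export. It goes beyond the article's single command line by also matching vssadmin resize shadowstorage and wmic shadowcopy delete, two other shadow copy tampering variants used by ransomware. SAMPLE_LOG and the paths in it are constructed for this example.

```python
"""Detect Run-key persistence and shadow copy tampering in Sysmon JSON.
Added example, not code from the original article.  Field names follow
Sysmon; SAMPLE_LOG and the file paths in it are constructed."""

import json
import re

EVT_PROCESS_CREATE = 1  # Sysmon: process creation
EVT_REGISTRY_SET = 13   # Sysmon: registry value set

# Classic autostart locations; HKLM and HKCU/HKU share the same sub-path.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Constructed sample: benign and malicious events of each kind, plus the wmic
# variant that the article does not mention but other families use.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /Quiet", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\payload.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\payload.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\victim\\AppData\\Roaming\\payload.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Version", "Details": "1.0"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\payload.exe"}
"""


def is_shadow_copy_tampering(cmdline: str) -> bool:
    """Match the command quoted in the article (vssadmin delete shadows) in any
    casing, quoting or path form, plus two generalisations beyond the article:
    vssadmin resize shadowstorage (evicts copies by shrinking the store) and
    wmic shadowcopy delete."""
    argv = cmdline.lower().split()
    if not argv:
        return False
    exe = argv[0].strip('"').rsplit("\\", 1)[-1]
    if exe in ("vssadmin", "vssadmin.exe"):
        return ("delete" in argv and "shadows" in argv) or (
            "resize" in argv and "shadowstorage" in argv
        )
    if exe in ("wmic", "wmic.exe"):
        return "shadowcopy" in argv and "delete" in argv
    return False


def is_run_key_persistence(target_object: str) -> bool:
    """True when a registry write lands under a Run or RunOnce key."""
    return RUN_KEY_RE.search(target_object) is not None


def scan_events(lines):
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-event lines rather than abort the whole scan
        eid = ev.get("EventID")
        if eid == EVT_PROCESS_CREATE and is_shadow_copy_tampering(ev.get("CommandLine", "")):
            alerts.append({
                "rule": "shadow_copy_tampering",
                "image": ev.get("Image"),
                "parent": ev.get("ParentImage"),  # the launching process is the lead
                "evidence": ev.get("CommandLine"),
            })
        elif eid == EVT_REGISTRY_SET and is_run_key_persistence(ev.get("TargetObject", "")):
            alerts.append({
                "rule": "run_key_persistence",
                "image": ev.get("Image"),
                "evidence": ev.get("TargetObject"),
                "value": ev.get("Details"),  # the autostarted path, i.e. what to remove
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG.splitlines()):
        print(alert)
```

The ParentImage of the vssadmin event is the useful pivot: administrators rarely run vssadmin delete shadows /all /Quiet by hand, so a parent living under a user profile is the sample to isolate, and the Details value of the Run-key alert is the file to remove once the process is stopped.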
Keep reading to see what methods you can try in order to restore your data and files.
Remove Encryptile Ransomware and Restore .EncrypTile Files
If your computer has been infected with the Encryptile ransomware, removing it takes some experience with malware removal. Get rid of the ransomware as fast as possible, before it has a chance to spread further and infect more computers. Remove it by following the step-by-step guide below. For ways to try to recover your data, see the step titled 2. Restore files encrypted by Encryptile.
Manually delete Encryptile from your computer
Note! Important notice about the Encryptile threat: manual removal of Encryptile requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.