What is Ordinal ransomware? And how does it execute its attack?
Ordinal ransomware is a new ransomware Trojan built with the infamous HiddenTear open source platform. It was first discovered on October 20, 2017 and targets regular PC users. At the time of writing, it is identified by several security programs as:
- Trojan ( 004de29f1 )
- malicious_confidence_100% (W)
This crypto-malware does not show any peculiar traits, other than downloading a particular wallpaper from https://i.imgur.com during its infiltration. According to security experts, this new ransomware is similar to ViiperWare ransomware and AnonCrack ransomware, which are all built on the same open source platform. Moreover, this particular ransomware can also be downloaded from the Dark Web for free, and it is next to impossible to find out who is behind this new threat.
During its infiltration, Ordinal ransomware scans the drives in your PC for files to encrypt. It then encrypts them with the AES-256 cipher (which the note calls "military grade") and appends the .Ordinal extension to each affected file. Finally it delivers its ransom note, a file named READ ME To Get Your Files Back.txt that is opened on screen in Notepad and contains the following text:
Follow the instructions to unlock your data
YOUR FiLES ARE ENCRYPTED
All your files have been encrypted with AES-256 Military Grade Encryption
Your files have been encrypted, the only way to recover your files is to pay the fee. Once you have paid the fee all your files will be decrypted and return to normal.
Send the required fee (found below) to the Bitcoin address (found below). Once you have sent the required fee to the Bitcoin address send an email with your Identification key (without this we can’t help you). It may take 12-24 hours to us to respond. You will receive a Decryption Program + Decryption Key.
WHAT NOT TO DO
DO NOT RESART/TURN OFF YOUR COMPUTER
DO NOT ATTEMPT TO RECOVER THE FILES YOUR SELF
DO NOT CLOSE THIS PROGRAM
DECRYPTION KEY WILL BE DELETED FROM OUR SERVERS IN 7 DAYS FROM TODAY
Bitcoin Address: 1HMnuFLBUex2ykPMFtVs7cnP8aENbwy
Amount to Send: 1.00 BTC
Contact [email protected]
The cyber crooks behind Ordinal ransomware demand a payment of 1 BTC, approximately $5732, in exchange for the decryption program you need to restore your encrypted files, and they want to be contacted at the given address, [email protected]. However, it is common knowledge that paying the ransom does not guarantee that the crooks will actually hand over the decryption program. In fact, they may simply ignore you once they have the payment. The best thing you can do is to try to restore your files using Windows Previous Versions, use any backup copies you have, or wait until security experts come up with a free decryption tool.
How does Ordinal ransomware spread its malicious files?
Ordinal ransomware invades systems through macro-enabled document attachments sent out in malicious spam email campaigns. When you open such a document, its macro runs a command responsible for installing Ordinal ransomware on your computer. You also have to beware of downloading content from insecure domains, as it might contain a malicious file carrying this ransomware.
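The artifacts named above (the .Ordinal extension, the ransom note filename, and the macro-enabled document that delivers the Trojan) can be swept for in one pass before the manual cleanup. The triage scanner below is an added example, not code from the original post; its function names and the sample directory tree are constructed here, and the macro check uses the presence of a vbaProject.bin part inside the OOXML zip container as a general indicator of embedded VBA, not a signature for this family.

```python
import os
import tempfile
import zipfile

ENCRYPTED_EXT = ".Ordinal"
RANSOM_NOTE = "READ ME To Get Your Files Back.txt"
OOXML_EXTS = (".docm", ".docx", ".xlsm", ".xlsx", ".pptm", ".pptx")


def has_vba_project(path):
    """True if an OOXML container embeds a VBA project part (e.g. word/vbaProject.bin)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def triage(root):
    """Walk root and collect encrypted files (with original names), notes and macro docs."""
    report = {"encrypted": [], "notes": [], "macro_docs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                # strip the appended extension to recover the original filename
                report["encrypted"].append((path, name[: -len(ENCRYPTED_EXT)]))
            elif name == RANSOM_NOTE:
                report["notes"].append(path)
            elif name.lower().endswith(OOXML_EXTS) and has_vba_project(path):
                report["macro_docs"].append(path)
    return report


def build_sample_tree(base):
    """Constructed sample: two encrypted files, one note, one macro doc, one clean doc."""
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    for fname in ("budget.xlsx.Ordinal", "thesis.docx.Ordinal", RANSOM_NOTE):
        open(os.path.join(docs, fname), "wb").close()
    with zipfile.ZipFile(os.path.join(base, "invoice.docm"), "w") as zf:
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    with zipfile.ZipFile(os.path.join(base, "clean.docx"), "w") as zf:
        zf.writestr("word/document.xml", b"<w:document/>")


def demo():
    """Run the scanner over the constructed tree and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)
```

The recovered original names in the "encrypted" list are the files to target with the Previous Versions restore described later in this guide.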
To eliminate Ordinal ransomware, make sure that you complete the set of instructions given below as well as the advanced steps that come afterwards.
Step 1: Tap Ctrl + Shift + Esc to open the Task Manager.
Step 2: Once you’ve opened the Task Manager, go to the Processes tab and look for main.exe and end its process by clicking on End Task or End Process.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Ordinal Ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the locations listed below and look for Ordinal ransomware's malicious components, such as main.exe and the macro-enabled document it came with, as well as other suspicious files, and then delete all of them.
Step 7: Close File Explorer. Before you proceed to the next steps, make sure that you are tech savvy enough to know exactly how to use and navigate your computer's Registry. Keep in mind that any changes you make there can heavily impact your computer. To save yourself the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won't be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field and press Enter to pull up the Windows Registry.
Step 9: Navigate to the following path:
Step 10: Delete the registry keys and sub-keys created by Ordinal ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows' Previous Versions feature will only work if Ordinal ransomware hasn't deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it's definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; go to the Previous Versions tab. It will load the file's previous versions from before it was modified. After it loads, select one of the previous versions displayed on the list, like the one in the illustration below, and then click the Restore button.
To make sure that nothing is left behind and that Ordinal ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Options menu, use the arrow keys, select Safe Mode with Networking and then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be in between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.