What is Atchbo Ransomware? And how does it carry out its attack on the infected computer?
Atchbo ransomware is a crypto-malware threat designed to encrypt files so that their owners can no longer open them. According to researchers, it appears to be a successor of an earlier ransomware strain that came out before it, since the two share many similarities. Atchbo is a highly dangerous program that holds its victims' files hostage in exchange for a ransom. It arrives on the infected computer as a file named Ransomware2.0v.exe, which starts scanning the computer's drives for files to encrypt. It targets files with the following extensions:
.3g2, .3gp, .asf, .asx, .avi, .flv, .m2ts, .rm, .jpg, .tar.gz, .gif, .sqlite3, .html, .txt, .tar, .jpeg, .swf, .mkv, .mov, .vob, .png, .mp3, .pyc, .php, .log, .jar, .sh, .tiff, .mp4, .wmv, .docx, .mpg, .mpeg, .pdf, .rar, .zip, .7z, .exe, .c, .sql, .bak, .bundle, .cpp, .deb, .h
As soon as it finds matching files, it encrypts them with the AES-256 cipher and appends the .exo extension to each file name. It then deletes the Volume Shadow Copies, which makes it next to impossible to recover the files through the Windows Previous Versions feature. That leaves two ways to get the files back: the decryption key, which only the criminals hold, or backup copies of your important files made before the infection. Note that the targeted extensions include .exe, .bak and .sql, so installed programs, database dumps and local backups kept on the same drive are hit as well. After encryption, Atchbo delivers its ransom note in the usual way, as text files named UnlockYourFiles[0-49].txt placed on the desktop and in several other locations on the computer. The full text of the ransom note is as follows:
“All files have been infected
Get decrypt your files in 4 steps
1.Go to “www[.]anycoindirect[.]eu/en/buy/bitcoins”
2.Pay 0.007 bitcoins to the BITCOIN Address in one of the Desktop Text Files
3.Once confirmed your files will be decrypted
- And you can ENJOY your computer.”
The ransom note asks for 0.007 Bitcoin, which was roughly $35 at the time of writing. Although that is not a large sum, it is no reason to pay the criminals. Paying does not guarantee that you will get your files back: the crooks may extort more money from you or simply ignore you once they have been paid. To put it simply, paying the ransom is not worth it, no matter how easily you can afford it.
How does Atchbo ransomware spread?
Atchbo ransomware spreads across the web as a malicious executable named Ransomware2.0v.exe that is distributed through spam email campaigns. This is no surprise, as most ransomware infections use this method, and the attackers have become better at disguising the attachment so that unsuspecting users download and run the infected file themselves. You can avoid it by double-checking every email you receive, especially those from unknown senders, and by scanning any attachment before opening it.
Follow the removal guide below to eliminate Atchbo ransomware from your computer.
Step 1: Restart your PC into Safe Mode with Networking.
Step 2: Tap Ctrl + Shift + Esc to open Windows Task Manager, look for the ransomware's malicious process (its files are named Ransomware2.0v.exe and ExoGUI.exe) and end it.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Atchbo ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations below and look for Atchbo ransomware’s malicious components such as ExoGUI.exe, Ransomware2.0v.exe as well as all the copies of UnlockYourFiles[0-49].txt and then delete all of them.
- %ALLUSERSPROFILE%\Start Menu\Programs
- %APPDATA%\Microsoft\Windows\Start Menu\Programs
- %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
Step 7: Close File Explorer. Before you proceed to the next steps, make sure that you are comfortable navigating and editing the Windows Registry. Keep in mind that mistakes there can seriously damage your installation, so export the key you are about to change first (File > Export in Registry Editor). If you prefer not to edit the registry by hand, you can use an automated cleanup tool such as PC Cleaner Pro instead. If you can manage the Windows Registry yourself, go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the following path:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete the values named ExoGUI_RASAPI32 and ExoGUI_RASMANCS under that key; Atchbo ransomware creates them so that it is started again at every logon.
Step 11: Close the Registry Editor and empty your Recycle Bin.
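The file and registry checks in steps 6 to 10, together with the encryption behaviour described earlier (the .exo extension, the UnlockYourFiles[0-49].txt notes and the deleted shadow copies), can be scripted so that nothing is overlooked. The PowerShell script below is an added example written for this page, not a tool from the original article. It assumes the artefact names given above (ExoGUI.exe, Ransomware2.0v.exe and the two ExoGUI_* Run values) and only reports what it finds unless it is run with -Remove. Run it as the affected user in an elevated PowerShell window from Safe Mode with Networking.

```powershell
# Atchbo triage/cleanup helper (added example, not part of the original page).
# Without -Remove it only reports; with -Remove it ends the processes, deletes
# the dropped files and removes the Run values named in the removal guide.
param(
    [switch]$Remove
)

$ErrorActionPreference = 'SilentlyContinue'

# Artefact names quoted in the write-up (assumption: your sample uses the same ones)
$maliciousExe  = @('ExoGUI.exe', 'Ransomware2.0v.exe')
$noteGlob      = 'UnlockYourFiles*.txt'
$runValueNames = @('ExoGUI_RASAPI32', 'ExoGUI_RASMANCS')
$runKey        = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Start Menu\Programs folders listed in step 6, plus the desktop where the notes land
$searchRoots = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop')
)

# 1. Running processes whose image name matches the dropper or the GUI component (step 2)
$procs = Get-Process | Where-Object { $_.Path -and ($maliciousExe -contains (Split-Path $_.Path -Leaf)) }
foreach ($p in $procs) {
    Write-Host "[proc] PID $($p.Id) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped executables and ransom notes in the listed folders (step 6)
$artefacts = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File |
            Where-Object { ($maliciousExe -contains $_.Name) -or ($_.Name -like $noteGlob) }
    }
}
foreach ($f in $artefacts) {
    Write-Host "[file] $($f.FullName)"
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

# 3. Logon persistence: these are *values* under the Run key, not subkeys (steps 9-10)
foreach ($name in $runValueNames) {
    $val = Get-ItemProperty -Path $runKey -Name $name
    if ($val) {
        Write-Host "[run ] $name = $($val.$name)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}

# 4. Scope of the damage: count .exo files on every fixed drive and show what they were called
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object { $_.Root }
$exo = @(Get-ChildItem -Path $roots -Recurse -File -Filter '*.exo')
$sample = @($exo | Select-Object -First 3 | ForEach-Object { $_.Name -replace '\.exo$', '' }) -join ', '
Write-Host "[exo ] $($exo.Count) encrypted file(s) found; originally e.g. $sample"

# 5. Shadow copies: if none are left, Previous Versions cannot restore anything
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host "[vss ] $($shadows.Count) shadow copy(ies) still present"
```

Run the script once without -Remove and keep its output as a record of what was found, then run it again with -Remove. The .exo count and shadow copy count tell you immediately whether the Previous Versions route is closed, which is the first question to answer before deciding whether a backup restore is needed.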
To make sure that nothing is left behind and that Atchbo is completely removed, run a full system scan with an antivirus program. The steps below use SpyRemover Pro:
- Restart your computer.
- While it is booting, before the Windows logo appears, press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts normally instead, reboot and try again.
- Use the arrow keys to select Safe Mode with Networking and press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and tap R.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (with a single space between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.