What is SOREBRECT ransomware? And how does it work?
SOREBRECT is a ransomware Trojan that mainly targets high-profile organizations and businesses rather than individual computer users. It is a sophisticated piece of malware that carries out its attack without dropping a file on disk, which makes the attack more effective and harder to eliminate. SOREBRECT ransomware was first discovered in the late spring of 2017 and has since been seen attacking organizations in several countries, including Russia, the United States, Mexico, Italy, China and Japan.
As pointed out, SOREBRECT does not deliver any executable file to the targeted computer but rather injects its code into a legitimate process already running on the system. This lets the ransomware go unnoticed and carry out an attack that is much harder to stop than a regular ransomware infection. In most cases, the malware gains access through brute-force attacks that take advantage of weak passwords on remote desktop connections and other system vulnerabilities. Once it has infiltrated the computer, SOREBRECT ransomware starts its attack by injecting its code into the svchost.exe process found in the Windows system folder. It takes advantage of the PsExec utility to reach the malware, configure it and wreak havoc. What’s more, it erases all traces of itself during the attack to keep malware researchers from analyzing it and coming up with a way to remove it and restore the encrypted files. It also deletes the shadow volume copies of the targeted files to make sure that you can’t recover them using the Windows Previous Versions feature. After encrypting the files, it creates a file named “READ ME ABOUT DECRYPTION.txt”, which is the ransom note containing the following message:
“Your files were encrypted.
Your personal ID is: [128 RANDOM CHARACTERS]
To buy private key for unlocking files please contact us:
[RANDOM EMAIL ADDRESS]
Please, include the ID above.”
Our research team has also found that SOREBRECT ransomware creates a key in the Windows Registry to display a notice called “Legal Notice” every time you log in. Once the registry key is in place, you will see the following message when you log in:
“Dear owner. Bad news:
your server was hacked.
For more information and recommendations,
Write to our experts by e-mail.
When you start Windows, Windows Defender works to help
Protect your PC by scanning for malicious or unwanted software.”
As you can see, SOREBRECT is not your typical ransomware. It is a more advanced and sophisticated ransomware that you shouldn’t take lightly, so eliminating it as soon as possible is the best course of action. To do so, follow the removal instructions below.
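Before starting the manual removal, it helps to confirm which of the indicators described above are actually present on the machine. The following PowerShell script is an added example, not code from the original article or from any researcher it cites. It checks for the ransom note, the logon notice, missing shadow copies, PsExec remnants and suspicious svchost.exe instances. The search directories, the PSEXESVC service name check and the svchost.exe parent heuristic are assumptions on my part; the Winlogon LegalNoticeCaption/LegalNoticeText values are the standard Windows location for a logon notice, which the article describes but does not name. Run it in an elevated PowerShell session on the suspect host; it only reads, it changes nothing.

```powershell
# Added example (not from the original article): read-only triage for the
# SOREBRECT indicators described above. Run elevated; nothing here modifies the host.

$findings = @()

# 1. Ransom note dropped after encryption. Directories searched are an assumption.
$noteName = 'READ ME ABOUT DECRYPTION.txt'
$roots = @("$env:SystemDrive\Users", "$env:ProgramData")
$notes = Get-ChildItem -Path $roots -Filter $noteName -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($n in $notes) { $findings += "Ransom note found: $($n.FullName)" }

# 2. Logon "Legal Notice": standard Winlogon values that display text at sign-in.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
foreach ($v in 'LegalNoticeCaption', 'LegalNoticeText') {
    $val = $props.$v
    if ($val -and $val.Trim()) { $findings += "Winlogon $v is set: $val" }
}

# 3. Shadow copies: the article says the malware deletes them, so having none is a warning sign.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) { $findings += 'No Volume Shadow Copies present (possible deletion by ransomware)' }

# 4. PsExec remnant: the PsExec utility registers a PSEXESVC service on the host it runs on
#    (assumption: its presence on a box where admins never used PsExec is suspicious).
$svc = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
if ($svc) { $findings += "PSEXESVC service present (status: $($svc.Status))" }

# 5. svchost.exe heuristic (assumption): a legitimate instance runs from System32 and is
#    started by services.exe. A hit warrants investigation, not blind termination.
$sys32 = Join-Path $env:SystemRoot 'System32\svchost.exe'
$procs = Get-CimInstance -ClassName Win32_Process
$byId = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $byId[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $badPath   = $p.ExecutablePath -and ($p.ExecutablePath -ine $sys32)
    $badParent = $parentName -ine 'services.exe'
    if ($badPath -or $badParent) {
        $findings += "svchost.exe PID $($p.ProcessId): path=$($p.ExecutablePath), parent=$parentName"
    }
}

if ($findings.Count -eq 0) { 'No SOREBRECT indicators found.' } else { $findings }
```

A non-empty result does not by itself prove infection (an administrator may have set a legal notice or used PsExec deliberately), but the ransom note combined with an unexpected logon notice and missing shadow copies matches the behaviour the article describes closely enough to justify isolating the host before continuing with the steps below.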
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to the Processes tab, look for svchost.exe or any other suspicious processes, and end them.
Step 3: Open Control Panel by pressing the Windows key + R, typing appwiz.cpl, and then clicking OK or pressing Enter.
Step 4: Look for SOREBRECT ransomware or any suspicious program and then Uninstall.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and delete everything in them, as well as any other directories where you may have saved files related to SOREBRECT ransomware.
Step 7: Look for the ransom note created by SOREBRECT ransomware, “READ ME ABOUT DECRYPTION.txt” and delete it.
The next steps are not recommended if you don’t know how to navigate the Registry Editor. Incorrect registry changes can seriously damage your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that SOREBRECT ransomware created. If you are not familiar with the Windows Registry, skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, you can proceed to Step 8.
Step 8: Open the Registry Editor. To do so, tap Win + R, type in regedit and then press Enter.
Step 9: Navigate to the path below:
Step 10: Look for the registry key that SOREBRECT ransomware created and delete it, along with any other suspicious registry values.
Step 11: Close the Registry Editor.
Step 12: Empty the Recycle Bin.
Step 13: Reboot your computer into Safe Mode with Command Prompt by pressing F8 repeatedly until the Advanced Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 14: After the Command Prompt loads, type cd restore and hit Enter.
Step 15: After cd restore, type rstrui.exe and hit Enter.
Step 16: A new window will appear, and then click Next.
Step 17: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the SOREBRECT Ransomware.
Step 18: A dialog box will appear, and then click Next.
Step 19: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the SOREBRECT Ransomware.
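Steps 6 through 10 above can also be scripted, which makes the cleanup repeatable and lets you review exactly what is changed. The PowerShell below is an added example, not part of the original guide or any product it recommends. It runs in dry-run mode by default ($DryRun = $true) and only reports what it would do; set $DryRun to $false to apply the changes. The directory list is an assumption, since the guide omits its own; the Winlogon LegalNotice values are the standard Windows location for the logon notice the guide describes but does not name; the RDP and account-lockout settings address the password brute-forcing identified earlier as the usual entry point. Get-ComputerRestorePoint is a Windows PowerShell 5.1 cmdlet, so run this from Windows PowerShell rather than PowerShell 7.

```powershell
# Added example (not from the original guide): scripted version of Steps 6-10 with a
# dry-run default, plus hardening against RDP password brute-forcing. Run elevated.
$DryRun = $true

# Steps 6-7: remove ransom notes. The encrypted files themselves are not recovered by this.
$noteName = 'READ ME ABOUT DECRYPTION.txt'
$dirs = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP")   # assumed locations
Get-ChildItem -Path $dirs -Filter $noteName -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -WhatIf:$DryRun }

# Steps 8-10: back up the Winlogon key, then clear the logon "Legal Notice" values.
$winlogonReg = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon    = "HKLM:\$($winlogonReg.Substring(5))"
reg export $winlogonReg "$env:TEMP\winlogon-backup.reg" /y | Out-Null
foreach ($v in 'LegalNoticeCaption', 'LegalNoticeText') {
    $current = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).$v
    if ($current) {
        "Clearing $v (was: $current)"
        Set-ItemProperty -Path $winlogon -Name $v -Value '' -WhatIf:$DryRun
    }
}

# Steps 13-17 depend on a restore point surviving; list them so you know before rebooting.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) { $points | Select-Object SequenceNumber, Description, CreationTime }
else { 'No restore points found; the System Restore steps will not help on this host.' }

# Hardening: require Network Level Authentication for RDP and lock accounts after repeated
# failed logons, which blunts the brute-force attacks the article describes.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord -WhatIf:$DryRun
if ($DryRun) { 'Would run: net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30' }
else { net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 }
```

Keeping the dry-run default means a mistyped directory in $dirs shows up in the -WhatIf output rather than as deleted files, and the exported .reg file lets you restore the Winlogon key if anything was cleared that an administrator had set deliberately.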
Follow the advanced steps below to make sure SOREBRECT ransomware has been removed:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key together.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once the download is done.
- Click OK to launch SpyRemover Pro.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.