What is SevenDays ransomware? And how does it work?
Most ransomware infections aim to extort money from their victims. This new infection, called SevenDays ransomware, however, demands no payment or ransom for recovering the encrypted files. Although it carries out its attack and encrypts files with strong encryption, it offers no way to recover the affected files at all, just as it provides no payment options or ransom note. And despite not demanding any money from the affected users, this ransomware is no joke, for it uses a strong encryption algorithm that makes it hard for users to recover their files. So if you are one of the users infected with SevenDays, then sadly your encrypted files may as well have been deleted, since as of writing this article there is no way to decrypt or recover them, which makes this infection a very dangerous one.
SevenDays ransomware was first discovered in early August 2017. It was created using an open source program and seems to have been developed by an independent group of cyber criminals. It uses a combination of the AES-256 and RSA-2048 encryption algorithms and appends the extension .SEVENDAYS to the files it encrypts. During its encryption attack, it targets files with the following extensions:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2
It then drops a file named HOW TO DECRYPT FILES.txt in two locations: %ALLUSERSPROFILE%\Start Menu\Programs\Startup and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. One would think this file holds some information about the ransomware or how to recover the encrypted files. However, it only contains a long string of “SEVENDAYSSEVENDAYSSEVENDAYSsEVENDAYS”. So obviously that is the closest thing they have to a ransom note, leaving you without any clue about the malware or how to decrypt your files. It also changes the desktop background of your computer after its attack.
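As an added example (not code from the original article), here is a small Python triage helper that checks a file listing for the two indicators described above: files renamed with the .SEVENDAYS extension and the dropped note sitting in a Startup folder. It assumes the original file name is kept in front of .SEVENDAYS, and its target-extension set is only a subset of the article's list; the sample paths are constructed.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Subset of the file types the article lists as encryption targets
# (assumption: a real deployment would carry the article's full list).
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip", ".rar",
    ".sql", ".sqlite", ".db", ".psd", ".java", ".py", ".c", ".cpp", ".js",
}
RANSOM_EXTENSION = ".sevendays"          # extension the article says is appended
NOTE_NAME = "how to decrypt files.txt"  # dropped note, matched case-insensitively
# Both Startup folders the article names end with this path once expanded.
STARTUP_SUFFIX = "start menu\\programs\\startup"

def classify(path):
    """Return ("note", None), ("encrypted", original_ext) or ("clean", None)."""
    p = PureWindowsPath(path)
    if p.name.lower() == NOTE_NAME and str(p.parent).lower().endswith(STARTUP_SUFFIX):
        return "note", None
    if p.suffix.lower() == RANSOM_EXTENSION:
        # Assumption: the original name survives (report.pdf.SEVENDAYS),
        # so the inner suffix tells us what kind of file was hit.
        original_ext = PureWindowsPath(p.stem).suffix.lower()
        return "encrypted", original_ext or None
    return "clean", None

def triage(paths):
    """Summarise the indicators found in a file listing."""
    report = {"note_found": False, "encrypted_by_ext": Counter(), "off_list": []}
    for path in paths:
        kind, ext = classify(path)
        if kind == "note":
            report["note_found"] = True
        elif kind == "encrypted":
            report["encrypted_by_ext"][ext] += 1
            if ext not in TARGET_EXTENSIONS:  # not on the target list: look closer
                report["off_list"].append(path)
    return report

# Constructed sample listing, standing in for a directory walk on the host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.pdf.SEVENDAYS",
    r"C:\Users\alice\Pictures\holiday.jpg.SEVENDAYS",
    r"C:\Users\alice\Pictures\holiday2.jpg",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```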
How does this ruthless ransomware spread?
As of now, there is no clear information on how this ransomware is distributed, but it is most likely spread through malicious spam email attachments. The malware may even set up an email server that is used to send malicious emails to random addresses, aiming to infect as many users as possible. The malicious emails may be disguised as something that would trigger your curiosity, such as tax return forms, invoices, receipts and a whole lot of other tricks. So you should never open suspicious-looking emails, and check the sender first to avoid dangerous threats like SevenDays ransomware. It would also be better if you keep copies of your important files.
Removing this malware can be really hard, but the removal guide below will help you do just that. Carefully follow each step as you go.
Step 1: Reboot your computer into Safe Mode
On older versions of Windows (where F8 opens the Advanced Boot Options menu):
- Reboot your computer.
- Tap F8 when you see the BIOS screen.
- Select Safe Mode from the Advanced Boot Options menu using the arrow keys on your keyboard.
- Press Enter.
- And then proceed to remove the SevenDays ransomware.
On Windows 8/8.1/10:
- Tap two buttons, the Windows key and C, on your keyboard and click Settings (if you use Windows 8/8.1), or click on the Start button (if you use Windows 10).
- Click Power.
- Hold the Shift key and click Restart.
- Click Troubleshoot.
- Click Advanced options.
- Click Startup Settings.
- Click on the Restart button.
- Tap F4.
- Proceed removing the SevenDays ransomware when your PC starts in Safe Mode.
Step 2: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for any suspicious processes that can be related to the malware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 3: Open Control Panel by pressing the Windows key + R to launch Run, type appwiz.cpl in the Run box and click OK.
Step 4: Find SevenDays ransomware or any suspicious program and then Uninstall.
The next steps are not recommended if you don’t know how to navigate the Registry Editor. Making registry changes can seriously affect your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that SevenDays ransomware created. If you are not familiar with the Windows Registry, skip to Step 13 onwards. Take note that, before you make any changes, you have to create a copy of the registry files by exporting them.
Step 5: Tap Win + R and type in regedit to open the Registry Editor.
Step 6: After opening the Registry Editor, navigate to the following path:
Step 7: Look for Alcmeter.
Step 8: Once you’ve found it, right-click on it and click Modify.
Step 9: After that, copy the file path in the value data box.
Step 10: Close the Registry Editor and hold down Windows + E keys simultaneously to open File Explorer.
Step 11: Paste the file path you copied from the Registry without the name of the executable file onto the address box and hit Enter.
Step 12: Once you’ve opened the location, look for the malicious file and delete it.
Step 13: Empty your Recycle Bin.
Follow the continued advanced steps below to ensure the removal of the SevenDays ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 so that the Advanced Boot Options menu shows up.
- Use the arrow keys to navigate the menu, select Safe Mode with Networking and hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once the download is done.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.