What is ShkolotaCrypt ransomware? And how does it execute its attack?

ShkolotaCrypt ransomware is a new file-encrypting malware found to be targeting Russian-speaking users. It applies a combination of AES and RSA encryption algorithms in encrypting the files in a computer. It demands a ransom of thousands of rubles in Dash crypto-currency which is equivalent to 0.1 Dash. It uses a “.crypted” extension in marking its encrypted files, the same with other ransomware threats like GlobeImposter and CryptoLocker.
Once it is able to infect a system, a malicious payload is dropped into the system responsible for loading ShkolotaCrypt on the infected machine. ShkolotaCrypt ransomware has the same functionalities as GlobeImposter and will exclude system folders from being encrypted. It encrypts files with specific file extensions such as:
.3gp, .7z, .accdb, .ai, .avi, .bmp, .cdr, .divx, .djvu, .doc, .docm, .docx, .eps, .fb2, .flv, .gif, .gz , .gzip, .jpeg, .jpg, .mdb, .mdv, .mkv, .mov, .mp4, .mpeg, .mpg, .ods, .odt. pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .pub, .rar, .raw, .rtf, .svg, .swf, .tar-gz, .tgz, .tiff,. txt, .webm, .wmv, .wps, .xlr, .xls, .xlsb, .xlsm, .xlsx, .zip, .zipx
The instant it finds these files, it encrypts them using the AES and RSA ciphers and afterwards, it appends the “.crypted” extension to every compromised file and then opens a text file named “READ ME!!!.txt” that contains the following message:
“What happened to my files?
All your important files were encrypted using strong RSA-4096 and AES-256 algorithms.
File decryption is possible only with the help of the encryption key stored by us.
What to do to get the encryption key?
To obtain the key, you must pay a ransom in the amount of about a thousand rubles (EXACTLY 0.10004672 in the Dash cryptocurrency at Dash address XvW7aLVhJbvqvjnt7zkngBowWRhUi1Xwin ).
After payment you must send your unique identifier to one of our mailboxes.
If we see that the payment has been made, we will send you a descrambler and encryption key.
Where to get the ID?
Your unique identifier:
㖖 㗌 㕲 㔅 㖉 㕭 㕫 㗅 㖛 㖛 㔦 㕂 㗅 㖦 㖘 㗯 㖟 㗋 㔑 㔑 㔮 㗰 㕽 㕏 㗙 㔩 㗶 㔌 㔌 㕒 㕆 㕩
It was also recorded in your buffer exchange
Where is the guarantee that after paying the ransom I can recover my files?
You can send us an email with an identifier one encrypted file up to 5 megabytes.
We will decrypt it and will send you as proof that we can decrypt your files.
How to send Dash?
Dash can be sent using the following monitoring service for exchangers:
https://www.bestchange.ru/yandex-money-to-dash.html
Or register on the Payeer website and exchange money for Dash on the stock exchange inside the website:
https: // payeer. com
Or you can use itOther cryptocurrency exchanges
What will happen if I do not pay the ransom?
You can restore files only by decrypting them. No antivirus office will help you.
If payment is not made within three days, 20% of the encrypted files will be irretrievably destroyed.
If payment is not made within seven days, all encrypted files will be destroyed!
Our email addresses for contacts and questions:
[email protected]
[email protected]
You can read about RSA and AES algorithms in Wikipedia.
This file is on your desktop, you can open it again to read this text.”
As usual, when dealing with file-encrypting malware, paying the ransom is definitely not recommended. So the best way to deal with it is by wiping it out of your computer and use whatever backup copies you have until a free decrypter is available.
How does ShkolotaCrypt ransomware proliferate?
ShkolotaCrypt ransomware proliferates using several distribution methods. For one, malicious email campaigns where crooks attach a seemingly legitimate file that actually contains malicious scripts used to initiate its attack in the system. Crooks tend to disguise these malware-laden emails so you need to double check the email first before you download any kind of attachment.
Eliminating ShkolotaCrypt ransomware from your computer wouldn’t be that easy so you need to follow the removal guide provided below.
Step 1: The first thing you need to do is to obliterate the process of ShkolotaCrypt ransomware by opening the Task Manager – simply tap the Ctrl + Shift + Esc keys on your keyboard.
Step 2: After that, switch to the Processes tab and look for any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to ShkolotaCrypt ransomware and then end them all.

Step 3: Now that the malicious processes are eliminated, close the Task Manager.
Step 4: Next, tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5: Under the list of installed programs, look for ShkolotaCrypt ransomware or anything similar and then uninstall it.

Step 6: Then close Control Panel and tap Win + E keys to launch File Explorer.
Step 7: Navigate to the following locations below and look for the malicious components of ShkolotaCrypt ransomware like the file named READ ME!!!.txt, updater.exe, and [random].exe as well as other suspicious files it has created and downloaded into the system and then delete all of them.

• %LOCALAPPDATA%
• %APPDATA%
• %TEMP%
• %WINDIR%\System32\Tasks
• %APPDATA%\Microsoft\Windows\Templates\
• %USERPROFILE%\Downloads
• %USERPROFILE%\Desktop

Step 8: Close the File Explorer.
Before you go on any further, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 10: Navigate to the following path:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Step 11: Delete the registry keys and sub-keys created by ShkolotaCrypt ransomware.
Step12. Close the Registry Editor and empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if ShkolotaCrypt ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

After you’ve covered the steps provided above, you need to continue the removal process of ShkolotaCrypt ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
 

1. Turn on your computer. If it’s already on, you have to reboot it.
2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

3. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
4. Windows will now load the Safe Mode with Networking.
5. Press and hold both R key and Windows key.

6. If done correctly, the Windows Run Box will show up.
7. Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
8. After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
9. Once the installation process is completed, run [product-code] to perform a full system scan.

10. After the scan is completed click the “Fix, Clean & Optimize Now” button.