A data-encrypting trojan called 7ev3n, which emerged in January this year, caused a lot of damage to contaminated computers and tons of frustration to the affected users. Not only did it demand an incomparably bigger ransom for file decryption than other threats of its kind, but it also badly disrupted the functioning of host systems by disabling multiple Windows troubleshooting options. The latest spinoff, dubbed 7ev3n-HONE$T, has a milder impact on infected machines, but it turned out to be more manipulative and technically sophisticated. This brand-new variant encrypts one’s files with an unbeatable cryptographic algorithm, renames them in quite a peculiar fashion, appends the .r5a extension to each, and extorts 1.0 Bitcoin, or 400 USD, for restoration.
The 7ev3n-HONE$T ransomware ends up on PCs in one of the following ways: through an eye-catching email attachment or through a covert exploit kit routine. Once the dropper is in, it creates several objects inside the Users\Public path. Among these is the conlhost.exe file, which is the executable that triggers the obfuscated encryption task. Other items include the list of locked files and a timestamp of the encoding job’s completion. The file renaming pattern is as follows: every filename in a given folder is replaced with a numeric value starting at 1, and the above-mentioned .r5a string is put at the end.
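As an added example (not code from the original article), the following read-only Python triage script uses the renaming pattern just described (a bare number starting at 1 plus the .r5a extension) to flag folders that look like they were processed by 7ev3n-HONE$T, so the scope of an infection can be assessed before recovery. The minimum-run threshold of three files is an assumption chosen to limit false positives.

```python
import re
from pathlib import Path
from typing import Dict, List

# Names produced by the rename scheme described above: "<number>.r5a"
R5A_NAME = re.compile(r"^(\d+)\.r5a$")


def r5a_sequence(names: List[str]) -> List[int]:
    """Return the sorted numeric stems of every .r5a file in one folder listing."""
    nums = []
    for name in names:
        m = R5A_NAME.match(name)
        if m:
            nums.append(int(m.group(1)))
    return sorted(nums)


def looks_encrypted(names: List[str], min_files: int = 3) -> bool:
    """True when a folder listing matches the scheme: .r5a files whose numbers
    form the unbroken run 1..N. min_files (assumed) filters out stray hits."""
    nums = r5a_sequence(names)
    return len(nums) >= min_files and nums == list(range(1, len(nums) + 1))


def scan_tree(root: str) -> Dict[str, int]:
    """Walk a directory tree and report matching folders with the number of
    renamed files in each. Nothing is opened for writing or modified."""
    base = Path(root)
    folders = [base] + [p for p in base.rglob("*") if p.is_dir()]
    hits: Dict[str, int] = {}
    for folder in folders:
        names = [p.name for p in folder.iterdir() if p.is_file()]
        if looks_encrypted(names):
            hits[str(folder)] = len(r5a_sequence(names))
    return hits


if __name__ == "__main__":
    import sys
    for path, count in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{count:5d} renamed files  {path}")
```

Run it against a user profile or mapped share to list affected folders; it reports only, so it can be used on a live system during triage.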
Having completed its encryption task, the infection presents the victim with a warning screen that dots the i’s and crosses the t’s in terms of what happened and what to do next. In particular, it says: “Hi, your personal files were encrypted by 7ev3n-HONE$T. All your photos, media, documents, databases, MS Office and other important files were encrypted with strong algorithm.”
According to the ransom alert, the person has 72 hours to submit 1.0 BTC to a unique Bitcoin address, wait about 30 minutes until the payment is confirmed, and then a few more hours for the automated decryption process to complete. The decryption time depends on the volume of data, at a stated rate of 7GB per hour. The “honest” operators of the malware provide an option to decrypt up to 5 random files for free. Interestingly, the adversaries have introduced a feature of recovering half the files for 60% of the full ransom amount, which is 0.6 BTC.
7ev3n-HONE$T isn’t a run-of-the-mill ransomware. It features several payment options and a full automation of the decrypt procedure. Although it isn’t as aggressive as the original edition, the data is frozen just as efficiently and the victims are currently unable to reinstate all of their files unless they pay. However, to rescue some of the most important items users can try a couple of techniques that may fit the bill.
Using a reputable security suite is an exceptionally efficient method for taking care of malware overall and ransomware threats in particular. It ensures scrupulous detection of all virus components and a complete removal thereof in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; the need to remove the pest is nonetheless indisputable, as it has been reported to promote other Trojans while operating.
It has been mentioned that the 7ev3n-HONE$T ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff. Learn what those are below.
Automatic file recovery software
It’s worth knowing that the infection deletes the original, unencrypted files; it is the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they were removed in a secure way. This workaround is definitely worthwhile, as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is taken at each restore point. There is an important condition to this method: it works only if the System Restore feature was turned on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
Out of all the options that aren’t ransom-related, restoring from a backup is the most optimal. In the event you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by this ransomware is as simple as logging into the respective interface, selecting the right files and initiating the restore transaction proper. Before you do so, however, be sure to completely remove the ransomware from your computer.
In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed as obfuscated objects in the operating system or registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.