“Harmful” barely describes the effect inflicted by ransom trojans, because the damage tends to be tremendous. The only user with nothing to worry about in the face of these attacks is one who doesn’t keep any information on their computer, which is fiction rather than a plausible scenario. Ransomware blocks access to data stored on local drive volumes as well as mapped network shares. The latest edition of the notorious GPCode infection does exactly that, appending the .LOL! extension to files and creating a document with recovery tips named “how to get data.txt” inside every folder that contains encrypted items. As a result, the victim can no longer open files saved in more than 130 different formats.
The ransom instructions contained in the how to get data.txt file are split into two parts: a somewhat burlesque one titled JOKE, and a perfectly down-to-earth section that says SERIOUSLY at the beginning. In the former, the extortionists make fun of the infected person by emphasizing how lame their safety is and promising to deliver ‘educational benefits’ in the form of the Decryptor.exe program. The serious part then says “Your important files (photos, videos, documents, archives, databases, backups, etc.) were crypted with the strongest military cipher RSA-1024 and AES. No one can help you to restore files without our decoder.” Furthermore, the hackers emphasize that popular recovery tools like PhotoRec and RannohDecryptor won’t do the trick.
The bad guys recommend that the user send them an email to email@example.com, attaching the above-mentioned TXT instructions document and a couple of encoded files under 5 MB in size. The user will allegedly receive decrypted copies of the enclosed files and recommendations on how to proceed and get the decoder. At the end of the day, the victims find out that they need to pay 0.5 Bitcoins to get started on the recovery process.
The .LOL! file extension virus is distributed chiefly through exploit kits and email attachments disguised as files that may be of interest to users. With exploit kits, the success rate of ransomware deployment is much higher, because a great many Windows users have unpatched software running on their machines, and all it takes for the payload to execute is a redirect to a malicious landing page from a random compromised website.
Although security labs and cryptography gurus have not yet found a way to restore data targeted by this edition of the GPCode ransom trojan, some recovery techniques are worthwhile because they take advantage of file properties that the ransomware may not meddle with.
Automatic removal with security software is an exceptionally efficient method for taking care of malware overall and ransomware threats in particular. The use of a reputable security suite ensures scrupulous detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things. Removing the pest is still necessary, as it has been reported to promote other trojans while operating.
It has been mentioned that the .LOL! ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff – learn what those are.
Automatic file recovery software
Notably, this infection deletes the original, unencrypted files; it is copies of them that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they got removed in a secure way. This workaround is definitely worthwhile, as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works if the System Restore feature was toggled on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
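Whether a restore point is usable depends on it predating the encryption, so it helps to know when the ransomware ran and which folders it touched. The following Python script is an added example, not part of the original guide: it inventories a folder tree for the two indicators described above (the .LOL! suffix and the “how to get data.txt” note). It assumes the modification time of the encrypted copies and notes approximates the time of infection; the demo tree and the function names are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENC_SUFFIX = ".lol!"               # extension named in the article (compared case-insensitively)
NOTE_NAME = "how to get data.txt"  # ransom note named in the article


def inventory(root):
    """Walk root and summarise which folders and file formats were hit."""
    dirs = {}            # directory -> {"encrypted": [original names], "note": bool}
    formats = Counter()  # original extension -> number of encrypted files
    earliest = None      # oldest mtime among notes and encrypted copies
    for path, _subdirs, files in os.walk(root):
        hit = {"encrypted": [], "note": False}
        for name in files:
            low = name.lower()
            if low == NOTE_NAME:
                hit["note"] = True
            elif low.endswith(ENC_SUFFIX):
                original = name[: -len(ENC_SUFFIX)]  # name before the suffix was appended
                hit["encrypted"].append(original)
                formats[os.path.splitext(original)[1].lower()] += 1
            else:
                continue
            try:
                mtime = os.path.getmtime(os.path.join(path, name))
            except OSError:
                continue  # unreadable entry; it is still counted above
            earliest = mtime if earliest is None else min(earliest, mtime)
        if hit["note"] or hit["encrypted"]:
            dirs[path] = hit
    # Assumption: the earliest mtime approximates when encryption started.
    when = None if earliest is None else datetime.fromtimestamp(earliest, timezone.utc)
    return {"dirs": dirs, "formats": formats, "earliest": when}


def demo():
    """Build a small constructed tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for name in ("report.docx.LOL!", "photo.JPG.lol!", NOTE_NAME, "clean.txt"):
            open(os.path.join(docs, name), "w").close()
        result = inventory(root)
        result["dirs"] = {os.path.relpath(d, root): h for d, h in result["dirs"].items()}
        return result


if __name__ == "__main__":
    print(demo())
```

Run `inventory()` against a user profile or a mapped share and choose a restore point dated before the reported `earliest` timestamp.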
Out of all the options that aren’t ransom-related, restoring from backups is the best one. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by the .LOL! malware is as simple as logging into the respective interface, selecting the right files and initiating the restore. Before you do so, however, be sure to completely remove the ransomware from your computer.
In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed as obfuscated objects in the operating system or registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.