Cybercrime brought extortion to the masses when ransomware emerged years ago. Not only can computer perpetrators now serve crypto malware to numerous users in one hit via exploit kits and spam, but they are also able to buy and sell turnkey infections as part of an affiliate scheme called RaaS, which stands for Ransomware as a Service. The latter most likely holds true for Mobef, a breed of file-encrypting trojans that even rookies can obtain on underground sites and then share revenue with the creator. Although it doesn’t appear to be a high-end sample from a tech perspective, it’s got the malicious essentials under the hood, including strong data encryption, obfuscated communication with the C&C server, and ransom payment channels.
Having applied a crypto routine to lock the victim’s files, some versions of the Mobef ransomware append the .keyh0les or .keyz extension to every item, although this does not happen in every case. The infection creates ransom instructions in every folder that holds encrypted data. The filename is composed of the current date followed by the “Infection.txt” string. The message inside matches a warning displayed on the desktop background. It says “Hey. Your files are now encrypted. I have the key to decrypt them back. I will give you a decrypter if you pay me. Email me at email@example.com or firstname.lastname@example.org.”
As opposed to other widespread ransomware, this one doesn’t provide links to a standalone payment service hosted on a Tor gateway. Instead, the black hat hackers tell the victim to send them an email and receive recovery instructions in response. Interestingly, if the above webmail accounts are suspended for abuse of the provider’s Terms of Service, the victims are told to download the P2P communication client called Bitmessage and reach the operator that way. The offending application assigns unique identifiers to every infected machine, which the victim should include in the message. These include such parameters as YourID, PC, and USER.
Mobef runs on a system as the tmp.exe process, whose name may be preceded by random digits in some cases. Unfortunately, terminating this executable and removing all components of the ransomware doesn’t fix the whole problem. Files remain encrypted, so it takes a dedicated recovery approach to get them back.
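The artifacts described above (appended extensions, per-folder ransom notes, the tmp.exe process) are what a responder looks for first. The following triage script is an added example and not code from the original article; the scan roots and the note-name date format are assumptions.

```powershell
# Added example, not from the original article: triage a Windows host for the Mobef
# artifacts described above. $Roots and the note date format are assumptions.
param(
    [string[]]$Roots = @($env:USERPROFILE)   # assumption: where user data lives
)

$mobefExtensions = @('.keyh0les', '.keyz')  # appended by some variants only
$notePattern     = '*Infection.txt'         # note name is <current date> + "Infection.txt"
$findings        = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Path, $When) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; When = $When })
}

# 1. File system: encrypted files and dropped ransom notes
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($mobefExtensions -contains $_.Extension.ToLowerInvariant()) {
                Add-Finding 'EncryptedFile' $_.FullName $_.LastWriteTime
            } elseif ($_.Name -like $notePattern) {
                Add-Finding 'RansomNote' $_.FullName $_.LastWriteTime
            }
        }
}

# 2. Processes: tmp.exe, optionally prefixed with random digits (e.g. 4821tmp.exe)
Get-Process | Where-Object { $_.ProcessName -match '^\d*tmp$' } | ForEach-Object {
    $start = try { $_.StartTime } catch { $null }   # access denied for some processes
    Add-Finding 'SuspectProcess' "$($_.ProcessName) (PID $($_.Id)) $($_.Path)" $start
}

# 3. Summary: note timestamps bound the infection window; note folders show what was hit
$findings | Sort-Object When | Format-Table -AutoSize
$notes = $findings | Where-Object Type -eq 'RansomNote'
if ($notes) {
    $dirs = $notes | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique
    "Ransom notes in $($dirs.Count) folder(s); earliest written $(($notes | Sort-Object When)[0].When)"
}
```

Because the extension is not appended by every variant, treat the ransom-note hits as the authoritative list of affected folders and the extension hits as supporting evidence.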
Using an automatic removal tool is an exceptionally efficient method for taking care of malware in general and ransomware threats in particular. The use of a reputable security suite ensures thorough detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things, but the need to remove the pest is indisputable as it has been reported to install other trojans while operating.
It has been mentioned that the Mobef ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course paying the unthinkable ransom. There do exist techniques, though, which can help you recover the important data; here is what they are.
Automatic file recovery software
It’s worth knowing that this infection deletes the original, unencrypted files; it is copies of them that undergo the ransomware’s encryption. So tools like Data Recovery Pro can restore the deleted objects even if they were removed in a secure way. This workaround is definitely worthwhile as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works if the System Restore feature was toggled on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to the files and folders whose previous versions you wish to restore. To get the job done, right-click on any of the entries and select the Export feature.
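The same recovery can be scripted when many files are affected. The script below is an added example, not code from the original article or from Shadow Explorer; it enumerates the shadow copies for a volume and copies a file's pre-infection version out of each one, newest first. It must run as Administrator, and the target file and output folder are assumptions.

```powershell
# Added example, not from the original article: pull a file's earlier versions out of
# every Volume Shadow Copy. Run as Administrator; $Target and $DestDir are assumptions.
param(
    [string]$Target  = 'C:\Users\alice\Documents\report.docx',   # assumption: an encrypted file
    [string]$DestDir = 'C:\Recovered'                             # assumption: output folder
)

$volume  = (Split-Path -Qualifier $Target) + '\'      # e.g. 'C:\'
$relPath = $Target.Substring($volume.Length)          # path relative to the volume root
$volId   = (Get-CimInstance Win32_Volume |
            Where-Object { $_.DriveLetter -eq $volume.TrimEnd('\') }).DeviceID

# Each snapshot exposes a device path such as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volId } |
    Sort-Object InstallDate -Descending

if (-not $shadows) { throw "No shadow copies exist for $volume; this recovery path is unavailable." }
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

foreach ($s in $shadows) {
    $stamp = $s.InstallDate.ToString('yyyyMMdd_HHmmss')
    # PowerShell's file cmdlets do not accept the \\?\GLOBALROOT device path directly, so expose
    # the snapshot through a temporary directory symlink (mklink needs the trailing backslash).
    $link = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relPath
        if (Test-Path -LiteralPath $candidate) {
            $out = Join-Path $DestDir ('{0}_{1}' -f $stamp, (Split-Path $Target -Leaf))
            Copy-Item -LiteralPath $candidate -Destination $out
            "Snapshot $stamp : recovered $out ($((Get-Item -LiteralPath $out).Length) bytes)"
        } else {
            "Snapshot $stamp : file not present in this snapshot"
        }
    } finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Compare the recovered copies against the encrypted file's modification time: only snapshots taken before the earliest ransom note can contain a clean version, and as noted above, edits made after the last restore point are not recoverable this way.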
Out of all the options that don’t involve paying the ransom, this one is the best. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by the Mobef malware is as simple as logging into the respective interface, selecting the right files and initiating the restore itself. Before you do so, however, be sure to completely remove the ransomware from your computer.
If you chose to stick to the manual cleanup technique, some fragments of the ransomware may have remained as hidden objects in the operating system or as registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.