
'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

Posted: March 15, 2016

Threat Metric

Ranking: 511
Threat Level: 1/10
Infected PCs: 202,093
First Seen: March 15, 2016
Last Seen: October 17, 2023
OS(es) Affected: Windows

The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware is a new variant of TeslaCrypt, a file encryptor that holds PC data hostage in exchange for ransom money. Although the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware includes upgraded features for its threat authors, victims will experience overall similar attacks to other threats from this family, including changed file names. As with past iterations of TeslaCrypt, malware experts consider the combined use of file backups and anti-malware tools crucial for removing the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware and eliminating its side effects.

The Premium Data Recovery that's Worse than It Looks

The generations of copycat threats and spinoffs aren't always due to a lack of creativity on the part of Trojan coders. Some new versions of threats are also built on previously proven, working templates, with updates that help them evade PC security solutions. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware is one of these threats: a new TeslaCrypt version with significant changes aimed at blocking Cisco-brand data recovery applications. Although these changes have no impact on the main attacks suffered by its victims, they can block previously recommended solutions for reverting the file damage.

The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware operates along the same lines as its older variant, scanning your hard drive for files of certain types. Non-essential files unrelated to your operating system are sent through an encryption routine that rearranges their data and makes them unreadable. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware then appends a new extension to their names (such as MP3) but doesn't convert them to that format. Lastly, it drops a ransom note for its victims to read. Either the note or the extension may include randomly generated letters that vary between infection scenarios, with no meaningful change to their functionality.
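The renaming behaviour described above gives responders a cheap way to inventory damage before restoring from backup: a file that gained a new extension but whose bytes do not match that format was renamed, not converted. The triage script below is an added example, not code from the original write-up; it assumes the appended extension is .mp3 and that ransom notes are named "ReCoVeRy+" followed by random letters, and it builds its own constructed sample tree.

```python
import os
import re
import tempfile

# Ransom-note naming the write-up describes: "ReCoVeRy+" plus random letters.
NOTE_RE = re.compile(r"^ReCoVeRy\+[A-Za-z]+\.(txt|html|png)$", re.IGNORECASE)


def looks_like_mp3(head: bytes) -> bool:
    """True if the first bytes are an ID3 tag or an MPEG audio frame sync."""
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def triage(root: str):
    """Walk a tree and return (ransom_notes, suspect_files).

    A suspect file kept its original extension and gained '.mp3'
    (e.g. report.docx.mp3) but holds no MP3 data: it was renamed, not
    converted, so it belongs on the restore-from-backup list."""
    notes, suspect = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_RE.match(name):
                notes.append(path)
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".mp3" and os.path.splitext(stem)[1]:
                with open(path, "rb") as fh:
                    head = fh.read(4)
                if not looks_like_mp3(head):
                    suspect.append(path)
    return sorted(notes), sorted(suspect)


def build_sample_tree() -> str:
    """Constructed demo tree (not real victim data): one note, one renamed
    document with ciphertext-like bytes, one genuine MP3, one untouched file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "ReCoVeRy+qwxzy.txt": b"your files were encrypted ...",
        "docs/report.docx.mp3": b"\x91\xc2\x0b\x3a" + bytes(60),
        "docs/song.mp3": b"ID3\x03\x00" + bytes(60),
        "docs/notes.txt": b"plain text, untouched",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root
```

Running `triage(build_sample_tree())` lists the note and report.docx.mp3 while leaving the genuine MP3 alone; point it at a real user profile to produce the restore list.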

By blocking previously released tools that could decrypt your files, the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware leaves paying its ransom fee as one of the most obvious solutions to its attacks. However, malware researchers traditionally don't endorse such transactions, which come with no legal backing and no certainty that the attackers will deliver any decryption service after they take their payment.

A Less Random Way of Saving Your File Data from File Encryptors

Since relying on the largesse of threat authors comes with problems of its own, victims of 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware infections should use alternate recovery solutions. In broad practice, malware experts especially recommend remote file backups, such as cloud-based services, for overwriting the encrypted files. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware also has shown no signs of deleting the local backup data stored on Windows machines, although that caveat is not true of all file-encrypting Trojans.

The campaign for the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware has shown an explicit focus on drive-by-download attacks for installing this threat. Drive-by downloads can be distributed through corrupted advertisements or websites, often via exploit kits that scan for multiple relevant vulnerabilities. A successful drive-by download usually produces few or no symptoms, although the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware's ultimate payload is a high-visibility attack. PC users with concerns about the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware should use updated software, blacklists of threatening websites, script blockers, and other browser-oriented security solutions to remove the bulk of these exploits.

Whatever means you prefer for protecting your PC, always remove the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware with a fully-patched anti-malware product before recovering any encrypted data.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: svchost.exe
Path: C:\Users\<username>\AppData\Roaming\7 9\svchost.exe
Size: 23.04 KB (23040 bytes)
MD5: 4155fc2722b435e1510b44f8f0a413b5
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 31, 2023

File name: poclbm.exe
Path: C:\Users\<username>\Downloads\GUIMiner-Scrypt-win_x64-v0.05-20140818\GUIMiner-Scrypt-win_x64-v0.05-20140818\poclbm.exe
Size: 24.06 KB (24064 bytes)
MD5: 472279a849d0e4423f4c7d70844315c4
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 24, 2023