EnybenyCrypt ransomware is a new crypto-locking virus based on the Hidden Tear open-source project. Once it enters the system, it encrypts all data stored on your hard drives and demands a ransom in exchange for a decryption key. This type of malware is among the most notorious because, even after its full removal, users are left to deal with the not-so-pleasant consequences: the locked personal files stay inaccessible.
Fortunately, cybersecurity specialists are keeping up with cyber criminals, and EnybenyCrypt virus damage can potentially be reversed even without paying the requested fee (it is not clear how much the developers are asking, but it might be between a few hundred and a few thousand dollars).
So if your files are locked and marked with a .crypt888 extension, and your wallet is not overflowing with money that you could risk losing, you will find this 2-viruses.com article interesting and useful. We'll show you the best possible ways to get rid of EnybenyCrypt ransomware and recover your files, so please keep reading.
What is EnybenyCrypt ransomware
EnybenyCrypt virus was discovered by the malware expert GrujaRS on October 29th, 2018. As we mentioned before, this ransomware is built from the Hidden Tear virus template, which was posted on GitHub primarily for educational reasons but is continuously misused by crooks to make actual crypto viruses. That is why most of the qualities of EnybenyCrypt ransomware are typical of any other Hidden Tear variant, such as HiddenBeer, EbolaRnsmwr, Qinynore or IT.Books.
You can recognise EnybenyCrypt cryptovirus by its most obvious feature: the extension .crypt888, which is added to each locked file’s name (‘samplefile.jpg’ turns into ‘samplefile.jpg.crypt888’). This is done to frighten victims and push them to pay, just like the ransom note ‘Hack.html’, which is dropped on the desktop and threatens to delete all your personal data if you don’t contact the crooks via email ([email protected]). Take a look at this note ‘Hack.html’:
Your files was encrypted with AES-256 Millitary Grade Encryption
Contact to [email protected] or im flush your files to toilet and fuck using my dick!
As the EnybenyCrypt ransomware developers claim, this virus uses the fast AES-256 algorithm to encrypt the files, which is a very typical characteristic of Hidden Tear variants. This encryption takes only a few moments to complete; however, nowadays it is not the most reliable option and is often decryptable. But before you see the outcome of an EnybenyCrypt virus infection, the malware must complete many tasks in the background so that it can successfully thrive.
Once EnybenyCrypt cryptovirus enters the Windows OS (it does not infect Macs), it copies itself into various system directories such as Windows, Program Files and the Temp folder so that the threat gains more privileges and stays persistent. Furthermore, EnybenyCrypt ransomware modifies Windows registry keys so that it starts every time you restart your PC. At the same time, the virus quickly scans the system and finds targeted files by their extension, such as pictures, videos, music and documents, then encrypts them and appends .crypt888. This sounds like a lot of work, but it actually takes only a few seconds.
You can see a real-life demonstration of an EnybenyCrypt ransomware infection in the video below, posted by the same Gruja, a cybersecurity expert. If you are interested in the technical details, feel free to explore the VirusTotal.com report.
How does EnybenyCrypt virus spread
There are several ways EnybenyCrypt virus might end up compromising your computer, but some methods are far more popular than others, such as spreading through phishing emails. Compared to drive-by downloads, distribution via messaging apps or exploiting web servers, writing socially engineered emails and inserting a ransomware installer into MS Word macros is significantly easier and more effective, especially for script kiddies who don’t possess much technical knowledge.
Presumably, EnybenyCrypt ransomware was made by amateurs whose computer skills were not strong enough to develop their own unique cryptovirus (because it is a difficult task) and who went for the easiest option: altering an already made sample. This is why malicious email attachments seem to be the most believable distribution technique.
Hackers write a short message claiming that the attached .docx file requires your immediate attention and that you need to open it for more information. It can be anything from someone’s resume to an invoice or even a letter from the government. After you open that Word file, it will ask you to enable macros, and that’s when the virus is launched and your system compromised.
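A mail gateway or help desk can check an attachment for macros before anyone opens it, because macro-enabled Office Open XML files store their VBA code in a `vbaProject.bin` part inside the zip container. The following is an added example, not part of the original article; the function names, the hold policy and the sample files are assumptions made for illustration.

```python
import io
import zipfile

# OOXML parts that hold VBA macro code in Word, Excel and PowerPoint files.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as 'macro', 'no-macro', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary documents may carry macros; they need an OLE parser to inspect.
        return "legacy-ole"
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return "not-office"
    with zipfile.ZipFile(stream) as zf:
        names = {n.lower() for n in zf.namelist()}
    if "[content_types].xml" not in names:
        return "not-office"  # a plain zip, not an OOXML document
    return "macro" if names & MACRO_PARTS else "no-macro"


def should_hold(filename: str, data: bytes) -> bool:
    """Assumed policy: hold macro-bearing and legacy documents for review,
    whatever extension the sender gave the file."""
    return classify_attachment(data) in ("macro", "legacy-ole")


def make_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like zip (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", make_sample(True)),
                       ("resume.docx", make_sample(False)),
                       ("notes.txt", b"plain text")]:
        print(name, classify_attachment(blob), "hold" if should_hold(name, blob) else "deliver")
```

The check looks at the file's content, not its name, so a macro-bearing document is held even when it arrives with a .docx extension.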
How to remove EnybenyCrypt ransomware and restore your files
The very first step when your Windows system is infected with EnybenyCrypt cryptovirus is to remove it completely, without leaving any related files behind. If you try restoring your locked data while the virus is still there, the files might be encrypted a second time, which will make them impossible to recover later. Our favourite anti-spyware tools, which can be fully trusted with ransomware infections, are Malwarebytes and SpyHunter. All you need to do is install either of them and run a full system scan. The malware removal program will then detect the issue and delete it using sophisticated termination methods. Of course, there are a few other great products to choose from, but the years have proven that Malwarebytes and SpyHunter are very reputable and reliable.
Once the Windows OS is free of EnybenyCrypt virus, you can begin restoring your precious files, which will still be locked. EnybenyCrypt ransomware does not have its own separate unlocker yet; however, since .crypt888 is just one of many altered Hidden Tear versions, you should try restoring your files with the common HiddenTear project Decryptor tool. If that does not work, check whether your Shadow Copies have not been deleted and try recovering from them, as shown in the instructions below, and also try the mentioned file-recovery programs.
How to clean your PC from EnybenyCrypt virus manually
If you are one of those lucky and responsible people who make backups regularly, then you won’t even need to get any software. Just restore your PC to the state right before the EnybenyCrypt virus infection. Mind you, this works only for those who do have working backups. If the files don’t matter to you anyway, then perform a full System Restore to have a clean, virus-free start.
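Before restoring from a backup, it helps to know which locked files actually have a clean copy. This added example (not from the original article) walks a folder read-only, lists files carrying the .crypt888 extension and any ‘Hack.html’ note, and checks each original name against a backup folder; the function names, the sample tree and the assumption that the backup mirrors the scanned folder's layout are illustrative.

```python
import os
import tempfile
from pathlib import Path

LOCKED_EXT = ".crypt888"   # extension appended to locked files (from this page)
NOTE_NAME = "hack.html"    # ransom note name from this page, compared in lower case


def inventory(root, backup_root=None):
    """Read-only walk of root: list locked files and ransom notes, and split the
    locked files by whether backup_root holds a clean copy at the same relative path."""
    root = Path(root)
    report = {"locked": [], "notes": [], "restorable": [], "no_backup": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == NOTE_NAME:
                report["notes"].append(path.relative_to(root).as_posix())
            elif lower.endswith(LOCKED_EXT) and len(name) > len(LOCKED_EXT):
                report["locked"].append(path.relative_to(root).as_posix())
                # 'samplefile.jpg.crypt888' -> 'samplefile.jpg'
                original = path.with_name(name[: -len(LOCKED_EXT)]).relative_to(root)
                has_copy = backup_root is not None and (Path(backup_root) / original).is_file()
                report["restorable" if has_copy else "no_backup"].append(original.as_posix())
    for key in report:
        report[key].sort()
    return report


def build_demo_tree(base):
    """Create a constructed sample tree (empty placeholder files) under base."""
    live, backup = Path(base) / "live", Path(base) / "backup"
    for rel in ("Desktop/Hack.html", "Docs/samplefile.jpg.crypt888",
                "Docs/report.docx.CRYPT888", "Docs/untouched.txt"):
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        (live / rel).touch()
    (backup / "Docs").mkdir(parents=True)
    (backup / "Docs" / "samplefile.jpg").touch()
    return live, backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_demo_tree(tmp)
        for key, items in inventory(live, backup).items():
            print(f"{key}: {items}")
```

Files listed under `no_backup` are the ones that depend on a decryptor, Shadow Copies or data recovery tools.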
How to recover EnybenyCrypt ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
For Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
For Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the available Restore Points created before EnybenyCrypt ransomware infiltrated your system and then click “Next”.
- To start System Restore, click “Yes”.
Step 2. Complete removal of EnybenyCrypt ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to EnybenyCrypt ransomware. You can check other tools here.
Step 3. Restore EnybenyCrypt ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually EnybenyCrypt ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover EnybenyCrypt ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.