PedCont ransomware - How to remove

On June 4th, 2018, malware analyst Leo shared a new ransomware discovery called PedCont. This crypto-extortionist falsely accuses the victim of browsing the deep web for gruesome, illegal content and demands a ransom of $50 USD (0.0065 BTC) for it. In reality, the virus does not target only Darknet surfers but anyone who has access to the internet. In this article, the 2-viruses.com team will teach you the most important things about the PedCont virus and how to delete it.

PedCont ransomware virus

PedCont ransomware worries cybersecurity specialists because it seems to be spreading as an innocent-looking SFX (self-extracting) screensaver or video file with a double extension. That means that once it is opened, the virus can decompress and extract all of its malicious contents automatically, without any additional program or permission. What is more, PedCont might have destructive tendencies, which are still being researched.

What is so special about PedCont virus

PedCont is a packed ransomware, compiled and packed with the BobSoft Mini Delphi packer. This technique not only makes the file smaller but also helps it evade detection and hinders detailed analysis by security specialists. Other ransomware viruses that use a similar packing technique are Locky, CryptoWall, CTB Locker and GandCrab. Check more information about packers on SecuringTomorrow.mcafee.com.

Despite this sophisticated-looking protection, PedCont, unlike other ransomware viruses, doesn’t encrypt any files, nor, obviously, does it use any extension to mark them. It simply asks for a ransom in exchange for not reporting the victim to the authorities for the illegal content supposedly visited or downloaded on the darknet. This technique hardly seems foolproof, since it is unlikely to push the compromised machine’s owners to pay, especially if they don’t even know how to access the DeepWeb and have never been there.

However, malware professionals noticed that the screens of the infected virtual machines in which the virus was being tested would turn black and unresponsive after a while, suggesting that the PedCont virus probably deletes the display drivers. While it is still being discussed whether this happens only on the researchers’ VMs or also on actually infected systems, it leaves room for the interpretation that PedCont ransomware can actually be really destructive and dangerous.

After intruding into the system, the attack takes place in the ‘Local’ files directory, with changes to the registry as well. The virus overcomes the PC’s protection, copies itself so that it is restored with every system restart, and then displays the ransom message.

The ransom note displays this text:

!!! ATTENTION !!! – Please read this immediately:

Dear potential criminal,
– Due to you actively seeking out child pornography or similarly illegal content on the
Deep Web, you have been infected with our ransomware called PedCont.

– WHAT HAS ALREADY HAPPENED:
All of your sensitive data, location and files – pictures, videos, documents, etc. – have been auto-collected and saved to an external server and will be stored & protected for the next 72 hours (counting from the first time you see this message). If we do not receive any cooperation from your part once the time is up, international authorities WILL be contacted and sent detailed information about everything that we have scraped from your computer.
While it is no longer necessary for this program to stay on your computer, should you wish to prevent legal prosecution and safely get rid of our records, do NOT manually remove it, but instead follow the steps listed below.

How does PedCont virus spread

At the moment, PedCont ransomware spreads disguised as a screensaver or video file named AliceRides.mp4_Unpack.WinRAR_SFX.scr. Its SFX (self-extracting) format allows the virus to unzip and execute the rest of the files necessary to complete the infection, so the victim may download PedCont voluntarily, thinking that it is just a regular video or screensaver. The malicious parasite can also be distributed through spam email attachments, torrents, software bundles, ads, etc.
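The file name above is the point a defender can act on: a Windows screensaver (.scr) executable dressed up with a media extension and an "Unpack"/"SFX" hint, whose body is a PE stub carrying an archive. The following Python script is an added example (it is not code from this article or from any security product) that flags such files in a directory by two independent heuristics: a decoy extension appearing before the real executable extension, and a PE image (`MZ` header) that embeds a RAR or ZIP archive signature, as WinRAR- and ZIP-style self-extractors do. The sample files it creates are constructed in a temporary directory for demonstration only; the detection rules and the `demo_scan` helper are this example's own, and the tiny "PE" bodies are fake stubs, not real executables.

```python
"""Flag files whose names mimic media content but are Windows executables,
and PE files that carry an embedded archive (self-extracting archives).

Added example for the PedCont write-up; sample names and bytes are constructed.
"""
import os
import re
import tempfile

# Extensions that Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user expects to be inert media or documents.
DECOY_EXTS = {".mp4", ".avi", ".mkv", ".jpg", ".png", ".pdf", ".doc", ".txt"}
# A decoy extension followed by a separator, e.g. ".mp4_Unpack..." or ".pdf.scr"
DECOY_RE = re.compile(
    r"\.(" + "|".join(e.lstrip(".") for e in sorted(DECOY_EXTS)) + r")(?=[._\s-])"
)

PE_MAGIC = b"MZ"             # DOS/PE header at offset 0
RAR_MAGIC = b"Rar!\x1a\x07"  # RAR archive signature embedded in a WinRAR SFX stub
ZIP_MAGIC = b"PK\x03\x04"    # ZIP local file header embedded in a ZIP SFX stub


def name_findings(filename):
    """Reasons the NAME alone looks like an executable posing as media."""
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    match = DECOY_RE.search(lower)
    if match:
        reasons.append("executable %s named as a .%s file" % (ext, match.group(1)))
    if "sfx" in lower or "winrar" in lower:
        reasons.append("self-extracting archive hint in name")
    return reasons


def content_findings(data):
    """Reasons the leading bytes look like a PE that carries an archive payload."""
    if not data.startswith(PE_MAGIC):
        return []
    reasons = []
    if RAR_MAGIC in data:
        reasons.append("PE image with embedded RAR archive (WinRAR-style SFX)")
    if ZIP_MAGIC in data:
        reasons.append("PE image with embedded ZIP archive (ZIP-style SFX)")
    return reasons


def scan_directory(path, head_bytes=1 << 20):
    """Map each suspicious file name in `path` to its combined findings."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(head_bytes)  # only the first MiB is inspected
        findings = name_findings(name) + content_findings(head)
        if findings:
            results[name] = findings
    return results


def demo_scan():
    """Write constructed sample files to a temp dir and scan them."""
    samples = {
        # Mimics the name reported for PedCont; body is a fake PE stub plus a
        # RAR signature, standing in for a real self-extracting archive.
        "AliceRides.mp4_Unpack.WinRAR_SFX.scr": PE_MAGIC + b"\x00" * 64 + RAR_MAGIC,
        "holiday.mp4": b"\x00\x00\x00\x18ftypmp42",  # genuine-looking MP4 header
        "report.pdf.scr": PE_MAGIC + b"\x00" * 64,    # decoy extension, plain PE
        "setup.exe": PE_MAGIC + b"\x00" * 64,         # honest executable name
    }
    tmp = tempfile.mkdtemp(prefix="pedcont_demo_")
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    return scan_directory(tmp)


if __name__ == "__main__":
    for name, reasons in demo_scan().items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run it as a script and only `AliceRides.mp4_Unpack.WinRAR_SFX.scr` (three findings) and `report.pdf.scr` (one finding) are reported; the real MP4 and the honestly named `setup.exe` are left alone. Point `scan_directory` at a Downloads folder to apply the same checks to real files; the name rule catches the social-engineering half of the trick even when the file has not been opened, while the content rule catches SFX stubs regardless of what they are called.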

The IP address of tigersweb.cf points to the UK. The malicious address also appears to be accepted by greenaddress.lt, with an IP from the USA. Interestingly, the main attacking domain tigersweb.cf still seems to be free and available to purchase, yet when opened it shows a ransom amount determined by your IP.

How to solve PedCont ransomware infection

There are mainly two ways to fix the issues caused by the PedCont parasite: automatic and manual removal. Never mind the virus telling you not to try deleting it; that is a bluff, just like the ransom note’s claim that you engaged in illegal DarkNet activities. It is crucial to remove PedCont before it can cause more trouble.

The easiest method, of course, is automatic removal with anti-malware programs like Spyhunter, which are slightly different from the regular antivirus you probably already have. Regular antivirus sometimes lacks the newest virus database or the capabilities to clean an infection completely, unlike spyware removal software that is made specifically for that. More about the differences on Lifehacker.com.


The other technique requires a bit more work, because you have to do all the tasks manually yourself. This shouldn’t be your first choice, but sometimes PedCont can block the ability to download anything from the internet or to install security software; that is when you should follow the step-by-step guide on how to remove PedCont ransomware on your own.

Detailed guide how to remove PedCont virus manually

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 8 / 10

  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.


2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before PedCont malware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

You can also read more about System Restore here. Since PedCont doesn’t lock the files, there is no need for a decryptor or any other recovery.
