Ransomnix virus - How to remove

The Ransomnix ransomware virus made its debut after its operators hacked into an online shopping website, Themerchantadventurer.com. It is one of the few crypto-viruses that target websites and their databases; a 2016 variant called JapanLocker chose the same strategy of attacking web pages. In the description of this domain, we noticed a very straightforward statement clearly linking this attack to the notorious Anonymous group: "We are Anonymous, We are legion, We don't forgive, We don't forget, United as one, Divided by zero, Expect us."

We also discovered that another website has become a victim of Ransomnix infection: Aidomservices.org.

Ransomnix crypto-virus threatens websites

Ransomware samples that borrow the imagery of this group have been noticed before: the Anonymous virus is one of them. The hacking collective has been involved in a number of stories, including DDoS attacks against hospitals and operations against child pornography. Of course, the Ransomnix creators might only be posing as members of this group to better conceal their true identity.


Such infections (allegedly by Anonymous) usually feature an image of a white mask, which has become the symbol of that group of hackers: the NTK and Zyka samples attempt to intimidate people with this logo as well.

A .crypt extension is reported to have been appended to all data encrypted by the Ransomnix virus. This is not an original extension, as earlier ransomware infections have appended it to encoded files: CryptXXX and GlobeImposter have both been observed to extend filenames with this addition.

This may not be the only attack that Ransomnix malware carries out: it has the capacity to affect other websites as well and demand ransoms from their owners. Such attacks are not news to security researchers, even though most file-encoders are designed to target Windows operating systems (Naked Security Sophos).


We know very little about why the Merchant Adventurer website, a seemingly ordinary provider of luxury materials from around the world, would have become a target for Anonymous (or for other hackers claiming to belong to that organization). The official website of this shop is currently down, and the ransom has reached 39 BTC as the operators of the online shop have clearly refused to pay. The demanded ransom equals 170442.87 USD, and we have very little hope that the online shop will have enough resources to retrieve its locked database.

The content of the ransom note suggests that the hackers do not care who their victims are. Following this statement, it is possible that basically any domain could be affected by the Ransomnix website virus. Please read the following sections to learn how to protect websites from being hacked.

Protect your websites from the same fate

Initially, the hackers behind this malware infection demand 0.5 BTC to be sent to a specific bitcoin wallet. However, the requested fee grows each day after the hack. Once the ransom is paid, the hackers will allegedly provide decryption software. While this might sound tempting, we have to remind users and website owners that crooks rarely keep their promises.

You could surrender your money and still have your website out of service. Therefore, we propose that website owners do not pay the demanded ransoms; but if you regard this as the only choice, you should share the received decryption software with professional cybersecurity experts. The email address used to contact the crooks is [email protected].

We have an obligation to remind our visitors of the best techniques for website protection. Your servers should be protected with appropriate software; Spyhunter has done a great job in serving its clients. Additionally, you should apply two-factor authentication and protect your domain with strong, complex passwords.

Keeping your server's operating system and the software you run on your domain up to date is also very important. Website operators have also been instructed to start using HTTPS, which encrypts the traffic between the site and its visitors. Please consider these options very carefully, as you would not wish to have your website invaded by vicious hackers demanding ransoms.

How to recover Ransomnix virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select one of the Restore Points available from before the Ransomnix virus infiltrated your system, then click "Next".
  • To start System Restore, click "Yes".

Step 2. Complete removal of Ransomnix virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to the Ransomnix virus. You can check other tools here.

Step 3. Restore Ransomnix virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is still a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the restore snapshot was created. The Ransomnix virus usually tries to delete all available Shadow Volume Copies, so this method may not work on every computer; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via a Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions. Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer. This is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export". Then choose where you want it to be stored.
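As an added illustration of this step (it is not part of the original article), the following PowerShell script, run from an elevated prompt, first checks whether any shadow copies survived on the affected volume, then copies a single file back from the newest snapshot into a separate folder so the encrypted copy is left untouched for later analysis. The encrypted file path, the destination folder and the C:\vss_snapshot link directory are assumed placeholders; the .crypt suffix it strips is the one the article reports.

```powershell
# Added example, not from the original article. Run as Administrator.
# Lists the Volume Shadow Copies that survived on the file's volume and
# recovers one encrypted file from the newest snapshot into a separate
# directory. The encrypted original is left in place.

$Target = 'C:\Users\Public\Documents\report.docx.crypt'   # assumed encrypted file (placeholder)
$Dest   = 'C:\Recovered'                                   # assumed destination directory
$Link   = 'C:\vss_snapshot'                                # assumed temporary link path (no spaces)

# Original path before the .crypt extension was appended
$OriginalPath = $Target -replace '\.crypt$', ''
$Drive        = [System.IO.Path]::GetPathRoot($OriginalPath)   # e.g. C:\
$Relative     = $OriginalPath.Substring($Drive.Length)         # path inside the volume

# Map the drive letter to its volume GUID path, which is what Win32_ShadowCopy records
$VolumeId = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Drive.TrimEnd('\') }).DeviceID

# Enumerate snapshots for that volume, newest first. An empty list usually
# means the ransomware deleted them and this recovery route is gone (go to Step 4).
$Shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $VolumeId } |
    Sort-Object InstallDate -Descending)

if ($Shadows.Count -eq 0) {
    Write-Warning "No shadow copies exist for $Drive; this method cannot help here."
    return
}

"Surviving snapshots for ${Drive}:"
foreach ($s in $Shadows) { "  {0}  {1}" -f $s.InstallDate, $s.DeviceObject }

$Newest     = $Shadows[0]
$ShadowRoot = $Newest.DeviceObject + '\'    # mklink needs the trailing backslash

# Expose the snapshot as a directory symlink so normal file tools can read it
cmd /c mklink /d $Link $ShadowRoot | Out-Null
try {
    $Source = Join-Path $Link $Relative
    if (Test-Path -LiteralPath $Source) {
        New-Item -ItemType Directory -Path $Dest -Force | Out-Null
        Copy-Item -LiteralPath $Source -Destination $Dest
        "Recovered $OriginalPath from the snapshot taken $($Newest.InstallDate) into $Dest"
    } else {
        Write-Warning "File not present in the newest snapshot; try an older one from the list."
    }
} finally {
    # rmdir on a directory symlink removes only the link, not the snapshot contents
    cmd /c rmdir $Link | Out-Null
}
```

The script reads rather than restores in place: copying the pre-infection version next to the encrypted one preserves evidence and avoids overwriting anything if the wrong snapshot is chosen. If the snapshot list is empty, the same check can be repeated with vssadmin list shadows to confirm the copies really are gone before moving on to Step 4.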

Step 4. Use Data Recovery programs to recover Ransomnix virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try it:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.