Somik1 ([email protected]) - How to remove

Somik1 is a relatively new ransomware infection. It breaks the victim’s files by running them through a cryptographic algorithm and it asks for Bitcoins as “payment” for fixing them. Somik1 affects Windows PCs and its ransom notes are in English. It might be possible to fix the broken files for free with the decrypters that have been released by researchers, but it’s not guaranteed.

About Somik1 ransomware in short:

Classification: Ransomware.

Infection symptoms:
  • files renamed to have “[email protected]” as their second extension,
  • files that open are full of random characters,
  • ransom notes ask you to get Bitcoins and to contact Somik1’s developer.

How to fix the files:
  • restore them from a backup,
  • use shadow copies,
  • try the free decrypter.

How to remove Somik1:
  • delete malicious files manually,
  • use anti-malware programs like SpyHunter to delete Somik1.

How Somik1 ([email protected]) locks your files

Somik1 was discovered by S!Ri on Monday, January 6.

Somik1 can be recognized by the “[email protected]” address it appends to the name of every encrypted file. For example, a file that used to be named “list.txt” becomes “[email protected]”. If your files look like that, Somik1 has made it onto your system.

Somik1 creates ransom notes called WARNING.txt that start like this:

All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [email protected]

The ransom notes look like they’ve been copied from Dharma – a lot of ransomware authors do that. But that doesn’t mean that Somik1 is related to Dharma in any way.

Somik1 and other ransomware use encryption to change the contents of each file to something unrecognizable. If an encrypted text file used to have something meaningful written in it, now it’s just noise and random characters. Most of your files can’t even be opened anymore, because the programs that open them no longer recognize the encrypted contents.

The point of encryption is that it’s completely reversible if you have the decryption key. Somik1 gives each victim a unique key and if you got your hands on that key and a decryption program, you might be able to fix all of your files. But Somik1’s author wants money for that.
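As an added defender-side example (not code from this page or from any researcher it cites), the Python script below inventories a folder using the two symptoms described above: the address appended as a second extension and file contents that read as random characters (measured as byte entropy). The suffix constant is an assumption standing in for the redacted address; substitute the exact suffix seen on one of your renamed files.

```python
import math
import os
import tempfile
from collections import Counter

# Placeholder marker (assumption): replace with the exact suffix seen on a renamed file.
RANSOM_SUFFIX = ".[email protected]"
NOTE_NAME = "WARNING.txt"        # ransom note name reported on the page
ENTROPY_THRESHOLD = 7.0          # bits per byte; ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, data: bytes) -> str:
    """Label one file as 'note', 'encrypted', 'suspicious' or 'clean'."""
    if name == NOTE_NAME:
        return "note"
    marked = name.endswith(RANSOM_SUFFIX)
    random_looking = shannon_entropy(data) >= ENTROPY_THRESHOLD
    if marked and random_looking:
        return "encrypted"
    if marked or random_looking:
        return "suspicious"   # renamed but still readable, or random but unmarked
    return "clean"

def triage(root: str) -> dict:
    """Walk root, count files per label and list original names of encrypted ones."""
    summary = {"note": 0, "encrypted": 0, "suspicious": 0, "clean": 0, "originals": []}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            with open(os.path.join(dirpath, fname), "rb") as fh:
                label = classify(fname, fh.read(4096))   # a header sample is enough
            summary[label] += 1
            if label == "encrypted":
                summary["originals"].append(fname[: -len(RANSOM_SUFFIX)])
    return summary

def build_sample_dir() -> str:
    """Constructed sample tree: a ransom note, one 'encrypted' file, one clean file."""
    root = tempfile.mkdtemp()
    samples = {
        NOTE_NAME: b"All your files have been encrypted due to a security problem with your PC.",
        "list.txt" + RANSOM_SUFFIX: bytes(range(256)) * 8,   # uniform bytes stand in for ciphertext
        "readme.txt": b"plain text, nothing to see here. " * 20,
    }
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
    return root
```

Run `triage(build_sample_dir())` to see the constructed sample classified; point `triage` at a real folder to get a count of affected files and the list of original names worth recovering from backups or shadow copies.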

How ransomware spreads

There’s not yet enough information about Somik1 to tell how it spreads. Its ransom note is written in English, so it’s probably aimed at English-speaking audiences, but people anywhere can get infected.

Ransomware infections spread in various ways:

  • emails with attached infected files,
  • emails with links in them that download malicious files,
  • infected sites that download malware,
  • infected ads that redirect people to malicious sites,
  • malicious or infected files and installers shared on file-sharing sites (piracy),
  • remote desktop hacking.

That last method is used to attack businesses and big organizations, often after the criminals have found out the usernames and passwords of the administrators.

Somik1 and similar infections could be avoided if you scanned every downloaded file, blocked malicious websites (some antivirus programs do that), and installed the newest software updates as they become available.

Somik1 ransom note looks a bit like Dharma's, but that doesn't mean that they're related.

How to fix your files

Backups and other methods

If you have become a victim of Somik1, there are a few things you can do to get your files back that do not ask you to contact the people who made this ransomware:

  • restore them from a backup if you have one,
  • restore the files from their previous versions,
  • try and decrypt the files with free tools.

Restoring your files from a backup is probably the fastest and most reliable way to deal with Somik1. The problem is that not everyone makes backups. A backup can be just a USB with your most important documents, cloud storage, or some other solution. The important thing is that ransomware like Somik1 can’t reach the backup storage.

Previous versions of files and folders can also be used to recover unencrypted files. That’s if Somik1 doesn’t delete these backups.

Possible Hidden Tear solution

Symantec (VirusTotal link) and the ransomware researcher Amigo-A suggest that Somik1 is based on Hidden Tear. Hidden Tear is open-source ransomware that was developed with an intentional weakness and released in 2015. A lot of infections were based on it, like Minotaur, HiddenBeer, and Shade8. Unless Somik1’s author made the necessary modifications, you may be able to use the Hidden Tear decrypter on your files to get all of them back.

Demonslay335, a cybersecurity researcher and a hero for ransomware victims across the globe, has developed a lot of ransomware decryption tools, including one that can guess the encryption keys used by Hidden Tear ransomware (link). If that works out, you can then try the decrypter he developed (link).

But remember, do not do this without first making backups of the encrypted files. Even if Somik1 is based on Hidden Tear, it may be too different from it for these tools to work on it.

Besides, Somik1 should be removed to stop it from causing more problems (like encrypting files again). You can use any decent anti-malware scanner for this, for example SpyHunter.

Should you contact [email protected]?

If you’re desperate to get your files back, you may want to contact the people behind [email protected]. If you do, don’t reveal any of your private information to them. You may want to create a brand new email address for this.

Don’t pay for decryption before trying the free options. It doesn’t even look like Somik1 is a very serious project. It’s possible that the creator is a prankster who doesn’t mean to hurt anyone and who will release the decryption keys at some point. It’s also possible that they are just trying to make a quick buck and aren’t going to bother decrypting people’s files.


How to recover Somik1 ([email protected]) encrypted files and remove the virus

Step 1. Restore the system to its last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points from before Somik1 ([email protected]) infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Somik1 ([email protected])

After restoring your system, it is recommended to scan your computer with an anti-malware program, like SpyHunter, and remove all malicious files related to Somik1 ([email protected]). You can check other tools here.

Step 3. Restore Somik1 ([email protected]) affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Somik1 ([email protected]) tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Somik1 ([email protected]) encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.