How to deal with the .eking ransomware that has recently been appearing on a large scale?

Recently, many companies have come to me for consultation. Their servers were infected with the .eking ransomware: after infection, all files on the servers were encrypted and locked, could not be opened or used normally, and the file names were also altered with the .eking suffix. This prevented the companies' business from running normally and had a major impact. After close communication with them and inspection of the files, I provided solution suggestions based on the inspection results. Some companies have successfully completed file data recovery by following these suggestions.

Where does the .eking ransomware come from? How does it spread? How can it be prevented, and how can systems be rescued after infection? Let us look at this together.


What is the .eking ransomware?

The .eking ransomware is file-encrypting malware that was first spotted in the wild on May 17, 2020. The attack started slowly but has since affected more and more users around the world. According to researchers, the malware was distributed through torrent sites bundled with an Adobe Acrobat crack, which is very popular and makes it easy to spread. Once the malicious payload is launched, .eking begins the first stage of the attack: injecting the malicious .exe process and gaining administrative privileges on the system. The second stage is file encryption. To lock the victim's files, the criminals behind the ransomware use AES encryption and append an extension made up of an ID, the attackers' contact email in square brackets, and the .eking suffix.

The .eking ransomware comes from the notorious Phobos family, which has more than 20 members, including Mamba, Phoenix and ISO ransomware. Like its predecessors, it imitates the notorious file-encrypting malware of the Dharma family: it uses the same style of ransom note and gives the same instructions verbatim. Currently, .eking drops a pop-up window, info.hta, or a text file, info.txt, in each folder containing locked files. The note lists two contact email addresses: [email protected] and [email protected]. It is recommended neither to contact the criminals nor to pay the ransom.

Name: .eking

Family: Phobos ransomware family

Classification: Ransomware / file-encrypting malware

Encryption: Based on the history of the Phobos family, .eking is believed to encrypt files on the infected machine with AES

File extension: Encrypted files are renamed with the .eking suffix. Observed variants (not an exhaustive list) follow the pattern .[<contact email>].eking; contact addresses seen include [ICQ@fartwetsquirrel] and [moon4x4@tutanota.com], while the other addresses in the original list are redacted in the source as [email protected]

Propagation: Currently most actively spread through torrent sites bundled with an Adobe Acrobat crack; the operators can also use exposed RDP or malicious spam attachments to deliver the payload

Removal: The only way to remove the ransomware from the system is a thorough scan with a professional AV engine

File decryption: Unfortunately, there is no official .eking decryptor
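Before any recovery attempt, the first job on an infected server is to scope the damage: which files were renamed, which victim ID and contact address the note and file names carry, and where the ransom notes sit. The following PowerShell script is an added example written for this page, not code from the original post or from any vendor. It assumes the encrypted-file layout `<original name>.id[<victim id>].[<contact email>].eking`, which matches the post's description of "ID + [email] + .eking" but is not spelled out there in full; `$Root` and `$Report` are placeholder paths.

```powershell
<#
Added example (not part of the original post): scope an .eking infection on
a Windows host before attempting any recovery. It lists encrypted files,
pulls the victim ID and contact address out of each name, and counts ransom
notes. Assumption: encrypted names have the layout
    <original name>.id[<victim id>].[<contact email>].eking
Read-only; run from a clean admin workstation if the volume can be mounted there.
#>
param(
    [string]$Root   = 'D:\',                       # assumed: the affected volume
    [string]$Report = "$env:TEMP\eking-triage.csv" # assumed output path
)

$pattern = '^(?<orig>.+?)\.id\[(?<id>[^\]]+)\]\.\[(?<contact>[^\]]+)\]\.eking$'

# Every file that carries the .eking suffix, with the fields parsed from its name.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.eking' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match($_.Name, $pattern)
        [pscustomobject]@{
            Path      = $_.FullName
            Original  = if ($m.Success) { $m.Groups['orig'].Value }    else { '' }
            VictimId  = if ($m.Success) { $m.Groups['id'].Value }      else { '' }
            Contact   = if ($m.Success) { $m.Groups['contact'].Value } else { '' }
            Written   = $_.LastWriteTime
            SizeBytes = $_.Length
        }
    })

# The ransom notes the post names; -Include only applies together with -Recurse.
$notes = @(Get-ChildItem -Path $Root -Recurse -File -Include 'info.hta','info.txt' -ErrorAction SilentlyContinue)

$encrypted | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

"Encrypted files : $($encrypted.Count)"
"Ransom notes    : $($notes.Count)"
"Unparsed names  : $(@($encrypted | Where-Object { $_.VictimId -eq '' }).Count)  (layout differs from the assumed pattern)"

# One line per victim ID / contact pair. The earliest LastWriteTime is a lead
# for when encryption began; timestamps can be altered, so corroborate with logs.
$encrypted | Where-Object { $_.VictimId -ne '' } | Group-Object VictimId, Contact | ForEach-Object {
    $first = ($_.Group | Sort-Object Written | Select-Object -First 1).Written
    "ID/contact {0,-40} files {1,6}  earliest write {2}" -f $_.Name, $_.Count, $first
}

# Directories hit hardest, to prioritise restoring from backup.
$encrypted | Group-Object { Split-Path $_.Path -Parent } | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
"Report written to $Report"
```

Keep the CSV: it records the original file names, which is what you will need to check a backup restore for completeness, and the victim ID / contact pair is what a decryptor release or a third-party service will ask for. Do not delete the ransom notes or the encrypted files themselves; if a decryptor appears later, both are required.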


The .eking file-extension virus has been detected as the latest variant of the Phobos ransomware family. According to the person who asked me for help, he downloaded some software, a cracking tool for Adobe Acrobat, and after a while his files (photos, videos, documents, etc.) were locked.


Unfortunately, there is currently no other tool that can decrypt files encrypted by the .eking ransomware. In other words, only the .eking developers hold the correct decryption tool. The problem with most ransomware developers, though, is that even after payment they often do not send the decryption tool and/or key. Simply put, victims who trust cybercriminals and pay the ransom are often cheated.


How does the .eking ransomware infect my computer?

The most common methods cybercriminals use to spread ransomware and other malware are spam campaigns, fake software updaters, unreliable download channels, unofficial software activation ("crack") tools and Trojans.

Spam campaigns send emails that carry malicious attachments, or links to websites that download malicious files. Either way, the goal is to trick the recipient into opening (executing) a file that installs the malware. The attachments are usually Microsoft Office documents, archives (ZIP, RAR), PDF documents, JavaScript files or executables (.exe).

Fake software updaters are another popular method. Unofficial third-party update tools do not actually update or repair the installed software; they exploit flaws in outdated software to install malware or infect the system.

Unreliable download channels can also distribute malware. Users who download through peer-to-peer networks (torrent clients, eMule), free file hosting, freeware download sites and similar channels can receive malicious files that install malware when executed. Such files are often disguised as legitimate, ordinary files.

Software "crack" tools are programs people use to activate paid software for free. Instead of activating anything, they let the tool install ransomware and other malware.

Trojans, once installed, are designed to drop other malware. In short, once one such program is installed, further damage is likely.


How to protect yourself from the .eking ransomware?

Do not open links or attachments in irrelevant emails, especially those from unknown or suspicious addresses; examine such emails carefully before opening anything. Download software only from official websites or direct links; unofficial pages, third-party downloaders and installers, and the other channels mentioned above are not trustworthy. Update and activate software correctly, that is, with the functions or tools provided by the official developer; other tools are commonly used to distribute malware, and using unofficial third-party tools to activate licensed software is also illegal. Finally, scan the computer regularly with reputable, up-to-date antivirus or anti-spyware software.


How to restore files encrypted by the .eking Phobos ransomware?

This ransomware belongs to the Phobos family; decryption is currently not supported.

1. If the files are not urgently needed, keep a backup of the encrypted copies and wait: a decryption tool may be released if the operators are caught or have a change of heart.

2. If the files are urgently needed, you can add the service account (shujuxf) and send file samples for a free consultation on data recovery options, or seek other third-party decryption services.


Ransomware prevention: daily protection suggestions

Prevention matters far more than rescue. To avoid incidents like this, it is strongly recommended that you take the following protective measures every day:

1. Do not use the same account and password on multiple machines, to avoid the tragedy of "one machine falls and the whole network is paralyzed";

2. Login passwords should be long and complex enough, and should be changed regularly;

3. Strictly control permissions on shared folders, and use cloud collaboration as far as possible where data must be shared;

4. Patch system vulnerabilities promptly, and do not ignore security patches for common services;

5. Close non-essential services and high-risk ports such as 135, 139, 445 and 3389;

6. Back up, back up, back up! Important data must be backed up regularly to isolated storage. Use RAID, multi-machine off-site backup and hybrid cloud backup, and for confidential or important files use several methods at once. Note that RAID by itself only protects against disk failure: ransomware encrypts the live volume, and a RAID mirror faithfully encrypts both copies, so the copy that counts is the one the server cannot write to (offline, or on storage the server has no credentials for);

7. Improve security awareness: do not click unfamiliar links, email attachments from unknown sources, or files sent by strangers over instant messaging. Run a security scan before opening or executing anything, and download and install software from safe, trusted channels;

8. Install professional security software, make sure its monitoring is turned on and running normally, and keep it updated.
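Items 2, 4, 5 and 8 of the checklist can be applied to a Windows server in a few PowerShell statements. The script below is an added example for this page, not part of the original post; `$AdminNet` is an assumed placeholder for the network your administrators connect from, and the firewall group ID in the comment is the built-in Remote Desktop rule group.

```powershell
<#
Added example (not part of the original post): apply checklist items 2, 4,
5 and 8 to a Windows server. Run in an elevated session and read each step
first: blocking 445 and 3389 cuts off SMB shares and Remote Desktop for
everyone, including you. $AdminNet is an assumed placeholder.
#>
#Requires -RunAsAdministrator
param([string]$AdminNet = '10.0.0.0/24')

# 5. High-risk ports. Windows Firewall evaluates Block rules before Allow
#    rules, so 3389 is restricted by disabling the built-in Remote Desktop
#    allow rules and adding one scoped to $AdminNet, while 135/139/445 get an
#    outright Block (drop that rule if this host must serve SMB shares).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Block inbound RPC/NetBIOS/SMB (135,139,445)' `
    -Direction Inbound -Protocol TCP -LocalPort 135,139,445 -Action Block
# Localized display group; on non-English Windows use -Group '@FirewallAPI.dll,-28752'.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'Allow RDP from admin network only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminNet -Action Allow

# Still item 5: turn off the legacy SMBv1 dialect, and require Network Level
# Authentication for RDP so an unauthenticated client never reaches the logon screen.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 2. Minimum length, rotation and lockout, so RDP credential guessing stalls.
net accounts /minpwlen:14 /maxpwage:90 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Show how stale patching is; installation itself goes through Windows Update.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# 8. Confirm the built-in antimalware engine is on and its signatures are current.
Update-MpSignature
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

# Check: services may still listen on the blocked ports; the firewall is what
# stops remote reach. Anything listed here without a business need should be
# stopped and disabled as well.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 135,139,445,3389 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Apply this from a console session or from an address inside `$AdminNet`, otherwise the RDP change will lock you out. The final listing is the check to repeat after every change: a service still listening on 3389 or 445 from a public interface, with no firewall rule in front of it, is exactly the exposure the "open RDP" propagation route above relies on.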


Source: blog.csdn.net/tel17620159934/article/details/109138283