Eking Ransomware - New Deadly Ransomware 2020

Eking ransomware is a malicious file-encrypting virus that was first discovered on May 17th, 2020. According to the researchers, the virus is being distributed via torrenting websites bundled with Adobe Acrobat Medicines. Once the malicious payload is launched, Eking starts the first phase of the attack, i.e. it injects malicious .exe processes and gains administrative privileges over the system. The second phase is file encryption. For locking up victims' files, the criminals behind this ransomware use AES encryption and the id.[[email protected]].eking appendix.

Eking ransomware virus genealogically stems from the infamous Phobos ransomware family, which has over 20 members, including Mamba, Phoenix, and ISO ransomware. Just like its predecessors, it mimics the notorious file-encrypting viruses from the Dharma family. It uses an identical style for the ransom note and provides word-for-word the same instructions in it. At the moment, the Eking virus creates a pop-up window info.hta or a text file info.txt in every folder that contains locked files. The file contains two contact emails: [email protected] and [email protected]. However, neither contacting the criminals nor paying the ransom is recommended.

The .eking file extension virus has been detected as the latest Phobos variant. The user who is considered to be the first victim of this ransomware reported that he had downloaded some software, specifically a Medicines for Adobe Acrobat, and soon after that files such as photos, videos, documents, etc. got locked, with the id.[decphob @ tuta.io].eking affix appearing in their titles.

Eking deletes shadow copies of files, disables the Windows recovery and repair functions at the boot stage, disables the firewall with netsh commands, and launches the mshta.exe application to display the ransom demands:
vssadmin.exe vssadmin delete shadows /all /quiet
WMIC.exe wmic shadowcopy delete
bcdedit.exe bcdedit /set default recoveryenabled no
bcdedit.exe bcdedit /set default bootstatuspolicy ignoreallfailures
netsh.exe netsh advfirewall set currentprofile state off
netsh.exe netsh firewall set opmode mode=disable
mshta.exe "%USERPROFILE%\Desktop\info.hta"
mshta.exe "%PUBLIC%\desktop\info.hta"
mshta.exe "C:\info.hta"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exec.exe
The Eking ransomware virus also displays a ransom note, which, as we have already pointed out above, is similar to the one displayed by Dharma. Victims may see a pop-up info.hta, which states the fact of an attack, provides contact information, an ID number, and instructions on how to purchase Bitcoins. In addition, it may generate an info.txt file in every folder that contains encrypted data. The Eking ransom note contains the following information:
Your PC has been infected by a ransomware. If you want to restore them, contact the following address below.
E – Mail contact – decphob @ tuta.io / decphob @ protonmail.com
If there is no answer in 24 hours. Try to contact us via Sonar.
Download TOR browser
hxxps://www.torproject.org/download/
While using your TOR browser copy and paste the URL below:
hxxp://kcxb2moqaw76xrhv.onion/
Register an account and message us in our ID : decphob
If the TOR link is not working go to hxxps://onion.live
NEVER RENAME ENCRYPTED FILES THIS MAY CAUSE DAMAGE TO YOUR FILES PERMANENTLY
[Screenshot of the ransom note]
The size of the ransom is not clear, though it may vary from $300 to $5000 in Bitcoins. However, paying the ransom is not recommended due to identity theft and other harm that hackers can cause. Instead, use the most powerful AV tool and remove Eking ransomware from your PC. Based on the VirusTotal information, 47 AV engines out of 72 detect the ransomware files as malicious. These are examples of AV detections:

  • Trojan.GenericKD.33855769
  • Malware@#jur7x0zvg9ce
  • A Variant Of MSIL/Kryptik.VYW
  • HEUR:Trojan-PSW.MSIL.Agensla.gen
  • ML.Attribute.HighConfidence
  • Win32:pWSX-gen [Trj]
  • Gen:NN.ZemsilF.34110.vm0@aOGvnLi
  • Trojan.GenericKD.33855769 (B), etc.
Eking ransomware is extremely dangerous not only because of the aggressive compromise of personal files. Before running the cipher, the virus includes a malicious module in the Windows Task Manager and injects intrusive entries into the Windows Registry. Moreover, it alters the Windows boot sequence and grants itself administrative privileges. This way, criminals weaken the system's security, diminish its performance, and can misuse the breach as a backdoor for other malicious viruses (trojans, RATs, or spyware).

Moreover, the Eking virus might initiate alterations on the security system, thus preventing AV programs from detecting it. In this case, the removal of the virus requires rebooting the system into Safe Mode with Networking or enabling System Restore. While in Safe Mode, use reliable antivirus software, for instance, Malwarebytes or SpyHunter 5 to scan the machine and delete all malicious entries.

Once you remove Eking ransomware from the system, investigate all the methods that could be applied for data encryption. If you have backups, then a ransomware attack is not a big deal for you. If unfortunately, there are no backups, you can try third-party data recovery software or contact the ransomware researchers and ask them for help because there's no free Eking decryptor developed, at least not yet.

Eking ransomware removal methods
Eking ransomware should be removed from the system as soon as you notice such an extension appended to your files. Don't forget that ransomware viruses are often supplemented with multiple payloads, so the longer it stays on the system, the higher the risk of getting a trojan or spyware infection in the background.

Besides, it's important to remove the Eking virus before any attempts to recover locked files. Otherwise, the ransomware may strike again and re-encrypt the data. Elimination of this virus requires purchasing a full package of a really professional anti-virus program. We recommend using these tools: SpyHunter 5 or Malwarebytes.

Also, upon Eking removal scan the system with Reimage to restore its technical side to the state prior to the attack. Only after that take action to retrieve data that the virus encrypted.
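As an added example (not part of the original post), the following Python script turns the command list above into detection logic: it scans constructed, Sysmon-style process-creation lines for the shadow-copy deletion, boot-recovery and firewall changes, info.hta display and Startup-folder persistence the post describes, and checks file names for the Phobos-style `.id[<id>].[<email>].eking` affix. The log line format and the exact layout of the affix are assumptions.

```python
import re

# Tag -> case-insensitive regex over a process command line, one per
# defence-evasion step listed in the post.
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "firewall_disabled": re.compile(
        r"netsh(\.exe)?\s+(advfirewall\s+set\s+\S+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I),
    "ransom_note_display": re.compile(r"mshta(\.exe)?\s+.*info\.hta", re.I),
    "startup_persistence": re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\\s"]+\.exe', re.I),
}
# Assumed encrypted-name layout: "<file>.id[<id>].[<email>].eking" (the post's id.[...].eking affix).
EKING_NAME = re.compile(r"\.id\[[^\]]*\]\.\[[^\]]*\]\.eking$", re.I)

def classify_command(cmdline):
    """Return the indicator tags matched by one process command line."""
    return [tag for tag, rx in INDICATORS.items() if rx.search(cmdline)]

def is_eking_filename(name):
    """True if a file name carries the Eking/Phobos-style encrypted-file affix."""
    return bool(EKING_NAME.search(name))

def scan_process_log(lines):
    """Scan 'Image: ... CommandLine: ...' lines; return (line_no, tags) for each hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r"CommandLine:\s*(.*)$", line)
        tags = classify_command(m.group(1)) if m else []
        if tags:
            hits.append((no, tags))
    return hits

def summarize(hits):
    """Distinct tactics seen; two or more together is the chain the post describes."""
    seen = sorted({t for _, tags in hits for t in tags})
    return seen, len(seen) >= 2

# Constructed sample log lines (hypothetical, Sysmon-like); not taken from the post.
SAMPLE_LOG = [
    r"Image: C:\Windows\System32\svchost.exe CommandLine: svchost.exe -k netsvcs",
    r"Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin delete shadows /all /quiet",
    r"Image: C:\Windows\System32\wbem\WMIC.exe CommandLine: wmic shadowcopy delete",
    r"Image: C:\Windows\System32\bcdedit.exe CommandLine: bcdedit /set default recoveryenabled no",
    r"Image: C:\Windows\System32\netsh.exe CommandLine: netsh advfirewall set currentprofile state off",
    r'Image: C:\Windows\System32\mshta.exe CommandLine: mshta.exe "%USERPROFILE%\Desktop\info.hta"',
    r'Image: C:\ProgramData\exec.exe CommandLine: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exec.exe"',
]
```

Running `summarize(scan_process_log(SAMPLE_LOG))` on the constructed log flags five distinct tactics and raises the alarm; a lone `vssadmin list shadows` matches nothing.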
 

pinkfloyder

pinkfloyder
Cool info, thanks a lot!!
 

SlavkoPejic

Thanks
 

CoffinDeath

Thanks a lot.
 

l33tskiilz

And this will become a past also :)
Thanks for the info.
 

WhiteLocks

Nice info, I'll see if I can get a sample of this for testing purposes. :giggle:
 

amir_tariq

Nice info, I'll see if I can get a sample of this for testing purposes. :giggle:
Well, you can get this ransomware by downloading the latest version of Medicines/Medicines/Medicines for Adobe Acrobat Pro from torrent sites like The Pirate Bay or some other similar websites.
 

S.k.Ahmed

Awesome
 

Krshyamsb

HOW TO DECRYPT FILES WHEN IT'S INFECTED
 

amir_tariq

HOW TO DECRYPT FILES WHEN IT'S INFECTED
You can read the methods under "Eking ransomware removal methods".
 

hamabe

@Krshyamsb
As stated in the guide
Address the infection first before you decrypt the files

As for decryption,
try google for .eking ransomware decryption
 

Krshyamsb

If my files are encrypted with .covm ransomware, then how do I decrypt my files?
 

lilitheseeder

If my files are encrypted with .covm ransomware, then how do I decrypt my files?
Try nomoreransom, just google it.
 

lilitheseeder

@Krshyamsb
As stated in the guide
Address the infection first before you decrypt the files

As for decryption,
try google for .eking ransomware decryption
A good fix is nomoreransom dot com. They have guides for almost every ransomware out there :)
 