Cyber Security Center

CURATOR ransomware removal


CURATOR ransomware is malware that encrypts files. It adds .CURATOR to encrypted files, and drops a !=HOW_TO_DECRYPT_FILES=!.txt ransom note.

 

Screenshot (24)

Detected by malware researcher Michael Gillespie, CURATOR ransomware is file-encrypting malware. It targets users’ personal files, such as photos, videos, and documents to essentially blackmail users into paying money in order to recover them. CURATOR ransomware does not appear to be part of some larger ransomware family, though it’s still dangerous. Once files are encrypted, users will not be able to open them until they decrypt them using the special decryptor, which the cyber crooks behind the ransomware will try to sell to victims. Without that decryptor, file decryption is currently impossible.

Despite the fact that it’s currently impossible to decrypt files without that decryptor, paying for it is not recommended. When it comes to ransomware and the cyber crooks behind them, there is no way of knowing whether they will keep their end of the deal. This is especially the case with unknown ransomware like CURATOR, as their track record is not known. It’s not uncommon for victims of ransomware to not receive the decryptor they paid for, as cyber crooks do not send it, for whatever reason. Furthermore, users paying the ransom encourages these cyber crooks to continue.

The only users who can recover files for free are those who have backup of their files. Backing up important files is essential nowadays, with ransomware being more common than ever. And those who do have it, they can access it as soon as they remove CURATOR ransomware. If users access the backup while the ransomware is still present, those files may become encrypted as well.

We should mention that malware researchers do occasionally release free decryptors to help users recover files for free. However, it’s not always possible to develop one. But if one was to be developed, it would be available on NoMoreRansom. But users should be careful of fake decryptors promoted on various questionable forums, as they may actually be malware.

Is it possible to decrypt CURATOR ransomware files?

When users initiate the ransomware, it will start file encryption. As we said above, it mainly targets files that users would be most willing to pay for. That includes photo, videos, and documents. Users will be able to tell which files have been encrypted by the added .CURATOR extension. Users will be unable to open those files until they’re decrypted with the special decryptor, which will be offered to users via the !=HOW_TO_DECRYPT_FILES=!.txt ransom note.

The ransom note does not mention how much the decryptor costs, only that users need to send an email to the provided email addresses. They also promise to decrypt up to three files for free.

Whatever the price for the decryptor is, paying it is very risky. There really is no way of knowing whether the decryptor will be sent to users, or if it will actually work. Many users have been tricked in the past, so we feel it’s necessary to warn them.

Here is the ransom note dropped by this ransomware:

Hello!
All your important data has been encrypted. !
Your files are safe! Only modified(ChaCha+AES)
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server.

HOW TO RECOVER FILES???

Please write us to the e-mail:
assistantkeys@rape.lol
If you will get no answer within 24 hours contact us by our alternate emails:
mending8888@airmail.cc
To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.
Attach 1-3 file to the letter (no more than 5Mb). Indicate your personal ID on the letter:

* No software available on internet can help you. We are the only ones able to solve your problem.
* Make contact as soon as possible. Your private key (decryption key) is onlystored temporarily.
* Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.

CURATOR ransomware distribution

It’s usually users who have bad browsing habits that end up infecting their computers with ransomware. Simply by developing better browsing habits, users would be able to avoid a lot of malware. Those better habits include not opening unsolicited email attachments without first checking them, not pirating via torrents, and not clicking on ads while on high-risk websites.

By opening malicious email attachments users often end up infecting their computers with all kinds of malware. As long as users pay attention to what they open, they should be able to avoid malware. Users should look out for grammar and spelling mistakes in the text, random-looking sender’s email addresses, and strong pressure to open the email attachment. We recommend always scanning unsolicited email attachments with anti-virus software or VirusTotal.

Users who use torrents to pirate content are also at high risk of picking up some kind of infection. Users are discouraged from pirating because it’s essentially stealing but also because torrent sites are full of malware. It’s not difficult for malware distributors to disguise their malware as some kind of popular movie, TV show, game, etc.

How to delete CURATOR ransomware

In order to fully and safely remove CURATOR ransomware from their computer, users will need to use anti-malware software. It’s detected by the majority of security programs so users should have no issues. Unfortunately, CURATOR ransomware removal does not decrypt files.

CURATOR ransomware is detected as:

  • Generic.Ransom.LockCrypt.3.698385D5 by BitDefender
  • A Variant Of Win64/Filecoder.Y by ESET
  • HEUR:Trojan-Ransom.Win32.Generic by Kaspersky
  • Ransom.Gibberish by Malwarebytes
  • RDN/Ransom by McAfee
  • Trojan:Win32/Ymacco.AAB2 by Microsoft
  • Trojan.Win64.CRYPTLOCK.USMANJR20 by TrendMicro
  • Trojan.Gen.MBT by Symantec