Elvis ransomware is file-encrypting malware that belongs to the Dharma ransomware family. It can be differentiated from other versions by the .Elvis extension added to encrypted files. It shows a pop-up ransom note and also drops a FILES ENCRYPTED.txt one.
Elvis ransomware is part of the notorious Dharma ransomware family. We have already reported on other ransomware from this family, including Kut, bH4T, 259 and LCK. All versions are more or less the same, and can be differentiated by the extension added to encrypted files. This one adds [ElvisDark@aol.com].Elvis. Users will not be able to open files with that extension, unless they are first decrypted.
The whole purpose of ransomware is to essentially force victims into paying for decryptors. This ransomware does not mention how much it costs in the ransom note, though it will likely be somewhere between $100 and $1000, as that is usually how much the decryptors cost. Whatever the price may be, paying the ransom is not recommended. We always say that there are no guarantees that a decryptor will be sent, so it is always risky. Even when users are sent decryptors, they don’t always work. On top of that, users paying the ransom makes ransomware a profitable business for cyber criminals, which encourages them to continue. If users started backing up files and had a good plan for situations like this, ransomware would not be such a huge issue.
Victims should also be aware that malware researchers do release free decryptors to help users recover files without paying the ransom. However, this is not always possible. Nonetheless, users who do not have backup should back up encrypted files and wait for NoMoreRansom, Emsisoft, anti-virus vendors or malware researchers to release a free decryptor.
File recovery should not be an issue for users who have backup. All they need to do first is delete Elvis ransomware. Once the ransomware is gone, users can access their backup to recover files.
How does ransomware spread?
If users want to avoid infecting their computers with malware, they need to develop good browsing habits. The most common ways users pick up ransomware is by opening malicious email attachments and downloading pirated content via torrents.
It’s not uncommon for cyber criminals to use spam emails to spread their malware, and they obtain the email addresses to send the spam to from hacker forums. The email addresses usually end up there after they’re leaked or were part of a data breach. If users pay attention to what emails they open, they should be able to spot a potentially malicious one. The spam emails are usually sent from random-looking email addresses, contain many grammar/spelling mistakes, and claim that opening the email attachment is necessary because it’s an important file. All unsolicited email attachments should be scanned with anti-virus software or VirusTotal before they’re opened.
Users who wish to avoid infecting their computers with serious malware should stop pirating content. Torrent sites are often loaded with malware because they’re not regulated properly. It’s not uncommon for torrents for popular movies, TV shows, games, etc., to contain malware. So pirating via torrents is not only stealing but also dangerous for the computer.
What does Elvis ransomware do?
The ransomware will encrypt all files that are likely important to users, including videos, photos, and documents. This ensures that users will feel pressure to pay the ransom to get the decryptor. Users will be able to tell which files have been encrypted by the [ElvisDark@aol.com].Elvis extension added to encrypted files. The extension will also contain users’ unique IDs, so a file named image.jpg would become image.jpg.unique ID.[ElvisDark@aol.com].Elvis. As users likely already noticed, those files will be unopenable.
Once the encryption process is complete, users will see a pop-up ransom note, as well as FILES ENCRYPTED.txt. Both notes contain little information, only that sending an email to the address given in the notes (ElvisDark@aol.com) is necessary in order to obtain the decryptor. However, contacting these cyber crooks or paying the ransom is not recommended because a decryptor won’t necessarily be sent. Countless users have paid in the past but did not receive anything in exchange. This means backup is currently the only reliable way to recover files.
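The two indicators described above (the renamed-file scheme and the FILES ENCRYPTED.txt note) are easy to triage from a plain file listing. The script below is an added example, not part of the original article or any vendor tool: it parses the name pattern, recovers the original file name and the victim ID from each encrypted file, and counts ransom notes. The assumption that the unique ID token contains no dots or brackets is ours; the sample listing is constructed.

```python
import os
import re
from pathlib import PureWindowsPath

# Naming scheme from the article: <original name>.<unique ID>.[ElvisDark@aol.com].Elvis
# Assumption (not stated in the article): the ID token contains no dots or brackets,
# which lets the regex split the original name from the ID unambiguously.
ELVIS_NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)\.\[ElvisDark@aol\.com\]\.Elvis$",
    re.IGNORECASE,
)
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"


def parse_encrypted_name(name):
    """Return {'original', 'victim_id'} for an Elvis-renamed file, else None."""
    m = ELVIS_NAME_RE.match(name)
    if not m:
        return None
    return {"original": m.group("original"), "victim_id": m.group("victim_id")}


def triage(paths):
    """Classify a list of file paths into encrypted files, ransom notes and victim IDs."""
    encrypted, notes, ids = [], [], set()
    for p in paths:
        name = PureWindowsPath(p).name  # handles both '\\' and '/' separators
        if name.lower() == RANSOM_NOTE_NAME.lower():
            notes.append(p)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append((p, parsed["original"]))
            ids.add(parsed["victim_id"])
    return {"encrypted": encrypted, "ransom_notes": notes, "victim_ids": sorted(ids)}


def scan_directory(root):
    """Walk a real directory tree and triage every file found (read-only)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed sample listing; the ID value 1A2B3C4D is made up for illustration.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\image.jpg.1A2B3C4D.[ElvisDark@aol.com].Elvis",
    r"C:\Users\alice\Documents\report.docx.1A2B3C4D.[ElvisDark@aol.com].Elvis",
    r"C:\Users\alice\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Documents\notes.txt",  # untouched file, must not match
    r"C:\Users\alice\Music\song.mp3.1A2B3C4D.[ElvisDark@aol.com].Elvis",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted files, "
          f"{len(summary['ransom_notes'])} ransom notes, IDs: {summary['victim_ids']}")
```

Point `scan_directory` at a mounted image of the affected volume to get the same summary for a real case; it only reads file names and never modifies anything.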
Here is the text from the pop-up ransom note shown by this ransomware:
YOUR FILES ARE ENCRYPTED
Don’t worry, you can return all your files!
If you want to restore them, follow this link:email ElvisDark@aol.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Elvis ransomware removal
Anti-malware software is necessary to remove Elvis ransomware. Manual Elvis ransomware removal could do more harm than good. Once the ransomware is no longer on the computer, backups can be accessed for file recovery.
Elvis ransomware is detected as:
- Trojan.Ransom.Crysis.E by BitDefender
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom-Dharma!23A9656994B2 by McAfee
- Ransom.Crysis by Malwarebytes