Eknkfwovyzb ransomware removal

Eknkfwovyzb ransomware is malware that encrypts files. It adds the .eknkfwovyzb file extension and drops HOW TO RESTORE YOUR FILES.TXT ransom note.


Eknkfwovyzb ransomware is file-encrypting malware from the Snatch ransomware family. It encrypts important files and then demands payment for their decryption. It’s a pretty standard ransomware infection, and file recovery is not guaranteed. The gang behind it will request that victims pay a ransom in order to get the decryptor, but paying is not recommended.

When it comes to ransomware and paying the ransom, users should keep in mind that they are dealing with cyber criminals who will not necessarily feel obligated to help victims. They can easily take the ransom money and not send a decryptor. It has happened in the past, and users should be aware of the risks before making a payment.

Unfortunately, there currently is no way to recover files for free. The only sure way to recover files is from a backup. If files were backed up prior to infection, users can easily recover them once they delete Eknkfwovyzb ransomware from their computers. If the ransomware is still present, backed-up files may become encrypted as well.

Malware researchers do sometimes release decryption tools to help victims recover files for free, but it’s not always possible. There currently is no free decryptor for Eknkfwovyzb ransomware. If users have no backup and do not intend to pay the ransom, they can back up the encrypted files and wait for a free decryptor to become available.

But because there are many fake decryptors, users should be very careful about what they download. Malware disguised as a decryptor can be advertised on various untrustworthy websites. There are few sources that are safe to download from, such as Emsisoft or NoMoreRansom.

Ransomware distribution

Most ransomware uses more or less the same distribution methods. They include spam emails, torrents, software cracks, and malicious ads.

Malware is often disguised as torrents and software cracks. Pirating popular content is especially dangerous because malware is often disguised as popular movies, episodes of TV series, games, etc. Torrent websites and forums are often not regulated properly, meaning cyber criminals can easily upload malware disguised as legitimate content. By the time users notice that they have initiated malware by accident, it’s already too late if there is no anti-malware software with ransomware protection installed. Users should avoid pirating content, seeing as it’s not only stealing but also potentially dangerous for the computer.

Users should also be very careful about what ads they click on when browsing, particularly when on high-risk websites. It’s best to have an adblocker enabled when browsing high-risk sites, as it would prevent redirects and unwanted pop-ups.

One of the more common ways users pick up ransomware is via spam email attachments. Cyber criminals buy email addresses from hacking forums, where they’re put up for sale after being leaked or breached. They then launch spam email campaigns with malicious attachments, which if opened would initiate the malware. In many cases, unless someone is targeted specifically, the email will be very obviously spam. While senders may pretend to be from known companies/organizations, their email addresses would be nonsense. Furthermore, those emails are often full of grammar and spelling mistakes. Just as a precaution, it’s a good idea to scan all unsolicited email attachments with anti-malware software or VirusTotal.

What does Eknkfwovyzb ransomware do?

When users initiate the malware, it will start file encryption. It targets files like photos, documents, videos, etc., as they usually are the most important files to users. Once the encryption process is complete, the ransomware adds the .eknkfwovyzb file extension. For example, photo.jpg would become photo.jpg.eknkfwovyzb. Files with that extension cannot be opened.

A ransom note HOW TO RESTORE FILES.TXT will also be dropped. The note claims that while files have been encrypted, users can decrypt them by emailing bcpfile17@tutanota.com or doctorhelp2120@cock.li. Supposedly, users can decrypt three files for free, provided they do not contain any valuable information.

Here is the full Eknkfwovyzb ransomware ransom message:

All your files are encrypted, write to me if you want to return your files – I can do it very quickly!
Contact me by email:
bcpfile17@tutanota.com or doctorhelp2120@cock.li

The subject line must contain an encryption extension or the name of your company!
Do not rename encrypted files, you may lose them forever.
You may be a victim of fraud. Free decryption as a guarantee.
Send us up to 3 files for free decryption.
The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.)
!!! Do not turn off or restart the NAS equipment. This will lead to data loss !!!

To contact us, we recommend that you create an email address at protonmail.com or tutanota.com
Because gmail and other public email programs can block our messages!

Contacting cyber criminals, let alone paying the ransom, is not recommended. Users should keep in mind that they are dealing with cyber criminals, and there is a chance that they will simply take the money without helping users decrypt files. It has happened many times in the past, and it will happen many times in the future. So paying the ransom is always risky.

Unfortunately, there currently is no free decryption tool available. The only free way to recover files is from backup.
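
To scope a backup restore, the following Python script inventories files carrying the .eknkfwovyzb extension and any ransom notes under a directory, and checks which original files exist in a backup copy. It is an added example, not part of the original article or any vendor tool; the function names, the assumption that the backup mirrors the live tree's relative paths, and the sample tree built in demo() are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

EXT = ".eknkfwovyzb"  # extension named in this article
# The article gives the note name in two forms; match either, case-insensitively.
NOTE_NAMES = {"how to restore your files.txt", "how to restore files.txt"}


def inventory(root, backup_root=None):
    """Read-only scan: list encrypted files, ransom notes and backup coverage."""
    root = Path(root)
    report = {"encrypted": [], "notes": [], "restorable": [], "missing": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lowered = name.lower()
            if lowered in NOTE_NAMES:
                report["notes"].append(path.relative_to(root).as_posix())
            elif lowered.endswith(EXT) and len(name) > len(EXT):
                # photo.jpg.eknkfwovyzb -> photo.jpg (original name, per the article)
                original = path.with_name(name[: -len(EXT)]).relative_to(root)
                report["encrypted"].append(path.relative_to(root).as_posix())
                if backup_root is not None:
                    # Assumption: the backup mirrors the live tree's relative paths.
                    found = (Path(backup_root) / original).is_file()
                    report["restorable" if found else "missing"].append(original.as_posix())
    return {key: sorted(values) for key, values in report.items()}


def demo():
    """Run the inventory over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for base in (live, backup):
            (base / "docs").mkdir(parents=True)
        for rel in ("photo.jpg" + EXT, "docs/report.docx" + EXT, "docs/new.xlsx" + EXT,
                    "docs/HOW TO RESTORE YOUR FILES.TXT", "notes.txt"):
            (live / rel).write_bytes(b"constructed sample")
        for rel in ("photo.jpg", "docs/report.docx"):
            (backup / rel).write_bytes(b"clean copy")
        return inventory(live, backup)


if __name__ == "__main__":
    for key, values in demo().items():
        print(f"{key}: {values}")
```

The scan only reads directory listings and never renames or modifies files. Files listed under "missing" have no backup copy and are the ones worth preserving in encrypted form in case a free decryptor is released.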

Eknkfwovyzb ransomware removal

To remove Eknkfwovyzb ransomware fully and safely, users should use anti-malware software. Reliable anti-malware with ransomware protection would also prevent future ransomware infections so it is recommended to have one protecting the computer long-term. Users should not attempt to manually delete Eknkfwovyzb ransomware, as it could cause even more damage.

Eknkfwovyzb ransomware is detected as:

  • HEUR:Trojan-Ransom.Win32.Gen.vho by Kaspersky
  • Ransom.Snatch by Malwarebytes
  • Ransom:Win64/Snatch.A!MTB by Microsoft
  • Win64:Trojan-gen by Avast/AVG
  • Artemis!71E152EE68CA by McAfee