Geneve ransomware is a recently released file-encrypting malware. It appears that the ransomware adds a random file extension to encrypted files (one example is .fezmm), and drops a DECRYPT.html ransom note.
Geneve ransomware is malware that will encrypt your files, which makes it one of the more dangerous infections out there. This ransomware may be difficult for users to identify because it seems to add a random extension to encrypted files. But this ransomware drops a DECRYPT.html ransom note and gives firstname.lastname@example.org and email@example.com as the contact addresses, so there are clues to point users in the right direction.
Unfortunately, once files have been encrypted, users will not be able to open them until they are decrypted with a special decryptor. The malicious party operating this ransomware will try to sell victims the decryption tool for $400 and later for $800, but buying it is not recommended. There is nothing to ensure that you would actually get the decryptor, no matter what the cyber criminals may be saying. But without that decryptor, there currently is no way to decrypt files. It is possible that a free decryptor will be released by malware researchers in the future, but one is not yet available. We should also note that malware disguised as decryptors is not uncommon so users should be very careful about where they download decryptors from. Only legitimate sources, such as NoMoreRansom, Emsisoft, other anti-virus vendors and malware researchers should be trusted to provide safe and legitimate decryptors.
Currently, the only users who can recover files for free are those who backed up files prior to infecting their computers with ransomware. If they have backup, all users need to do is remove Geneve ransomware and they can then access backup to recover files. If the ransomware is still present when backup is accessed, those files may become encrypted as well.
What does Geneve ransomware do?
As soon as the ransomware enters a computer, it will start encrypting files. The majority of users’ files will be encrypted, including all photos, videos, and documents. All affected files will have an extension added to them, though the extensions seem to be different every time. Encrypted files will look like this: filename.file extension.ransomware added extension. For example, image.jpg -> image.jpg.fezmm. Users will not be able to open the files with a ransomware extension without first decrypting them. Once files have been encrypted, users will find a DECRYPT.html ransom note in all folders containing encrypted files. The note will explain that recovering files involves paying the ransom. The initial price for the decryptor is $400 but the price goes up to $800 after a certain time. The ransom needs to be paid in Bitcoins. Before making the payment, the ransom note demands that victims send an email with their assigned ID to either firstname.lastname@example.org or email@example.com.
Despite what the note may say, paying the ransom, or even contacting these cyber crooks is not recommended. There really are no guarantees that victims would be sent a decryptor, considering these are cyber criminals users are dealing with. Many users in the past were left with encrypted files and lost money because the crooks were unable to decrypt files or simply did not care to help.
Here is text from the ransom note dropped by Geneve ransomware :
Your files are encrypted
How to decrypt your files?
You need to buy a decryptor. Decryptor – is a software which we create for each client separately, it contains unique private key to recover client’s files.
This is a business for us and we work honestly. If we do not do our work and liabilities – no one will cooperate with us.
Current price: $400 ≈ 0.03466305 BTC
Next price: $800 ≈ 0.07458021 BTC
How to buy decryptor?
Send us an email to: firstname.lastname@example.org or email@example.com
In subject line of your message write your personal ID: –
Create a Bitcoin Wallet (we recommend blockchain.com)
Buy the necessary amount of Bitcoins. Current amount for buying is
Send amount to the address that you receive when write to us
Download decryptor from the email message
* We guarantee that you can decrypt all your files quickly and safely.
Why should I pay?
Why should I pay if there are free decryptors in the internet? So, we have an answer. There are some programs which storage private key on the client machine and it gives a chance for antivirus companies to find it and recover files. We don’t work in this way. Private key storage on our servers and have never been on your machine.
Maybe in-build functionality of Windows “shadow copies” can help you? They could, but we deleted them all.
What about file restore programs? We have cared about it also. There is a cipher utility which populate each sector of your HDD with zero, then with one and then again with zero. It kills chances to restore files from HDD sectors.
What if hack encryption algorithm? We use (AES256 with RSA-2048) algorithm it makes not possible decryption without private key (even NSA can’t hack it).
It means there is no chance to restore your files without our software. If you try, you can lose your files and we will not be able to help you.
To verify the possibility of the recovery of your files we can decrypt one image file for free.
You can send it by email, the size of image should be less then 5mb.
Unfortunately, there currently is no free decryptor, though one might be released sometime in the future. Victims are recommended to back up the encrypted files and store them somewhere safe until a free decryptor becomes available.
How does ransomware spread?
Ransomware in most cases enters a computer because of users’ bad browsing habits. The bad habits include opening random email attachments without double checking, downloading torrents, clicking on ads when on high-risk websites, etc.
Using torrents to download pirated content, or pirating in general is very risky and can often result in a serious malware infection. Torrent sites and forums are not strictly regulated, which cyber criminals can use to spread malware. They can easily disguise their malware as content that’s popular at that time, and upload it on torrent sites.
But perhaps the most common way users infect their computers with ransomware is by opening spam email attachments. Though in many cases, the emails carrying malware are quite obvious. They will be full of grammar and spelling mistakes, will be sent from email address that look completely random, and claim that users need to urgently open the attached file as it supposedly contains important information. Generally, when dealing with unsolicited emails that come with attachments, the files should always be scanned with anti-virus software or VirusTotal before they are opened.
Geneve ransomware removal
Because it is a complex infection, users should only use anti-virus to delete Geneve ransomware. Manual Geneve ransomware removal could cause even more damage, so it’s not recommended. And once users remove Geneve ransomware, they can start file recovery via backup. Unfortunately, removing the ransomware does nothing to decrypt files, the decryptor is necessary for that.