Cyber Security Center

How to delete TG33 ransomware


TG33 ransomware is malicious software from the Matrix ransomware family. It encrypts files, renames them to [TomGate33@criptext.com].[random characters].TG33 and drops a TG33_INFO.rtf ransom note.

 

Ransomware (3)

TG33 ransomware is file-encrypting malware that comes from the Matrix ransomware family. We have written about three other versions by the same gang before, JB88, BG85 and ANN. All versions are more or less the same, though that does not mean this ransomware is not dangerous.

When the ransomware gets into a computer, it immediately starts encrypting files. Users will not be able open any files that have been renamed to [TomGate33@criptext.com].[random characters].TG33. Unfortunately, those files will remain unopenable until they’re decrypted with a special tool. The cyber crooks behind this ransomware will try to sell the decryptor to victims, though the ransom note TG33_INFO.rtf does not mention the price. In any case, buying the decryptor, or even contacting the cyber criminals behind this ransomware is not recommended. There are no guarantees that a decryptor would be sent to users, or that it would work. Furthermore, paying only encourages cyber criminals to continue their criminal activity.

If users have backup, they can start recovering files as soon as they remove TG33 ransomware from their computers. For those who don’t have backup, waiting for a free decryptor to be released by malware researchers is an option.

Ransomware encrypts important files

When users accidentally initiate the ransomware, it begins file encryption. Like all ransomware, TG33 ransomware targets sensitive files, such as photos, videos, documents, etc. Once the files have been encrypted, an extension will appear. This ransomware renames files to [TomGate33@criptext.com].[random characters].TG33. Users will not be able to open the renamed files until they’re decrypted. However, to decrypt them, users need to use a special decryptor. Cyber criminals will explain this in the TG33_INFO.rtf ransom note. The note mentions that victims can decrypt three files for free if they don’t contain any important information, as proof that files can indeed be decrypted.

Victims have the option of purchasing the decryptor from the cyber criminals behind this ransomware, though the price is not mentioned. That, however, is not recommended, primarily because it does not guarantee file decryption. There’s really no way of knowing whether a decryptor will actually be sent to victims who pay. Furthermore, paying would make ransomware profitable for these cyber crooks, which would encourage them to continue. One of the reasons why ransomware is still such a big threat is because users do not back up their data and end up paying ransomware to get their files back.

Here’s the ransom note dropped by TG33 ransomware:

ALL YOUR VALUABLE DATA WAS ENCRYPTED!

All yоur filеs wеrе еnсrуptеd with strоng crуptо аlgоrithm АЕS-256 + RSА-2048.
Plеаsе bе surе thаt yоur filеs аrе nоt brоkеn аnd уоu cаn rеstоrе thеm tоdаy.

If yоu rеаllу wаnt tо rеstоrе yоur filеs plеаsе writе us tо thе е-mаils:
TomGate33@criptext.com
TomGate33@yahoo.com
TomGate33@tutanota.com
In subjеct linе writе уоur ID: –

Impоrtаnt! Plеаsе sеnd yоur mеssаgе tо аll оf оur 3 е-mаil аddrеssеs. This is rеаllу impоrtаnt bеcаusе оf dеlivеrу prоblеms оf sоmе mаil sеrviсеs!
Important! If you haven’t received a response from us within 24 hours, please try to use a different email service (Gmail, Yahoo, AOL, etc).
Important! Please check your SPAM folder each time you wait for our response! If you find our email in the SPAM folder please move it to your Inbox.
Important! We are always in touch and ready to help you as soon as possible!

Аttаch up tо 3 smаll еncrуptеd filеs fоr frее tеst dесryption. Plеаsе nоte thаt thе filеs yоu sеnd us shоuld nоt cоntаin аnу vаluаblе infоrmаtiоn. Wе will sеnd yоu tеst dеcrуptеd files in оur rеspоnsе fоr yоur cоnfidеnсе.
Of course you will receive all the necessary instructions hоw tо dеcrуpt yоur filеs!

Important!
Plеаsе nоte that we are professionals and just doing our job!
Please dо nоt wаstе thе timе аnd dо nоt trу to dесеive us – it will rеsult оnly priсе incrеаsе!
Wе аrе alwауs оpеnеd fоr diаlоg аnd rеаdy tо hеlp уоu.

Ransomware distribution methods

Users usually end up infecting their computers simply because they have bad browsing habits, which include opening spam email attachments, pirating via torrents and clicking on ads when on highly questionable websites.

Spam emails are one of the main ways ransomware is distributed. Malicious actors buy email addresses from hacker forums and then send emails with malicious attachments to those email addresses. All users need to do to initiate the malware is open the attached file. Fortunately for users, the majority of these malicious emails will be quite obvious, as long as users know what to look for. The first sign users should look for is a random-looking email address. In many cases, malicious emails are quite low effort, unless they are targeting someone specifically. So the email addresses from which these emails are sent will often be random-looking, despite senders claiming to be from known companies/organizations. Another obvious sign is grammar and spelling mistakes, spam emails are usually full of them. Even when everything in the email seems okay, users should still scan all unsolicited emails with anti-virus software or VirusTotal before opening them.

Users who pirate, especially via torrents, are risking infecting their computers with all kinds of malware. Torrent sites are often unregulated properly, and this allows cyber criminals to easily upload malware. It’s not uncommon for malicious actors to disguise malware as movies, TV shows, games, etc., that are popular at the time. For example, when Breaking Bad was airing, loads of episode torrents were actually malware. Users are discouraged from pirating, not only because it could be dangerous for the computer but also because it’s essentially stealing content.

TG33 ransomware removal

It’s very important that users use anti-malware software to remove TG33 ransomware. They shouldn’t try to manually delete TG33 ransomware because that may end up doing even more damage. Unfortunately, removing the ransomware does not decrypt files.

TG33 ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by Avast/AVG
  • Generic.Ransom.Matrix.D7B821CE by BitDefender
  • HEUR:Trojan-Ransom.Win32.Agent.gen by Kaspersky
  • Generic.Ransom.Matrix.D7B821CE (B) by Emsisoft
  • Ransom.Matrix by Malwarebytes
  • Ransom:Win32/Gansom.AB!MSR by Microsoft
  • ML.Attribute.HighConfidence by Symantec
  • Ransom.Win32.MATRIX.SMTH by TrendMicro