Cyber Security Center

How to delete Weui ransomware


Weui ransomware is file-encrypting malware that belongs to the notorious Djvu/STOP ransomware family. Adds .weui extension to encrypted files, which is how users can differentiate it from the other versions.

 

Weui ransom note

Djvu/STOP ransomware family is notorious for releasing new ransomware on a regular basis, such as Lisp, Sglh, Epor, Vvoa, Agho, Vpsh, and Jdyi. The newest one is Weui ransomware, named so because it adds .weui to encrypted files. This is a dangerous ransomware infection because once files are encrypted, their recovery is not guaranteed. The cyber criminals behind this ransomware will try to sell the decryptor for $980 (or $490 if contact is made within the first 72 hours) but paying the ransom is not recommended for a couple of reasons. First of all, there are no guarantees that a decryptor will actually be sent to those who pay. Second, the money users pay encourages cyber criminals to continue their malicious activity. The reality is that as long as users continue to pay the ransom, ransomware will remain a significant threat.

Backup is currently the only way users can recover files. If users have backed up files prior to them becoming encrypted, they can start file recovery as soon as they remove Weui ransomware from their computer. But users should keep in mind that if the ransomware is not fully deleted, accessing backup could lead to those files becoming encrypted as well.

Users should be aware that there is no free decryptor for Weui ransomware currently available. Malware researchers do release free decryptors when possible but because Weui ransomware uses online keys for file encryption, a free decryptor cannot be released since the keys necessary for decryption are unique to each user. There is a free decryptor for early Djvu/STOP ransomware versions but it will not work on Weui or other newer versions. It’s worth a try, however, as in rare cases, new Djvu versions use offline keys to encrypt files.

If users don’t have backup and no other way to recover files, they should back up the encrypted files and occasionally check NoMoreRansom, Emsisoft or other legitimate sources for a decryptor. However, users should be very careful about where they download decryptors from, as they could be disguised malware.

How is ransomware distributed?

Ransomware is often distributed via email attachments and torrents. Users who have bad browsing habits are usually at much higher risk of infecting their computers because they open unsolicited email attachments without first checking them and download pirated content via torrents. If users develop better browsing habits, they should be able to avoid a large amount of malware.

Spam email is often used to distribute ransomware, which is why users need to be very careful with unsolicited email attachments. Malspam is often sent to users whose email addresses have been leaked or part of a data breach, and they infect their computers with malware by opening those malicious email attachments. Fortunately for users, malspam is often pretty obvious. Emails containing malicious attachments are often sent from random email addresses, they contain loads of grammar and spelling mistakes, and put on strong pressure on users to open the attachments. Some malspam may be more sophisticated, which is why users are recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.

Users who pirate copyrighted content via torrents are also at increased risk of picking up malware. It’s common knowledge that torrent sites are not regulated properly, which allows cyber criminals to upload torrents with malware concealed inside them. It’s usually torrents for popular movies, TV shows and video games that contain malware. Thus, not only is pirating essentially stealing content, it’s also dangerous for the computer and user data.

Can encrypted files be recovered?

Users can notice this ransomware when a fake Windows Update window appears. It’s supposed to distract users from the fact that their files are being encrypted. Users will know when their files have been encrypted because they will have .weui added to them. For example, image.jpg would become image.jpg.weui. Users will not be able to open files with that extension until they’re first decrypted.

Once the ransomware is done encrypting files, it will drop a _readme.txt ransom note. The note explains that files have been encrypted, and the only way to recover them is to use their decryptor. That is, unfortunately, mostly true. The cyber crooks behind this ransomware demand users pay $980 in ransom. If victims contact them within the first 72 hours, they can supposedly get a 50% discount. However, whether it’s $980 or $490, paying is very risky. Like we said above, it does not guarantee that victims will receive a decryptor. At this time, only users who have backup can recover files for free.

Here is the ransom note dropped by Weui ransomware:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-YZknSAUPZD
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Weui ransomware removal

It’s highly recommended that users use anti-malware software to delete Weui ransomware from their computers. Otherwise, they could end up doing even more damage. Once the ransomware is gone, users can start file recovery via backup.

Weui ransomware is detected as:

  • Gen:Variant.Zusy.350579 (B) by Emsisoft
  • A Variant Of Win32/Kryptik.HHUP by ESET
  • HEUR:Trojan.Win32.Chapak.gen by Kaspersky
  • ML.Attribute.HighConfidence by Symantec
  • TROJ_GEN.R06CC0WKT20 by TrendMicro
  • Trojan:Win32/Glupteba by Microsoft
  • GenericRXMT-MO!FBD37048D6A9 by McAfee
  • Trojan.MalPack.GS by Malwarebytes
  • Win32:PWSX-gen [Trj] by Avast/AVG