Eking ransomware, from the Phobos malware family, is file-encrypting malware that encrypts and renames files. Encrypted files get an extension consisting of the victim’s ID and [firstname.lastname@example.org].eking. The ransomware demands that victims pay a certain sum of money, though the amount is not specified in the info.txt/info.hta ransom notes.
Eking ransomware comes from the notorious Phobos ransomware family, whose files currently cannot be decrypted without paying the ransom. Eking ransomware is recognisable by the .eking extension added to encrypted files. Users will not be able to open files with this extension because they have been encrypted. A ransom note dropped once encryption is complete explains that, to get a decryptor, it is necessary to contact the gang behind the ransomware. Essentially, victims are asked to pay for a decryptor.
Paying is never recommended when it comes to ransomware because it does not guarantee file decryption. It’s possible that the cyber crooks behind this ransomware will not send a decryptor, or they may send a broken one. Either way, victims would end up losing their money.
Unfortunately, there is currently no way to decrypt the files for free. The only sure way to recover them is from backup. Users who backed up their files prior to encryption can start recovery as soon as they delete Eking ransomware.
Ransomware spread methods
Most ransomware spreads via methods like spam email, torrents, software cracks, malicious ads, etc. It’s not just ransomware that is distributed this way; all kinds of malware are. Developing good browsing habits often helps users avoid malware infections.
Spam email remains one of the most popular methods of distributing ransomware, as it’s relatively low-effort. Email addresses of thousands of users are sold on hacking forums, having ended up there because some service was breached or because users fell for a scam. Those addresses are then used to launch spam campaigns that spread malware. Fortunately, such emails are often full of grammar and spelling mistakes, are sent from nonsense addresses, and generally do not look convincing. As long as users pay attention when opening emails, spam should be quite noticeable. As a precaution, it’s a good idea to scan email attachments with anti-malware software or VirusTotal.
It’s also possible to pick up ransomware when downloading torrents and software cracks. Malware is often disguised as pirated content (movies, games, TV series, etc.), and when users download and open it, they may unknowingly launch the malware.
What does Eking ransomware do?
The ransomware immediately starts encrypting certain file types, such as .jpg, .doc, .txt, etc. Essentially, all files that would be important to users get encrypted. Encrypted files get an extension added that includes the victim’s unique ID and [email@example.com].eking. For example, image.jpg would be renamed to image.jpg.victim’s ID.[firstname.lastname@example.org].eking. Files with this extension cannot be opened.
Once the encryption process is complete, a ransom note info.txt is dropped, and a pop-up ransom note info.hta is also displayed. The ransom note is fairly standard for ransomware from the Phobos malware family. It explains that the computer has been infected and files encrypted, and that it’s necessary to send an email to email@example.com or firstname.lastname@example.org with the victim’s unique ID. The note does not specify the ransom amount, though it’s likely to range from $100 to $1000. It also mentions that victims can have five files decrypted for free, provided they don’t contain important information.
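To make the renaming scheme above concrete from the responder's side, here is an added Python example (not code from the article) that parses a file listing against the Eking naming pattern, separates encrypted files from the info.txt/info.hta ransom notes, and recovers the original file name plus the victim ID and contact address embedded in each name, so an analyst can inventory affected files and confirm they belong to one infection. The listing is constructed sample data; accepting both a plain ID token and a Phobos-style id[...] token is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Naming scheme described in the article: <original name>.<victim ID>.[<contact email>].eking
# ASSUMPTION: the victim ID is either a plain alphanumeric token (dashes allowed) or a
# Phobos-style "id[...]" token; both forms are accepted so the parser is not brittle.
EKING_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.(?P<victim_id>id\[[^\]]+\]|[A-Za-z0-9-]+)"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.eking$",
    re.IGNORECASE,
)

# Ransom note file names given in the article.
RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}


@dataclass(frozen=True)
class EncryptedFile:
    path: str
    original_name: str  # name before the ransomware renamed the file
    victim_id: str
    contact_email: str


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_eking_name(path: str):
    """Return an EncryptedFile if the name matches the Eking scheme, else None."""
    m = EKING_NAME.match(basename(path))
    if not m:
        return None
    return EncryptedFile(path, m["original"], m["victim_id"], m["email"])


def is_ransom_note(path: str) -> bool:
    return basename(path).lower() in RANSOM_NOTE_NAMES


def triage_listing(paths):
    """Sort a file listing into encrypted files, ransom notes and everything else,
    and collect the victim IDs and contact emails seen, so an analyst can check
    that all affected files carry the same ID (one infection, one victim ID)."""
    encrypted, notes, untouched = [], [], []
    for p in paths:
        enc = parse_eking_name(p)
        if enc:
            encrypted.append(enc)
        elif is_ransom_note(p):
            notes.append(p)
        else:
            untouched.append(p)
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "untouched": untouched,
        "victim_ids": sorted({e.victim_id for e in encrypted}),
        "contact_emails": sorted({e.contact_email.lower() for e in encrypted}),
    }


# Constructed sample listing (not real data): two encrypted files, one ransom note,
# one file the ransomware left alone, and a look-alike that must NOT be flagged.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\image.jpg.AB12CD34-2275.[firstname.lastname@example.org].eking",
    "/srv/share/report.docx.id[AB12CD34-2275].[email@example.com].eking",
    r"C:\Users\alice\Desktop\info.txt",
    "/srv/share/notes.txt",
    "/srv/share/archive.eking.bak",  # contains ".eking" but does not follow the scheme
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted, {len(result['ransom_notes'])} notes, "
          f"{len(result['untouched'])} untouched")
    for e in result["encrypted"]:
        print(f"  {e.original_name} <- {e.path}")
    print("victim IDs:", result["victim_ids"], "contacts:", result["contact_emails"])
```

Run it against a real directory walk instead of SAMPLE_LISTING to get a count of encrypted files per share, and treat more than one victim ID in the result as a sign that more than one infection touched the data. The original names recovered by the parser are exactly what is needed to match encrypted files against a backup catalogue.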
Here is the Eking ransomware info.txt note:
Your PC has been infected by a ransomware. If you want to restore them, contact the following address below.
E – Mail contact – email@example.com / firstname.lastname@example.org
If there is no answer in 24 hours. Try to contact us via Sonar.
Download TOR browser
While using your TOR browser copy and paste the URL below:
Register an account and message us in our ID : decphob
If the TOR link is not working go to hxxps://onion.live
NEVER RENAME ENCRYPTED FILES THIS MAY CAUSE DAMAGE TO YOUR FILES PERMANENTLY
However, while paying might seem like the best option to many users, it’s not recommended. Many times in the past, ransomware operators have sent a faulty decryptor, or none at all. This is not uncommon, as cyber criminals have no obligation to keep their end of the agreement. Thus, paying the ransom is generally discouraged.
Unfortunately, there is currently no free way to decrypt the files. Malware researchers may release a free decryption tool in the future, but none is available right now. Users should be wary of suspicious people or companies claiming to decrypt files for a smaller fee, as that is not possible without paying the full ransom. Users should only trust legitimate malware researchers, and services like NoMoreRansom and Emsisoft, to provide safe decryptors.
For users who have backup, recovering files should not be a problem. This just goes to show how important it is that users regularly back up their files. There are multiple types of backup to choose from, so users should be able to find the most convenient method for them.
Eking ransomware removal
It is strongly recommended to use reliable anti-malware software to remove Eking ransomware from the computer. Because ransomware is quite a complex infection, manual Eking ransomware removal is not a good idea. It should, unfortunately, be mentioned that removing the ransomware does not decrypt files; that can only be done with a dedicated decryptor.
Users who have a backup can access it as soon as the ransomware is no longer present.
Eking ransomware is detected as:
- A Variant Of Generik.HVQUOJU by ESET
- Trojan.MalPack.Enigma by Malwarebytes
- Trojan.Win32.DelShad.eui by Kaspersky
- Trojan:Win32/Ymacco.AA53 by Microsoft
- Trojan.Gen.MBT by Symantec
- TROJ_GEN.R002C0RI420 by TrendMicro