How to remove Iiss ransomware


Iiss ransomware is file-encrypting malware that belongs to the Djvu/STOP ransomware family. Once initiated, it starts encrypting files, appends the .iiss file extension to them, and drops the family's standard _readme.txt ransom note.


Iiss ransom note

Detected by malware researcher Michael Gillespie, Iiss ransomware belongs to the notorious Djvu/STOP ransomware family, which has already released more than two hundred ransomware versions. The versions are more or less the same, and this one can be identified by the .iiss extension added to encrypted files. Once files are encrypted, users will not be able to open them unless they are first decrypted. However, currently the only decryptor is in the hands of the cyber criminals behind this ransomware. They will offer to sell it to victims, but engaging with them is not a good idea.

The _readme.txt ransom note offers to sell victims the decryptor for $980 (or $490 if contact is made within the first 72 hours). However, there is always a risk that the cyber crooks will simply take the money and not send a decryptor. It’s not uncommon for this to happen, as there is nothing stopping cyber crooks from simply taking the money. This, unfortunately, means that currently the only certain way to recover files is backup.

For users who have backup, file recovery should not be a problem. All users need to do is delete Iiss ransomware from the computer, and they can then access backup to retrieve the files. Users should bear in mind that if the ransomware still remains when they connect to backup, the backed up files may become encrypted as well.

We should also mention that there are many fake Djvu decryptors so users should be very careful to not further infect their computers with something. Emsisoft has released a legitimate free Djvu decryption tool but it only works for older versions, which use offline keys to encrypt files. New versions use online keys, which means a decryptor cannot be released for free until the keys are released by either the cyber crooks themselves or law enforcement if they ever identify the Djvu gang. However, all hope is not lost, and there is a possibility this could happen eventually. Thus, users who have no options should back up the encrypted files and wait for a decryptor.

How does Iiss ransomware enter a computer?

Ransomware and other malware usually infects computers of users who are not careful enough to avoid it. Ransomware can come attached to an email, as well as be included in a torrent. Users could also be tricked into downloading it when browsing high-risk websites.

Spam emails are one of the main ways users pick up ransomware. Malicious actors send emails with ransomware attached to users whose email addresses they purchase from hacker forums, where the addresses ended up after being leaked by some service. Users open those attachments, enable macros, and that initiates the ransomware. Fortunately, users can easily avoid the majority of ransomware by carefully checking emails they get before opening attachments. Common signs of a malicious email include grammar and spelling mistakes, pressure to open the email attachment, and a random-looking sender’s email address. Users should always carefully inspect all unsolicited emails with attachments for anything suspicious. Even when everything seems legitimate, all unsolicited email attachments should be scanned with anti-malware software or VirusTotal before they’re opened.

Pirating entertainment content via torrents is also a common way users pick up ransomware. It’s no secret that torrent sites are full of malware, as they are not regulated properly. This allows cyber crooks to upload torrents with malware in them. This is often the case with popular content, especially TV shows and movies. Torrents for episodes of Game of Thrones were full of malware back when the show was still airing. Thus, users should avoid pirating via torrents, not only because it’s illegal but also because it could be dangerous for the computer.

Is it possible to decrypt Iiss ransomware files?

When the ransomware is initiated, it will start encrypting files immediately. While it’s doing that, users will see a window saying “Installing important updates Windows”. All encrypted files will have the .iiss extension. For example, image.jpg would become image.jpg.iiss. All files with that extension will not be openable, unless they are first decrypted.

When the ransomware is done encrypting files, it will drop a _readme.txt ransom note, which is identical to the notes dropped by other ransomware from this family. The ransom note will explain that users can recover files by sending an email to helpmanager@mail.ch or restoremanager@airmail.cc. They will also need to pay a $980 ransom. If contact is made within 72 hours, the price would supposedly be lowered to $490. Either way, paying the ransom is not a good idea, as it does not guarantee that files would be decrypted. There are no assurances that a decryptor would be sent to users who pay; victims have been left without one many times in the past. Furthermore, paying the ransom encourages the criminals to continue their malicious activities, as it’s profitable for them. The reality is that as long as users continue paying the ransom because they don’t have backup, ransomware will be an issue.

Here is the ransom note dropped by Iiss ransomware:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-BZzaxzzYFX
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Backup is currently the only way users can recover files for free.
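As an added example (not from this page or from any vendor tool), here is a small Python triage helper that applies the indicators described above: it inventories .iiss files and _readme.txt notes in a file listing and pulls the contact addresses and ransom amounts out of a note body so they can be checked against the values quoted here. The file paths and the note excerpt are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

IISS_EXT = ".iiss"
NOTE_NAME = "_readme.txt"

# Constructed sample: a file listing as it might look after the ransomware ran.
SAMPLE_PATHS = [
    "C:/Users/alice/Pictures/image.jpg.iiss",
    "C:/Users/alice/Documents/report.docx.iiss",
    "C:/Users/alice/Documents/_readme.txt",
    "C:/Users/alice/Pictures/_readme.txt",
    "C:/Users/alice/Desktop/notes.txt",
]

# Constructed excerpt shaped like the _readme.txt note quoted above.
SAMPLE_NOTE = """ATTENTION!
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
To get this software you need write on our e-mail:
helpmanager@mail.ch
Reserve e-mail address to contact us:
restoremanager@airmail.cc
"""


def triage_paths(paths):
    """Split a listing into encrypted files and ransom note locations.
    Returns (encrypted, notes): encrypted maps each .iiss path to the
    original file name (image.jpg.iiss -> image.jpg); notes lists note paths."""
    encrypted, notes = {}, []
    for p in paths:
        name = PureWindowsPath(p).name
        if name.lower().endswith(IISS_EXT):
            encrypted[p] = name[: -len(IISS_EXT)]
        elif name.lower() == NOTE_NAME:
            notes.append(p)
    return encrypted, notes


def parse_note(text):
    """Extract contact e-mail addresses and dollar amounts from a note body."""
    emails = sorted(set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", text)))
    amounts = [int(a) for a in re.findall(r"\$(\d+)", text)]
    return {"emails": emails, "amounts": amounts}


def matches_iiss_note(info):
    """True if the parsed note carries the contact address and price quoted on this page."""
    return "helpmanager@mail.ch" in info["emails"] and 980 in info["amounts"]


if __name__ == "__main__":
    enc, notes = triage_paths(SAMPLE_PATHS)
    print(f"{len(enc)} encrypted files, {len(notes)} ransom notes")
    print(parse_note(SAMPLE_NOTE), matches_iiss_note(parse_note(SAMPLE_NOTE)))
```

The original name recovered from each path is only the file name; the contents stay encrypted, so the inventory is for scoping the incident and checking which files need to come back from backup.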

Iiss ransomware removal

Users will need to use anti-malware software to remove Iiss ransomware from their computers. Once the ransomware is no longer present, users can access backup to start file recovery.

Iiss ransomware is detected as:

  • Win32:DropperX-gen [Drp] by Avast/AVG
  • Trojan.GenericKD.34942563 (B) by Emsisoft
  • A Variant Of Win32/Kryptik.HHAE by ESET
  • Trojan.MalPack.GS by Malwarebytes
  • HEUR:Trojan-Ransom.Win32.Stop.gen by Kaspersky
  • Trojan:Win32/Glupteba.MS!MTB by Microsoft
  • Trojan.Gen.2 by Symantec
  • Trojan-FSUC!EC1F882FED68 by McAfee