Msf ransomware is malware that encrypts files. It’s part of the Dharma ransomware family, and can be identified by the .[email@example.com].msf extension added to encrypted files. Once files are encrypted, users will be unable to open them unless they’re first decrypted. The ransomware shows a pop-up ransom note and also drops a text note named FILES ENCRYPTED.txt.
Msf ransomware is file-encrypting malware, part of the Dharma ransomware family. Dharma has released many ransomware versions, including .lock, GLB, SUKA, Cvc, ZIN, and World. This ransomware adds .[firstname.lastname@example.org].msf to encrypted files, which is how it can be identified by users. The ransomware will show a pop-up ransom note and drop a FILES ENCRYPTED.txt, and the notes explain how users can proceed to decrypt files. Getting the decryptor involves paying a ransom, though the price is not mentioned in the ransom notes. It will likely be somewhere between $100 and $1000, as that is how much cyber crooks usually demand. Whatever the price may be, users are highly discouraged from paying.
Before even considering paying, users should consider that they are dealing with cyber criminals. They are unlikely to feel obligated to send the decryptor once the payment is made. Unfortunately, many users in the past paid but did not receive the decryptor, so victims should be aware of the risks involved in paying the ransom.
Users with a backup should have no issues with recovering files, provided they first remove Msf ransomware from the computer. If the ransomware is still present when users connect to the backup, the backed-up files may become encrypted as well. Ransomware is one of the main reasons why backing up files is so important.
It should also be mentioned that malware researchers are occasionally able to release free decryptors, but it’s not always possible. A free decryptor for Dharma can be found on NoMoreRansom but it will not work on newer versions, including Msf. But users should be careful about downloading decryptors from potentially unsafe sources because they could contain malware. It’s not unexpected that malicious actors are taking advantage of the situations users are in to distribute their own malware.
Ransomware distribution and how to avoid it
Ransomware is usually distributed via methods like torrents, email attachments, system vulnerabilities, etc. Developing better computer usage habits can go a long way towards avoiding an infection.
There is a reason why users are constantly pestered to install important security updates. The updates patch known security vulnerabilities that can be used by malware to get into the system. Thus, users should always install updates when they become available.
Ransomware can also be distributed via methods like spam email. Cyber crooks buy email addresses from hacker forums and use them to launch malspam campaigns that spread malware. Malware would be disguised as some kind of important document that users supposedly need to review, and it would execute as soon as users open the file. The emails carrying malware are often fairly obvious, so if users pay attention, they should be able to identify them. They are sent from random-looking email addresses, have loads of grammar and spelling mistakes, and pressure users to open the attached files. But as a precaution, users should scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Torrents are also a common way users pick up ransomware. Torrent sites are not regulated properly, which means cyber criminals can easily put malware in a torrent for a movie, TV series, game, or software. It’s especially common for torrents for popular content to contain malware. For example, torrents for the recently-released Cyberpunk 2077 are likely full of malware because of how popular the video game currently is.
Why is ransomware so dangerous?
Users will notice when this ransomware has infected their computers because files will suddenly be encrypted and have .[email@example.com].msf added to them. This extension indicates that files are encrypted. The added extension will also contain users’ unique IDs. For example, image.jpg would become image.jpg.unique ID.[firstname.lastname@example.org].msf.
Once the ransomware is done encrypting files, a ransom note will pop up. A FILES ENCRYPTED.txt note will also be dropped. The pop-up ransom note displays the ID and the email addresses to which users are asked to send an email in order to initiate the decryption process. Those email addresses are email@example.com and firstname.lastname@example.org. Making contact with these cyber crooks is not recommended because file decryption is not guaranteed even after paying the ransom. The cyber crooks behind the ransomware can just take the money and not send the decryptor. It has happened many times in the past, and it will likely happen in the future.
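As an added example (not part of the original article and not code from any vendor), the following Python script parses the renaming scheme described above, recovers the original file names, and inventories a directory tree into encrypted files, ransom notes and intact files. The function names, the sample ID and the sample contact address are constructed, and the ID is assumed to be a single token without dots or brackets.

```python
import re
import tempfile
from pathlib import Path

# Naming scheme described in the article:
#   <original name>.<unique ID>.[<contact email>].msf
# Assumption: the ID is a single token without dots or brackets.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)"
    r"\.\[(?P<contact>[^\[\]]+)\]\.msf$",
    re.IGNORECASE,
)
RANSOM_NOTE = "files encrypted.txt"  # note file name from the article


def parse_encrypted_name(filename):
    """Split a renamed file into original name, victim ID and contact."""
    match = ENCRYPTED_NAME.match(filename)
    return match.groupdict() if match else None


def inventory(root):
    """Walk root and sort files into encrypted, ransom notes and intact."""
    report = {"encrypted": {}, "notes": [], "intact": []}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        info = parse_encrypted_name(path.name)
        if info:
            # Group original names by ID so they can be matched to backups.
            original = path.with_name(info["original"])
            report["encrypted"].setdefault(info["victim_id"], []).append(
                original.relative_to(root).as_posix())
        elif path.name.lower() == RANSOM_NOTE:
            report["notes"].append(rel)
        else:
            report["intact"].append(rel)
    return report


if __name__ == "__main__":
    # Constructed sample tree; the file names and the ID are made up.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("docs/image.jpg.id-1A2B3C4D.[contact@example.invalid].msf",
                     "docs/FILES ENCRYPTED.txt", "docs/readme.txt"):
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")
        print(inventory(tmp))
```

The per-ID list of original names gives the set of files to restore from backup once the ransomware has been removed.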
Here is the ransom note dropped by this ransomware:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message
In case of no answer in 24 hours write us to theese e-mails:firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Msf ransomware removal
Users should be using anti-virus software to remove Msf ransomware from their computers because it’s a complex malware infection. Trying to delete Msf ransomware manually could result in further damage to the computer. As soon as the ransomware is no longer present, users can open their backup to start file recovery.
Msf ransomware is detected as:
- Trojan.Ransom.Crysis.E by BitDefender
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom.Win32.CRYSIS.SM by TrendMicro
- Ransom.Crysis by Malwarebytes and Symantec
- Win32:RansomX-gen [Ransom] by Avast and AVG