Pizhon ransomware removal


Pizhon ransomware is a newly discovered file-encrypting malware. It encrypts files, appends the .pizhon-[random characters] extension to them and drops the !!!README!!!.txt ransom note.

 

Pizhon ransomware

Pizhon ransomware is malware that encrypts files. Discovered by security researcher GrujaRS, Pizhon ransomware does not appear to belong to any known ransomware family. Nonetheless, it’s a dangerous piece of malware that will encrypt files and demand that users pay for their decryption. It appears that the ransomware primarily targets users in Russian-speaking countries, as the ransom note !!!README!!!.txt is written in Russian.

Pizhon ransomware can be told apart from other ransomware by the .pizhon-[random characters] extension appended to encrypted files; the random part differs from file to file. Users will not be able to open encrypted files until they are decrypted with the attackers' tool. The cyber criminals behind this ransomware will try to sell that decryption tool to victims, though the price is not known. Whatever the price may be, paying the ransom is never recommended: it does not guarantee file decryption, and it funds further criminal activity. It's not uncommon for cyber crooks to simply take the money without sending a decryptor, and many users have ended up with their files still encrypted and their money gone.

Ransomware is one of the main reasons users are encouraged to back up their files regularly. Users who have backups of the encrypted files can simply remove Pizhon ransomware from their computers and then start restoring files.

If users don't have a backup, the situation is more complicated. Malware researchers do release free decryption tools for some ransomware, but that is not always possible. A free decryptor for Pizhon ransomware is not currently available, though that may change in the future. If one is released, it will come from NoMoreRansom, Emsisoft, other anti-virus vendors or malware researchers; users should never download decryptors from random or questionable forums.

How does ransomware infect a computer?

Users with poor browsing habits are usually the ones who pick up ransomware infections: they open random email attachments, pirate content via torrents, and click on advertisements on highly questionable websites.

Torrents are often the reason behind a ransomware infection. Torrent sites and forums are notoriously poorly moderated, which malicious actors take full advantage of. Malicious software is often hidden in torrents for entertainment content (movies, TV shows, games, software) that is popular at the time. For example, when Marvel movies come out, torrent sites fill up with malware disguised as those movies. Users are therefore strongly discouraged from pirating via torrents, as it can be dangerous.

Spam email is perhaps the most common way users get ransomware. If users are not careful with unsolicited emails and their attachments, they can easily end up infecting their computers. Malicious actors often run spam campaigns that carry malware as an attachment; all the user has to do to start the infection is open the attachment and enable macros. Fortunately, these emails can usually be spotted with a little care. When dealing with an unsolicited email, users should first check who the sender is and whether the sender's address looks legitimate. Malicious emails are also often full of grammar and spelling mistakes. But even when an unsolicited email looks completely legitimate, it is recommended to scan every unsolicited attachment with anti-virus software or VirusTotal before opening it. One caveat: files uploaded to VirusTotal are shared with its vendor and researcher community, so for documents that may contain confidential information, look up the file's hash on VirusTotal rather than uploading the file itself.

Is it possible to decrypt Pizhon ransomware files?

Pizhon ransomware targets the files users would least like to lose, such as photos, videos and documents; essentially, all personal files will be encrypted. Those files will have a .pizhon-[random characters] extension appended to them. For example, image.jpg would become image.jpg.pizhon-3ba2e8tg752a29gb. Users will not be able to open these files unless they are first decrypted.

The ransomware drops a !!!README!!!.txt ransom note containing instructions (in Russian) on how to recover files. The price of the decryptor is not mentioned. The note tells victims to download the Tor Browser, register an email account on the .onion webmail site linked in the note, and send an email to pizhon@torbox3uiot6wchz.onion containing the code displayed in the note. Victims will then supposedly receive instructions on how to recover their files, which will include paying the ransom.

Here is the ransom note dropped by Pizhon ransomware (translated from Russian; URLs and addresses are left as they appear in the note):

All your information on this computer has been encrypted.
To decrypt it, you need to perform a few simple steps:
————————————————————
1. Download the Tor Browser from this link and install it:
hxxps://www.torproject.org/download/download-easy.html
2. Open the Tor Browser, go to this address and register an e-mail account for yourself:
hxxp://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion/signup-en.php
3. Log in to the mailbox:
hxxp://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion/wm/
4. Write an e-mail to:
e-mail: pizhon@torbox3uiot6wchz.onion
State your unlock code in the e-mail: –
5. Wait for a reply.
————————————————————
Note that we will not receive e-mails sent from ordinary e-mail providers, except those on this list:
hxxp://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion/relay-en.php
————————————————————

As we said above, paying the ransom is not a good idea, as it does not guarantee file decryption. Currently, backup is the only sure way to recover Pizhon ransomware encrypted files.
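
Before restoring from backup it helps to know exactly which files were hit and where the notes were dropped. The following Python script is an added example (it is not code from this page, from the ransomware, or from any vendor's tool) that inventories a directory tree using only the indicators described above: the .pizhon-<random> extension, the !!!README!!!.txt note, and the contact address quoted in the note. The suffix alphabet [A-Za-z0-9] is an assumption drawn from the single example image.jpg.pizhon-3ba2e8tg752a29gb, and the sample tree built by demo() is constructed, not real ransomware output. The scan is read-only.

```python
"""Read-only triage of a Pizhon-affected directory tree (added example, not from the page).

Indicators used, all taken from the article:
  * encrypted files:  <original name>.pizhon-<random characters>
  * ransom note:      !!!README!!!.txt
  * contact address:  pizhon@<something>.onion (as quoted in the note)
The suffix alphabet [A-Za-z0-9] is an assumption based on the one published example.
"""
import os
import re
import tempfile
from pathlib import Path

NOTE_NAME = "!!!README!!!.txt"
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.pizhon-(?P<suffix>[A-Za-z0-9]+)$")
# Matches the contact address format quoted in the ransom note on this page.
CONTACT_RE = re.compile(r"pizhon@[a-z0-9]+\.onion")


def parse_encrypted_name(name: str):
    """Return (original_name, random_suffix) for an encrypted file name, else None."""
    m = ENCRYPTED_RE.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("suffix")


def triage(root) -> dict:
    """Inventory encrypted files and ransom notes under root. Nothing is modified."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                try:
                    text = path.read_text(encoding="utf-8", errors="replace")
                except OSError:
                    text = ""
                hit = CONTACT_RE.search(text)
                notes.append({"path": str(path), "contact": hit.group(0) if hit else None})
                continue
            parsed = parse_encrypted_name(name)
            if parsed is not None:
                original, suffix = parsed
                encrypted.append({"path": str(path), "original": original, "suffix": suffix})
    suffixes = {e["suffix"] for e in encrypted}
    return {
        "encrypted": encrypted,
        "notes": notes,
        "encrypted_count": len(encrypted),
        "distinct_suffix_count": len(suffixes),
        # The article says the random part differs per file; this flag checks that on real data.
        "suffix_unique_per_file": len(suffixes) == len(encrypted),
    }


def demo() -> dict:
    """Build a constructed sample tree in a temp dir (not real ransomware output) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Pictures").mkdir()
        (root / "Pictures" / "image.jpg.pizhon-3ba2e8tg752a29gb").write_bytes(b"\x00" * 16)
        (root / "Documents").mkdir()
        # Second suffix is invented for the demo.
        (root / "Documents" / "report.docx.pizhon-9f1c4a7b0d2e6h8k").write_bytes(b"\x00" * 16)
        (root / "Documents" / "notes.txt").write_text("untouched", encoding="utf-8")
        # Constructed note carrying the contact address quoted on the page.
        (root / "Documents" / NOTE_NAME).write_text(
            "... e-mail: pizhon@torbox3uiot6wchz.onion ...", encoding="utf-8")
        (root / NOTE_NAME).write_text("note without a contact line", encoding="utf-8")
        return triage(root)


if __name__ == "__main__":
    result = demo()
    print(f"encrypted files: {result['encrypted_count']}, "
          f"distinct suffixes: {result['distinct_suffix_count']}, "
          f"notes: {len(result['notes'])}")
    for entry in result["encrypted"]:
        print(f"  {entry['path']}  (original: {entry['original']})")
```

Run it against a read-only mount or a forensic copy of the affected volume rather than the live system. The recovered original names let you check backup coverage file by file before you delete anything, and a contact address extracted from a real note can be compared with the one quoted above to confirm you are dealing with this family and not a look-alike.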

Pizhon ransomware removal

Users will need to use anti-malware software to delete Pizhon ransomware. Users who have a backup should only connect to or access it once Pizhon ransomware has been removed; otherwise the backed-up files may be encrypted as well.

Pizhon ransomware is detected as:

  • Win64:Trojan-gen by Avast/AVG
  • A Variant Of Win64/Filecoder.O by ESET
  • Gen:Heur.Ransom.REntS.Gen.1 (B) by Emsisoft
  • HEUR:Trojan-Ransom.Win32.Crypmod.vho by Kaspersky
  • Trojan:Win32/Ymacco.AA5C by Microsoft
  • Ransom_Crypmod.R011C0GJQ20 by TrendMicro