259 ransomware is file-encrypting malware that belongs to the Dharma ransomware family. It can be distinguished from other Dharma versions by the .259 extension it appends to encrypted files. It drops the standard FILES ENCRYPTED.txt ransom note and also displays a pop-up version of it.
259 ransomware was discovered by malware researcher Jakub Kroustek, and it’s part of the Dharma ransomware family. It’s a dangerous piece of malware because it encrypts files, and it’s not always possible to recover them. The ransomware appends an extension to every encrypted file, made up of the victim’s unique ID and .[firstname.lastname@example.org].259. Files with this extension cannot be opened unless they are first decrypted. Both the pop-up ransom note and the FILES ENCRYPTED.txt note contain an email address that users are supposed to contact if they want to buy the decryptor.
However, paying the ransom/buying the decryptor is always discouraged because it does not guarantee file decryption. There is no guarantee that the cyber crooks will actually send the decryptor once they receive the payment. Many users in the past have paid and never received a decryptor, and this will likely keep happening. For now, this leaves backup as the only reliable way to recover files.
We should mention that malware researchers do release free decryption tools to help users recover files without paying the ransom, but one for 259 ransomware is not currently available. If one is released, it would come from NoMoreRansom, Emsisoft, other anti-virus vendors, or malware researchers. Users should be careful not to download fake decryptors, as they may be malicious.
Users who have backup can start file recovery as soon as they delete 259 ransomware.
Ransomware distribution methods
In many cases, ransomware enters computers of users who are not careful when browsing the Internet and using services like email. Essentially, if users were to develop better browsing habits, they would be able to avoid the majority of malware.
Opening unsolicited email attachments without first checking that they are safe is one of the main reasons users end up infecting their computers with ransomware. Launching a spam email campaign is relatively easy, and malicious actors use email addresses purchased from hacker forums. The emails are usually fairly obvious, and if users pay attention, they should be able to avoid opening something malicious. First of all, they’re often sent from random-looking email addresses. Even if the sender address does look legitimate, users should still check it with a search engine. Malicious and spam emails are also often full of grammar and spelling mistakes. Even when an email looks completely legitimate, it’s recommended to scan all unsolicited attachments with anti-virus software or VirusTotal before opening them.
Pirating can also often lead to an infection, especially via torrents. Torrent sites and forums are often unregulated, which allows cyber criminals to easily upload malware. Malware is especially common in torrents for content that’s popular at the time. For example, when Breaking Bad was airing on a weekly basis, torrent sites were full of malware disguised as the newest episode. The less users torrent, the lower the chance that their computers will be infected with some kind of malware.
What does 259 ransomware do?
When the ransomware is launched, it starts encrypting files. It targets the usual file types, including photos, videos and documents. Every affected file gets an extension appended, made up of the user’s unique ID and .[email@example.com].259. For example, image.jpg would become image.jpg.unique ID.[firstname.lastname@example.org].259. Users will not be able to open files with this extension.
Once file encryption is complete, a pop-up ransom note appears, and a FILES ENCRYPTED.txt note is dropped. The pop-up contains more information, including the unique ID that users need to include when contacting the cyber crooks via email. The price for the decryptor is not mentioned, but it will likely be somewhere between $100 and $1000. But as we said above, paying is not recommended, not only because it does not guarantee file decryption but also because the money supports future criminal activity. As long as victims pay the ransom, ransomware will continue to be a big issue.
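As an added example (not code from the original article or from any vendor tool), the script below parses the .259 file-naming scheme described above, so that a file listing from an affected machine can be sorted into encrypted files, dropped FILES ENCRYPTED.txt notes and untouched files, and each encrypted file is mapped back to the original name to look for in backup. The page does not give the exact form of the victim ID, so it is assumed to be any run of characters without dots or brackets; the sample paths, ID and e-mail are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Extension pattern described for this Dharma variant:
#   <original name>.<victim ID>.[<attacker email>].259
# Assumption: the victim ID is any run of characters without dots or brackets.
DHARMA_259_RE = re.compile(
    r"^(?P<orig>.+?)\.(?P<id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.259$"
)
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"


def parse_encrypted_name(name):
    """Return (original_name, victim_id, email) if name follows the .259 scheme, else None."""
    m = DHARMA_259_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("id"), m.group("email")


def triage(paths):
    """Sort a file listing into encrypted files, ransom notes and the victim IDs seen.

    'encrypted' holds (path, original_name, victim_id, email) tuples; original_name
    is the file to look for in backup when restoring."""
    result = {"encrypted": [], "notes": [], "ids": set()}
    for p in paths:
        name = PureWindowsPath(p).name
        if name == RANSOM_NOTE_NAME:
            result["notes"].append(p)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            orig, vid, email = parsed
            result["encrypted"].append((p, orig, vid, email))
            result["ids"].add(vid)
    return result


# Constructed sample listing; the ID and e-mail are placeholders, not real indicators.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\image.jpg.ABCD1234.[firstname.lastname@example.org].259",
    r"C:\Users\alice\Documents\report.docx.ABCD1234.[firstname.lastname@example.org].259",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for p, orig, vid, _ in triage(SAMPLE_PATHS)["encrypted"]:
        print(f"{p} -> restore from backup as {orig} (victim ID {vid})")
```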
Here’s the text from the pop-up ransom note:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message –
In case of no answer in 24 hours write us to theese e-mails:firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
How to delete 259 ransomware
Using anti-virus software to remove 259 ransomware is highly recommended, as manual 259 ransomware removal could cause even more damage. Once the ransomware is no longer present, users can start file recovery from backup. It should be mentioned that removing the ransomware does nothing to decrypt files; a decryptor is necessary for that.
259 ransomware is detected as:
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- Trojan.Ransom.Crysis.E by BitDefender
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Ransom.Crysis by Malwarebytes and Symantec
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Ransom:Win32/Wadhrama!hoa by Microsoft