Artemis ransomware is another version of PewPew ransomware and is file-encrypting malware. It adds the [firstname.lastname@example.org].artemis extension to encrypted files and drops an info-decrypt.hta ransom note.
Discovered by malware researcher S!Ri, Artemis ransomware is a new variant of PewPew ransomware. It’s malware that encrypts files and demands payment for their decryption. This ransomware can be differentiated by the [email@example.com].artemis added to encrypted files. Users will not be able to open files with this extension until they decrypt them using a special decryption tool. The decryption tool is offered in the info-decrypt.hta ransom note, though the price is not mentioned.
It is never recommended to pay the ransom because there are no guarantees that a decryptor would be sent. Users should keep in mind that they are dealing with cyber criminals, whose willingness to help probably depends on their mood. They have no obligation to help users and would likely just take the money. It has happened many times in the past and will likely happen again in the future. Furthermore, victims paying the ransom makes ransomware profitable for cyber criminals, which encourages them to continue. The reason ransomware is such a widespread problem is that users don’t back up their data and pay the ransom.
Unfortunately, it’s currently possible to recover files via backup only. If users have a backup of the encrypted files, they can start file recovery as soon as they remove Artemis ransomware from their computers. However, users should be very careful to remove the ransomware fully, as otherwise the backed-up files may become encrypted as well.
Users should also beware of fake decryptors. Malicious actors are disguising malware as ransomware decryptors to further harm victims. Legitimate decryptors would come from sources like NoMoreRansom, Emsisoft, other anti-malware vendors or malware researchers. Users should not trust anyone else to provide safe decryptors.
How does ransomware spread?
Ransomware in most cases spreads via methods like torrents, spam email attachments, and malicious ads. It usually infects computers of users with bad browsing habits, so if users develop better habits they should be able to avoid a malware infection.
Torrents are one of the more common ways users pick up ransomware, especially via torrents for content that’s popular at the time. For example, when Game of Thrones was airing, malware was often disguised as recently aired episodes. Torrent sites are often poorly regulated, which cyber criminals take full advantage of by uploading malware disguised as movies, TV shows, games, software, etc. The more users torrent, the higher the chances of picking up a malware infection.
Another common method of malware distribution is spam email. Spam emails often come with attachments which, if opened, would launch the malware. Careless users who don’t check for warning signs and open unsolicited attachments often end up infecting their computers this way. However, if users were aware of the signs pointing to an attachment being potentially malicious, they would be able to avoid the majority of malware. Those signs include the email being full of grammar/spelling mistakes, and the sender having a nonsense email address despite claiming to be from a professional company/organization. Even if users do know what to look for in emails, they should still scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
What does Artemis ransomware do?
Artemis ransomware is just like any other ransomware, in the sense that it will encrypt photos, videos, documents, etc. Once files have been encrypted, they will have an extension added to them. The extension contains the victim’s unique ID followed by .[firstname.lastname@example.org].artemis. For example, image.jpg would become image.jpg.uniqueID.[email@example.com].artemis. All files with this extension would be unopenable unless they are first decrypted.
After file encryption is complete, the ransomware will drop an info-decrypt.hta ransom note. The note will contain the unique ID needed when contacting these criminals, as well as their email addresses, which are firstname.lastname@example.org and email@example.com. The price for the decryptor is not mentioned in the note, and would be specified if victims were to send them an email. However, contacting them, let alone paying the ransom, is not a good idea since file decryption is not guaranteed.
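As an added example (not part of the original article), a small Python triage helper that recognises the filename layout described above, recovers the original names, collects the victim ID, and flags the dropped info-decrypt.hta note in a directory listing; the victim ID, e-mail address and paths in the sample listing are constructed placeholders, not indicators from a real infection.

```python
import re
from collections import Counter
from pathlib import PurePath

# Filename layout from the article: <original name>.<victim ID>.[<attacker e-mail>].artemis
# The ID cannot contain dots or brackets, which lets the greedy original-name group
# stop at the right place even when the original name itself contains dots.
ARTEMIS_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.artemis$",
    re.IGNORECASE,
)
RANSOM_NOTE = "info-decrypt.hta"  # note filename named in the article


def parse_artemis_name(filename: str):
    """Return original name, victim ID and contact e-mail, or None if the
    name does not follow the Artemis pattern."""
    m = ARTEMIS_NAME.match(filename)
    return m.groupdict() if m else None


def triage(filenames):
    """Summarise a listing: how many files carry the extension, their
    recovered original names, the victim IDs seen (more than one suggests a
    mixed listing), and whether the ransom note is present."""
    originals = []
    ids = Counter()
    for name in filenames:
        info = parse_artemis_name(PurePath(name).name)
        if info:
            originals.append(info["original"])
            ids[info["victim_id"]] += 1
    return {
        "encrypted_count": len(originals),
        "originals": originals,
        "victim_ids": sorted(ids),
        "ransom_note_present": any(
            PurePath(n).name.lower() == RANSOM_NOTE for n in filenames),
    }


# Constructed sample listing (hypothetical ID, e-mail and paths)
SAMPLE_LISTING = [
    "C:/Users/alice/Pictures/image.jpg.A1B2C3D4.[contact@example.invalid].artemis",
    "C:/Users/alice/Documents/report.final.docx.A1B2C3D4.[contact@example.invalid].artemis",
    "C:/Users/alice/Documents/notes.txt",          # untouched file
    "C:/Users/alice/Documents/info-decrypt.hta",   # dropped ransom note
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```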
Here is the text from the Artemis ransomware ransom note:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail : firstname.lastname@example.org
Write this ID in the title of your message : –
In case of no answer in 12 hours write us to this e-mail : email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Backup is currently the only free way to recover files. Ransomware is one of the main reasons why backing up files on a regular basis is so important. If users have a backup, they can access it as soon as they remove Artemis ransomware.
Artemis ransomware removal
It is strongly recommended to use anti-malware software to delete Artemis ransomware as that would be the safest way. If users attempt manual Artemis ransomware removal, they may end up causing even more harm. Unfortunately, removing the ransomware does nothing to decrypt files.
Artemis ransomware is detected as:
- UDS:DangerousObject.Multi.Generic by Kaspersky
- A Variant Of Win32/Packed.Enigma.DS by ESET
- Ransom.Pewpew by Malwarebytes
- Ransom:Win32/Higuniel.A by Microsoft
- Artemis!AEB02C0C6E8E by McAfee
- FileRepMalware by AVG
- ML.Attribute.HighConfidence by Symantec