Sext ransomware is malware that encrypts files. It can be told apart from other ransomware by the .sext extension it adds to encrypted files, which is where the name Sext ransomware comes from. It drops a HELP_DECRYPT_YOUR_FILES.txt ransom note and demands $600 in Bitcoin for file decryption.
Detected by malware analyst Marcelo Rivero, Sext ransomware is typical ransomware that aims to encrypt files important to users. It gets in via the usual methods, and by the time users notice that they can’t open their files, it’s already too late. The ransomware adds .sext to all encrypted files, which is why it’s known as Sext ransomware. Users will be offered decryption of the files for $600, but it should be said that paying is risky. When it comes to ransomware, there are no guarantees that the cyber crooks behind it will actually send the decryptor, or that they even have one. Unfortunately, countless users in the past have been left with no decryptor despite paying the ransom, so we always advise users against paying.
Only users who have a backup can recover files for free at this moment in time. Ransomware is one of the main reasons why backing up files on a regular basis is so important. If users could recover files at any time, ransomware would not have such a devastating effect on them, and there would be no need to pay the ransom. So if users do have a backup of the encrypted files, they can simply remove Sext ransomware from their computers and access the backup. However, users should be aware that if the ransomware is still on the system when the backup is accessed, the backed-up files would become encrypted as well.
We should also mention that malware researchers are often able to help users recover files for free by developing free decryption tools. However, it’s not always possible. Free working decryptors are usually downloadable from NoMoreRansom or directly from anti-virus vendors like Emsisoft. Users should also be aware that there are plenty of fake decryptors advertised on various forums and sites, so users should be careful not to download something malicious.
The majority of ransomware uses more or less the same distribution methods, which include malicious email attachments and torrents. Regular users who have bad browsing habits are usually the ones who most commonly pick up malware infections. Thus, developing better habits would go a long way towards avoiding a lot of malware.
Because malicious actors often launch malspam campaigns, users should be very careful about opening unsolicited email attachments. If a user’s email address has been leaked or been part of a data breach, it’s very likely that it would be sold on a dark web forum, and the user would become a recipient of potentially malicious emails. The good news is that the majority of those malware-carrying emails will be quite obvious. They will be sent from random email addresses, contain many obvious grammar and spelling mistakes, and claim that opening the attached file is a matter of urgency. If users do open it and enable macros, they would initiate the malware. As a precaution, users should scan all unsolicited email attachments with anti-virus software or VirusTotal before they are opened.
Another common method of distributing malware is via torrents. Torrent sites are not regulated properly, which malicious actors take full advantage of by concealing malware in torrents for popular movies, TV shows, games, etc. Less careful users end up downloading and opening those torrents, which initiates the infection. So if users want to avoid infecting their computers with serious malware, they should avoid pirating copyrighted content.
How dangerous is Sext ransomware?
Almost immediately after it’s initiated, Sext ransomware begins encrypting files. Like all ransomware, it primarily targets files like videos, photos, documents, etc., because those are the files users would be most unhappy to lose. Once those files are encrypted, they will have .sext added to them, and users will be unable to open them. For example, image.jpg would become image.jpg.sext. The ransomware will also drop a HELP_DECRYPT_YOUR_FILES.txt ransom note, which will explain that paying $600 in Bitcoin is necessary in order to get the decryptor. $600 is quite a lot of money, especially when there aren’t any guarantees that a decryptor would be sent, or that it would work. While in the end whether to pay the ransom or not is up to the users, they should be aware of the risks involved.
A free decryptor is not currently available but that may change in the future. At this time, it’s only possible to recover files from backup.
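The two indicators described above, the .sext suffix and the HELP_DECRYPT_YOUR_FILES.txt note, are enough to measure how far the encryption reached and to confirm that a backup copy is untouched before restoring from it. The following Python script is an added example, not part of the original article or any vendor tool; the function names triage and backup_is_clean are hypothetical, and it only lists file names without opening or modifying anything.

```python
import os
import sys
from collections import Counter

# Added example; names below are illustrative, indicators are those given on this page.
ENCRYPTED_SUFFIX = ".sext"
RANSOM_NOTE = "HELP_DECRYPT_YOUR_FILES.txt"


def triage(root):
    """Walk root and collect Sext indicators by file name only."""
    encrypted, notes, unreadable = [], [], []
    by_type = Counter()
    # onerror records directories that could not be listed, so coverage gaps are visible
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda err: unreadable.append(err.filename)):
        for name in files:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered == RANSOM_NOTE.lower():
                notes.append(path)
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # image.jpg.sext -> original type ".jpg"
                original = name[:-len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower()
                by_type[ext or "(none)"] += 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "by_type": dict(by_type),
        "unreadable": unreadable,
    }


def backup_is_clean(report):
    """True only if no indicator was found and every directory could be listed."""
    return not (report["encrypted"] or report["notes"] or report["unreadable"])


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(result['encrypted'])} encrypted file(s), "
          f"{len(result['notes'])} ransom note(s)")
    for ext, count in sorted(result["by_type"].items()):
        print(f"  {ext}: {count}")
    print("no indicators" if backup_is_clean(result) else "indicators present")
```

Run it against the backup location from a machine that was not infected; a backup that reports indicators was reached by the ransomware and should not be treated as a recovery source.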
Here is the ransom note dropped by Sext ransomware:
Oops All Of your important files were encrypted Like document pictures videos etc..
Don’t worry, you can return all your files!
All your files, documents, photos, databases and other important files are encrypted by a strong encryption.
How to recover files?
RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key.
The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files.
What guarantees you have?
As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file
Please You must follow these steps carefully to decrypt your files:
Send $600 worth of bitcoin to wallet: 15zw6QrCbd5r8CD2eySMoTktstuEgD1Dzs
after payment,we will send you Decryptor software
contact email: firstname.lastname@example.org
Your personal ID: –
Sext ransomware removal
Users need to use anti-virus software to delete Sext ransomware, as it is a dangerous malware infection. Manual Sext ransomware removal could do even more damage. Once the ransomware is no longer on the computer, users can start the file recovery process from backup.
Sext ransomware is detected as:
- Generic.Ransom.WCryG.751A6B2F by BitDefender
- Ransom.Lockdown by Malwarebytes
- ML.Attribute.HighConfidence by Symantec
- Ransom:MSIL/Ryzerlo.A by Microsoft
- HEUR:Trojan.MSIL.DelShad.gen by Kaspersky
- A Variant Of MSIL/Filecoder.CS by ESET
- Generic.Ransom.WCryG.751A6B2F (B) by Emsisoft
- Win32:RansomX-gen [Ransom] by Avast/AVG