SWP ransomware removal

SWP ransomware is the newest member of the Dharma ransomware family. It’s file-encrypting malware that can be recognized by the [eusa@tuta.io].SWP extension added to files. It shows a pop-up ransom note and drops a text one named FILES ENCRYPTED.txt.



SWP ransomware is file-encrypting malware from the notorious Dharma malware family. The Dharma gang is known for regularly releasing ransomware versions, such as Dex, MUST, RXD, Elvis, and Kut. All of these versions are more or less the same, and users can recognize which version they are dealing with by the extension added to encrypted files. This version adds [eusa@tuta.io].SWP to encrypted files. The extension also contains users’ IDs, which are unique to each user and need to be included in the email if users decide to contact the cyber crooks behind this ransomware. The ransom notes, both the pop-up and the FILES ENCRYPTED.txt text one, do not mention how much a decryptor costs, but it’s likely to be a couple of thousand dollars. Whatever the ransom sum is, paying is not the recommended option for a couple of reasons. First of all, it should be mentioned that paying does not mean a decryptor will be sent, seeing as users are dealing with cyber criminals who are unlikely to feel obligated to help victims. And even when decryptors are sent, they don’t always work. Furthermore, paying the ransom makes ransomware profitable for cyber crooks, which encourages them to continue.

If users have backup, they can start recovering files as soon as they remove SWP ransomware. However, they should make sure to entirely delete the ransomware, as otherwise the backed up files may become encrypted as well. For users who don’t have backup, there aren’t many options left. Malware researchers do release free decryptors when it’s possible to create one, but it’s not always possible. There are also many fake decryptors on the internet, and downloading one could lead to another malware infection. There is a decryptor for Dharma ransomware on NoMoreRansom, but it will not work for versions like SWP, Dex, MUST, Elvis, etc. However, if a decryptor were to be released, it would appear on NoMoreRansom.

Ransomware is one of the reasons why regularly backing up files is so important. If users value their files, they should be backing them up. Otherwise, there is a serious risk of losing them in case of ransomware.

How does ransomware infect a computer?

Ransomware usually infects computers of users who have bad browsing habits. If users open unsolicited email attachments without first checking them to make sure they’re safe, use torrents to pirate copyrighted content, click on ads while on high-risk websites, and do not install essential security updates, they have a much higher risk of getting malware.

Users commonly pick up ransomware by opening email attachments from unknown senders. Malicious actors buy email addresses from hacker forums and proceed to send malicious emails to them. All users need to do is open the attachment to infect their computers. Fortunately for users, malicious emails are usually pretty obvious. Spammers’ email addresses are usually quite random, and the emails themselves contain an abundance of grammar and spelling mistakes. Senders often claim to be from known companies or organizations, and prompt users to open the attachments by saying they are important documents. Because some malspam can be more sophisticated, it’s recommended to always scan unsolicited email attachments for malware by using anti-virus or VirusTotal.

Malware is also often encountered in torrents, especially for content that’s popular at a particular time. Torrent sites are not regulated properly, which allows cyber crooks to easily upload their malware disguised as some kind of movie, TV series episode or video game. Malware is often found in torrents for episodes of TV series that are airing at the time. For example, when Game of Thrones was airing, episode torrents often had malware in them. Users are discouraged from pirating not only because it’s essentially stealing content but also because it’s dangerous for the computer.

Not installing security updates on a regular basis can also lead to a malware infection as malicious software uses system vulnerabilities to get in.

What does the ransomware do?

The ransomware is pretty typical. It starts encrypting files as soon as it is initiated and targets important files, such as documents, videos, photos, etc. Once files are encrypted, they will have .[eusa@tuta.io].SWP added to them. The extension will also contain an ID, which is unique to each user. For example, image.jpg would become image.jpg.unique ID.[eusa@tuta.io].SWP. Once the ransomware has finished encrypting files, a ransom note will pop up, and a text one (FILES ENCRYPTED.txt) will be dropped. The notes mention eusa@tuta.io as the contact address if users want to buy the decryptor. They also show users’ unique IDs, which need to be included in the email. The notes do not mention the ransom sum, but as we said above, it will likely be a couple of thousand dollars.
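The file naming described above is also what lets a responder scope an infection quickly. The script below is an added example, not code from the original article or from any of the vendors listed on this page: it walks a directory tree, recognizes file names in the `<original>.<unique ID>.[eusa@tuta.io].SWP` shape, pulls out the victim ID and contact address, and finds dropped FILES ENCRYPTED.txt notes, so the number of affected files and the IDs involved are known before anything is restored from backup. The sample file names it builds for its self-test are constructed; the ID 1E857D00 is the one shown in the ransom note quoted further down.

```python
"""Triage helper for Dharma-style encrypted file names (added example).

Scans a directory tree for names carrying a `.<id>.[<email>].SWP` suffix,
extracts the victim ID and contact address from each, and locates dropped
ransom notes. The sample tree used by demo() is constructed for this
example; nothing here decrypts anything.
"""
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Matches e.g.  image.jpg.1E857D00.[eusa@tuta.io].SWP
# The ID group accepts any dot-free run, so a prefixed form such as
# "id-1E857D00" (an assumption, not shown on the page) would match too.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.(?P<ext>SWP)$",
    re.IGNORECASE,
)

# Ransom note file name this family drops, per the article (compared case-insensitively).
RANSOM_NOTE_NAMES = {"files encrypted.txt"}


@dataclass
class TriageReport:
    encrypted: list[tuple[Path, str, str]] = field(default_factory=list)  # (path, victim_id, email)
    ransom_notes: list[Path] = field(default_factory=list)
    victim_ids: Counter = field(default_factory=Counter)
    contact_emails: Counter = field(default_factory=Counter)

    @property
    def encrypted_count(self) -> int:
        return len(self.encrypted)


def parse_encrypted_name(name: str) -> dict | None:
    """Return the components of a Dharma-style encrypted file name, or None if it isn't one."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage_directory(root: Path) -> TriageReport:
    """Walk `root`, collecting encrypted files and ransom notes into a report."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = Path(dirpath) / fname
            if fname.lower() in RANSOM_NOTE_NAMES:
                report.ransom_notes.append(path)
                continue
            parts = parse_encrypted_name(fname)
            if parts:
                report.encrypted.append((path, parts["victim_id"], parts["email"]))
                report.victim_ids[parts["victim_id"]] += 1
                report.contact_emails[parts["email"].lower()] += 1
    return report


def build_sample_tree(base: Path) -> None:
    """Create a constructed folder mimicking what the article describes post-encryption."""
    (base / "Documents").mkdir(parents=True)
    sample_names = [
        "Documents/budget.xlsx.1E857D00.[eusa@tuta.io].SWP",
        "Documents/thesis.docx.1E857D00.[eusa@tuta.io].SWP",
        "Documents/FILES ENCRYPTED.txt",
        "holiday.jpg.1E857D00.[eusa@tuta.io].SWP",
        "FILES ENCRYPTED.txt",
        "readme.md",       # untouched file
        "archive.tar.gz",  # multi-dot name that must not be mistaken for an encrypted one
    ]
    for rel in sample_names:
        (base / rel).write_bytes(b"constructed sample content")


def demo() -> TriageReport:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_directory(root)


if __name__ == "__main__":
    rep = demo()
    print(f"encrypted files : {rep.encrypted_count}")
    print(f"ransom notes    : {len(rep.ransom_notes)}")
    print(f"victim IDs      : {dict(rep.victim_ids)}")
    print(f"contact emails  : {dict(rep.contact_emails)}")
```

Run it against a real drive by replacing `demo()` with `triage_directory(Path("D:/"))` or similar; the victim ID it reports is the one the notes say must be quoted, and a count of encrypted files per folder is a quick way to check which backups need restoring once the malware itself is gone.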

We already said above that paying the ransom is not recommended. Not only does paying not guarantee that a decryptor will be sent, it also makes ransomware profitable for these cyber criminals, which only encourages them to continue their malicious activities. The reality is that as long as users continue to pay the ransom, ransomware will be an issue.

Below is the text from the pop-up ransom note shown by this ransomware:

Don’t worry,you can return all your files!
If you want to restore them, follow this link:email eusa@tuta.io YOUR ID 1E857D00
If you have not been answered via the link within 12 hours, write to us by e-mail:s1m4@protonmail.ch
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Unfortunately, at this moment in time, the only way to recover files is via backup.

SWP ransomware removal

Users have to use anti-malware software to delete SWP ransomware because it’s a dangerous malware infection that’s difficult to get rid of. Once the ransomware is no longer present, users can connect to their backup to access files.

SWP ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by Avg/Avast
  • Trojan.Ransom.Crysis.E by BitDefender
  • Ransom.Crysis by Malwarebytes and Symantec
  • Trj/GdSda.A by Panda
  • Trojan.Ransom.Crysis.E (B) by Emsisoft
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Trojan-Ransom.Win32.Crusis.to by Kaspersky
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • Ransom-Dharma!E03B110220A0 by McAfee