Szymekk ransomware removal


Szymekk ransomware is file-encrypting malware from the Cobra Locker malware family. It will encrypt files, add the .Szymekk file extension, lock the screen and display a ransom note.


Discovered by cybersecurity researcher GrujaRS, Szymekk ransomware is malware that encrypts files. It’s a new version of the Cobra Locker ransomware and equally dangerous. Once inside a computer, it will encrypt files, add the .Szymekk file extension and show a ransom note demanding that victims write an email to cobra_locker@protonmail.com in order to recover files. Little information is provided about the decryptor or how much it would cost, but either way, sending that email is not recommended, nor is paying the ransom. The thing about ransomware is that there is no way of knowing whether a decryptor will actually be sent to victims who pay. Users have failed to receive a decryptor after paying countless times in the past, and it’s not an uncommon occurrence.

However, without that decryptor, users will not be able to open their encrypted files. The only remaining way to recover files is backup. Ransomware is one of the main reasons why backing up files is so important. Users who do have backup can remove Szymekk ransomware with anti-malware software and then proceed to file recovery via backup. Users who don’t have backup should back up the encrypted files and wait for a free decryptor to become available. Malware researchers do release free ransomware decryptors when possible, but it’s not always achievable. If a free decryptor does become available, it would be released by NoMoreRansom, Emsisoft, anti-virus vendors or malware researchers. Random decryptors advertised on strange websites are more likely to be malicious than to actually work and decrypt files.

Ransomware distribution

When users infect their computers with ransomware, it’s usually because they have bad browsing habits. That includes opening unsolicited email attachments without checking them, pirating via torrents, clicking on ads while on high-risk websites and downloading unknown files.

Ransomware, as well as other malware, is often found in torrents, particularly for movies, episodes of TV shows, games, software, etc. This is especially the case for content that’s popular at the time. As an example, malware was often found in torrents for episodes of Game of Thrones back when the show was airing. This happens because torrent sites are often not regulated properly, which allows cyber crooks to easily upload malware.

One of the more common ways users pick up ransomware is by opening malicious email attachments. Malicious actors can easily launch a malspam email campaign using email addresses purchased from hacker forums. All users need to do is open the attached file, and the malware can then initiate. Fortunately, users can avoid opening these malicious files by carefully inspecting every unsolicited email with an attachment. One of the first signs of a potentially malicious email is a random-looking sender’s email address, especially when the sender claims to be from a legitimate/known company. For example, if the sender claims to be from FedEx but the email address looks completely random, it’s likely a malicious email. Secondly, malicious emails often have loads of grammar and spelling mistakes, whether they’re intentional or not. No legitimate company will send any kind of official correspondence that contains mistakes as it looks highly unprofessional. Lastly, even if everything in the email looks legitimate, all unsolicited attachments should be scanned with anti-virus software or VirusTotal before they’re opened.

It should also be mentioned that when visiting high-risk websites (adult content pages, as well as free streaming sites), clicking on advertisements is a risk. Those ads are likely to be unsafe, and users could be tricked into downloading something. To prevent unwanted redirects and pop-ups when visiting those sites, having an ad blocker enabled is a good idea.

What does the ransomware do?

There is nothing unusual about Szymekk ransomware when it comes to file encryption. It starts encrypting files as soon as it is initiated, and targets files like photos, videos, documents, etc. All encrypted files will have a .Szymekk file extension, and those files will not be openable. Once file encryption is complete, the ransomware locks the screen and displays the ransom note.

The ransom note provides very little information; it only mentions the name of the ransomware that has encrypted the files and how to contact the attackers to recover them. If victims wish to recover files, the note encourages them to send an email to cobra_locker@protonmail.com. The price for the decryptor is not mentioned in the note, but it will likely be somewhere between $100 and $1000, as that is the usual range.

The only information provided by Szymekk ransomware is the following:

You have become a victim of Szymekk ransomware!

All your important files are encrypted!

If you want to recover files write e-mail to us
(Cobra_Locker@protonmail.com)
and wait for further instructions

Whatever the ransom sum may be, victims should be aware that there are no guarantees that a decryptor will be sent to them. Users should already realize that the cyber criminals behind this ransomware will likely not feel obligated to help victims, even after they pay.

Currently, the only sure way to recover files is via backup. If users do not have one, backing up the encrypted files and waiting for a free decryptor to be released may be the only option.
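As an added example (not code from the original article or from any vendor tool), the following Python script shows how a responder could inventory a machine for the two indicators this article describes, files carrying the .Szymekk extension and the ransom note text, and then copy the encrypted files aside so they are preserved for a possible future free decryptor. The directory tree it scans is constructed inline; the backup location and file names are assumptions for the demo.

```python
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article: the appended extension and a phrase from the note.
ENCRYPTED_EXT = ".Szymekk"
NOTE_MARKER = "victim of Szymekk ransomware"


def find_indicators(root):
    """Walk `root`; return (encrypted_files, ransom_notes) as sorted Path lists."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix == ENCRYPTED_EXT:      # e.g. report.docx.Szymekk
            encrypted.append(path)
            continue
        # Only small files are note candidates; skip anything that cannot be read.
        if path.stat().st_size < 4096:
            try:
                if NOTE_MARKER in path.read_text(errors="ignore"):
                    notes.append(path)
            except OSError:
                pass
    return sorted(encrypted), sorted(notes)


def preserve_encrypted(root, backup_dir):
    """Copy each encrypted file into backup_dir (keeping its relative path)
    so it survives malware removal or reimaging; returns the copied paths."""
    root = Path(root)
    copied = []
    for src in find_indicators(root)[0]:
        dst = Path(backup_dir) / src.relative_to(root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)                 # copy2 keeps timestamps for the record
        copied.append(dst)
    return copied


def build_sample_tree():
    """Constructed sample: two 'encrypted' files, one ransom note and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="szymekk_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.Szymekk").write_bytes(b"\x00opaque")
    (root / "photo.jpg.Szymekk").write_bytes(b"\x00opaque")
    (root / "readme.txt").write_text("You have become a victim of Szymekk ransomware!\n")
    (root / "notes.txt").write_text("unrelated file\n")
    return root
```

Running `find_indicators` on a real host is read-only, so it is safe to run from Safe Mode before any cleanup; `preserve_encrypted` should point at external or network storage, not the infected disk.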

How to remove Szymekk ransomware

Because the ransomware locks the screen, victims will need to restart the computer in Safe Mode, or Safe Mode with Networking if no anti-malware is installed. Users will need to delete Szymekk ransomware using anti-malware software. Manual Szymekk ransomware removal should not be attempted as it could cause even more damage. Unfortunately, removing the ransomware does not decrypt files. Backup is currently the only way.

Szymekk ransomware is detected as:

  • Win32:Trojan-gen by Avast/AVG
  • Trojan.GenericKD.34887615 (B) by Emsisoft
  • HEUR:Trojan-Ransom.MSIL.Encoder.gen by Kaspersky
  • Ransom.Szymekk by Malwarebytes
  • Trojan:Win32/Ymacco.AA99 by Microsoft
  • Trojan.MSIL.WACATAC.THJBCBO by TrendMicro
  • A Variant Of MSIL/Filecoder.AAX by ESET