TRAPGET ransomware removal

TRAPGET ransomware is a new variant of the Nefilim ransomware. This ransomware adds the .TRAPGET file extension to all encrypted files and drops the TRAPGET-INSTRUCTION.txt ransom note.


TRAPGET ransom note

Discovered by cybersecurity researcher GrujaRS, TRAPGET ransomware is a variant of the Nefilim ransomware. It’s file-encrypting ransomware that adds the .TRAPGET file extension to encrypted files and drops the TRAPGET-INSTRUCTION.txt ransom note. Users will not be able to open the encrypted files unless they first decrypt them using a special decryptor. The cyber crooks operating this ransomware will try to sell a decryption tool to victims, though the price is not mentioned. To pressure users into buying the decryptor, the ransomware also threatens to leak files it has stolen from the computer. Many ransomware families now use this tactic, as fewer and fewer victims are choosing to pay the ransom.

Whatever the decryptor price may be, we don’t recommend buying it. When it comes to ransomware, there are no guarantees that files would be decrypted, or even that the decryptor would be sent. Countless users in the past have lost their money and were left with encrypted files.

Malware researchers are sometimes able to release free decryption tools, though it’s not always possible. Currently, this ransomware is undecryptable so a free decryptor has not been released. Be skeptical of sources claiming otherwise, as there are plenty of malicious decryptors going around. Users should only trust legitimate sources, such as NoMoreRansom and Emsisoft, to provide safe decryptors.

Users who have a backup can start recovering files as soon as they remove TRAPGET ransomware from their computers, which they should do with anti-malware software. If the malware is still present when users access the backup, those files may become encrypted as well.

How does ransomware infect a computer

Ransomware does not magically enter a computer; users have to allow it in. This happens via a variety of methods, usually without users realizing it: for example, opening a malicious spam email attachment, downloading a torrent or software crack, or clicking on a malicious ad.

Spam email remains one of the most common ways ransomware enters a computer. Users receive an email that claims the attachment needs to be opened at once. If users comply and open the file, they initiate the ransomware. This usually happens when users do not pay attention to what they open as most malicious emails are easily recognizable. First of all, they are sent from random email addresses. They are also full of grammar and spelling mistakes, and make little sense altogether. Users should always check unsolicited emails carefully, and only when they are sure it’s safe should they open the attachment. Just to be sure, all unsolicited email attachments should be scanned with anti-virus software or VirusTotal.

Other ways users pick up ransomware include downloading pirated content via torrents. Torrent sites and forums are notoriously badly regulated, which allows malicious actors to easily upload malware disguised as torrents for popular entertainment content, such as movies or games.

Is it possible to recover TRAPGET ransomware encrypted files?

TRAPGET ransomware appears to first steal files and only then encrypt them. All encrypted files will have the .TRAPGET extension added to them. For example, image.jpg would become image.jpg.TRAPGET. Files with this extension will be unopenable. A ransom note named TRAPGET-INSTRUCTION.txt will then be dropped. The ransom note reveals that files have been encrypted and will potentially be leaked if the ransom is not paid.

Here is the TRAPGET ransomware note:

Two things have happened to your company.
All of your files have been encrypted with military grade algorithms.
The only way to retrieve your data is with our software.
Restoration of your data requires a private key which only we possess.
Information that we deemed valuable or sensitive was downloaded from your network to a secure location.
We can provide proof that your files have been extracted.
If you do not contact us we will start leaking the data periodically in parts.
To confirm that our decryption software works email to us 2 files from random computers.
You will receive further instructions after you send us the test files.
We will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.
If we do not come to an agreement your data will be leaked on this website.

Website: hxxp://
TOR link: hxxp://hxt254aygrsziejn.onion

Contact us via email:

Paying the ransom is never recommended because it doesn’t actually guarantee file decryption. Not only that, by paying, users are also encouraging cyber crooks to continue, as ransomware is profitable for them. Unfortunately, backup is currently the only free way to recover files.

TRAPGET ransomware removal

Anti-malware software should be used to delete TRAPGET ransomware. If users attempt to manually remove TRAPGET ransomware, they could end up doing even more damage. Once the ransomware is gone, users can access their backup and start recovering their files.
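Once the malware has been removed, it helps to know exactly which files were hit and whether the backup itself is clean before copying anything back. The following is an added example, not part of the original article: it uses only the .TRAPGET extension and the TRAPGET-INSTRUCTION.txt note name described above, and the function names, directory layout and sample files are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".TRAPGET"            # extension named in the article
RANSOM_NOTE = "TRAPGET-INSTRUCTION.txt"  # ransom note name from the article


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found under root, as sorted Paths."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low == RANSOM_NOTE.lower():
                notes.append(Path(dirpath) / name)
            elif low.endswith(ENCRYPTED_SUFFIX.lower()) and len(name) > len(ENCRYPTED_SUFFIX):
                encrypted.append(Path(dirpath) / name)
    return sorted(encrypted), sorted(notes)


def restore_plan(affected_root, backup_root):
    """Map each encrypted file to its clean backup copy (None if not backed up).

    Raises ValueError when the backup itself contains TRAPGET artifacts.
    """
    affected_root, backup_root = Path(affected_root), Path(backup_root)
    bad_files, bad_notes = scan_tree(backup_root)
    if bad_files or bad_notes:
        raise ValueError(f"backup holds {len(bad_files)} encrypted file(s) and "
                         f"{len(bad_notes)} ransom note(s); do not restore from it")
    plan = {}
    for enc in scan_tree(affected_root)[0]:
        # image.jpg.TRAPGET -> image.jpg, kept relative to the scanned root
        original = enc.with_name(enc.name[:-len(ENCRYPTED_SUFFIX)])
        candidate = backup_root / original.relative_to(affected_root)
        plan[enc] = candidate if candidate.is_file() else None
    return plan


if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        live.mkdir(); backup.mkdir()
        (live / "image.jpg.TRAPGET").write_bytes(b"ciphertext")
        (live / "notes.txt.TRAPGET").write_bytes(b"ciphertext")
        (live / RANSOM_NOTE).write_text("constructed note")
        (backup / "image.jpg").write_bytes(b"original")
        for enc, src in restore_plan(live, backup).items():
            print(enc.name, "->", src if src else "NOT IN BACKUP")
```

The script only reads file names and never modifies or deletes anything, so it can be run against a mounted backup in read-only mode.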

TRAPGET ransomware is detected as:

  • A Variant Of Win32/Filecoder.Nemty.I by ESET
  • Win32:DangerousSig [Trj] by Avast/AVG
  • Trojan:Win32/Ymacco.AAE3 by Microsoft
  • Trojan-Ransom.Win32.Encoder.key by Kaspersky
  • Artemis!C53B127E1BA5 by McAfee
  • Trojan.Maltrec.TS by Symantec