What is Egregor Ransomware

Egregor is ransomware from the Sekhmet family, which has been distributed in several variants. This time around, users reported dealing with a variant called Egregor that encrypts private data and demands payment for decryption. Depending on which version attacked your system, the encryption process may differ slightly. For example, Egregor appends a randomly generated extension to each encrypted file, so a file ends up looking like 1.mp4.WaBuD; the extension usually consists of 5 upper- and lower-case letters. Once encryption is finished, the virus goes further and creates a note called RECOVER-FILES.txt that contains step-by-step instructions for recovering the compromised data.
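As an added triage example (not code from the original article), the following Python script scans a directory tree for the two artefacts described above: the RECOVER-FILES.txt note and files carrying an appended five-letter mixed-case extension such as .WaBuD. The sample tree it builds is constructed for the demonstration and the name pattern is a heuristic for triage, not a definitive signature.

```python
"""Triage a directory tree for Egregor-style encryption artefacts."""
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "RECOVER-FILES.txt"
# Original extension (e.g. ".mp4") followed by an appended extension of
# exactly five letters (e.g. ".WaBuD"), as described for Egregor.
SUFFIX_RE = re.compile(r"\.[A-Za-z0-9]{1,10}\.([A-Za-z]{5})$")


def is_egregor_name(name: str) -> bool:
    """Heuristic: five appended letters that mix upper and lower case.

    Requiring mixed case avoids flagging ordinary extensions such as
    ".class" or ".ASCII" that happen to be five letters long.
    """
    m = SUFFIX_RE.search(name)
    if not m:
        return False
    ext = m.group(1)
    return ext != ext.lower() and ext != ext.upper()


def scan_tree(root: str) -> dict:
    """Walk `root` and collect notes, suspect files and extension counts."""
    notes, encrypted, exts = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn == RANSOM_NOTE:
                notes.append(path)
            elif is_egregor_name(fn):
                encrypted.append(path)
                exts[fn.rsplit(".", 1)[1]] += 1
    # Both artefacts together are the strongest indicator; one alone is weak.
    likely = bool(notes) and bool(encrypted)
    return {"notes": notes, "encrypted": encrypted,
            "extensions": exts, "likely_egregor": likely}


def build_sample_tree() -> str:
    """Create a constructed sample tree (empty files, not real victim data)."""
    root = tempfile.mkdtemp(prefix="egregor_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("1.mp4.WaBuD", "report.docx.WaBuD", "budget.xlsx.WaBuD",
                 RANSOM_NOTE, "notes.txt", "archive.tar.gz", "Makefile"):
        open(os.path.join(docs, name), "w").close()
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"notes: {len(result['notes'])}, suspect files: "
          f"{len(result['encrypted'])}, extensions: {dict(result['extensions'])}, "
          f"likely Egregor: {result['likely_egregor']}")
```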

Egregor Ransomware
------------------
| What happened? |
------------------
Your network was ATTACKED, your computers and servers were LOCKED,
Your private data was DOWNLOADED.
----------------------
| What does it mean? |
----------------------
It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM.
--------------------------
| How it can be avoided? |
--------------------------
In order to avoid this issue,
you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT.
-------------------------------------------
| What if I do not contact you in 3 days? |
-------------------------------------------
If you do not contact us in the next 3 DAYS we will begin DATA publication.
-----------------------------
| I can handle it by myself |
-----------------------------
It is your RIGHT, but in this case all your data will be published for public USAGE.
-------------------------------
| I do not fear your threats! |
-------------------------------
That is not the threat, but the algorithm of our actions.
If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you.
That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION.
--------------------------
| You have convinced me! |
--------------------------
Then you need to CONTACT US, there is few ways to DO that.
I. Recommended (the most secure method)
a) Download a special TOR browser: hxxps://www.torproject.org/
b) Install the TOR browser
c) Open our website with LIVE CHAT in the TOR browser: hxxp://egregor4u5ipdzhv.onion/A804640A8E2CA2F2
d) Follow the instructions on this page.
II. If the first method is not suitable for you
a) Open our website with LIVE CHAT: hxxps://egregor.top/A804640A8E2CA2F2
b) Follow the instructions on this page.
Our LIVE SUPPORT is ready to ASSIST YOU on this website.
----------------------------------------
| What will I get in case of agreement |
----------------------------------------
You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data,
confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter.
And the FULL CONFIDENTIALITY ABOUT INCIDENT.
----------------------------------------------------------------------------------
Do not redact this special technical block, we need this to authorize you.
---EGREGOR---
-
---EGREGOR--

Victims are told to get in touch with the cybercriminals within 3 days via the attached browser link. If the announced deadline passes, the extortionists threaten to publish the sensitive data all over the web. Cybercriminals can ask different fees for the recovery. Sometimes the amount can exceed thousands of dollars, especially if the data has significant value to its owners. Unfortunately, you will not be able to find any free tools to decrypt the files affected by Egregor. At this moment, the only feasible way to recover data is to use an external backup, if one was created prior to the encryption. Follow our guide below to learn more about ransomware and ways to avert it.

How Egregor Ransomware infected your computer

There are multiple ways Egregor could penetrate your system. The first and most well-known one is e-mail spam with malicious attachments. Cybercriminals tend to favour this method because it is the easiest and cheapest way to distribute malware. They operate bots that send multitudes of scripted messages with malicious attachments. The focus is usually on inexperienced users who open suspicious content left and right. Such messages try to look polished and legitimate to dispel any doubts and make gullible users open them. The attached files can range from MS Office documents and PDFs to executable and JavaScript files. Be wary of suspicious and unfamiliar content delivered on the web. It is also necessary to mention other distribution channels, such as Trojans, fake software cracking tools, keyloggers, backdoors, and unprotected RDP configurations.

  1. Download Egregor Ransomware Removal Tool
  2. Get decryption tool for your files
  3. Recover encrypted files with Stellar Data Recovery Professional
  4. Restore encrypted files with Windows Previous Versions
  5. Restore files with Shadow Explorer
  6. How to protect from threats like Egregor Ransomware

Download Removal Tool


To remove Egregor Ransomware completely, we recommend using WiperSoft AntiSpyware from WiperSoft. It detects and removes all files, folders, and registry keys of Egregor Ransomware and prevents future infections by similar viruses.

Alternative Removal Tool

Download SpyHunter 5

To remove Egregor Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of Egregor Ransomware. The trial version of SpyHunter 5 offers a virus scan and one-time removal for FREE.

Egregor Ransomware files:

RECOVER-FILES.txt
b.dll
testbuild.pdb
{randomfilename}.exe

Egregor Ransomware registry keys:

no information

How to decrypt and restore your files

Use automated decryptors

Download Kaspersky RakhniDecryptor


Use the following tool from Kaspersky, called Rakhni Decryptor, which can decrypt your files. Download it here:

Download RakhniDecryptor

There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.

Dr.Web Rescue Pack

The well-known antivirus vendor Dr.Web provides a free decryption service for owners of its products Dr.Web Security Space and Dr.Web Enterprise Security Suite. Other users can ask for help decrypting their files by uploading samples to the Dr.Web Ransomware Decryption Service. Analysis of the files is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don't have to pay.

If you have been infected with Egregor Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to recover your files manually, you can do the following:

Use Stellar Data Recovery Professional to restore your files


  1. Download Stellar Data Recovery Professional.
  2. Click the Recover Data button.
  3. Select the type of files you want to restore and click the Next button.
  4. Choose the location you would like to restore files from and click the Scan button.
  5. Preview the found files, choose the ones you want to restore, and click Recover.
Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on the infected file and choose Properties.
  2. Select the Previous Versions tab.
  3. Choose the particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click the Restore button.
  5. If there are no items in the list, choose an alternative method.

Using Shadow Explorer:

  1. Download the Shadow Explorer program.
  2. Run it, and you will see a screen listing all the drives and the dates when shadow copies were created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. If there are no other dates in the list, choose an alternative method.

If you are using Dropbox:

  1. Log in to the Dropbox website and go to the folder that contains the encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click the Restore button.

How to protect your computer from viruses like Egregor Ransomware in the future

1. Get special anti-ransomware software

Use BitDefender Anti-Ransomware


The well-known antivirus vendor BitDefender has released a free tool that provides active anti-ransomware protection as an additional shield alongside your current protection. It will not conflict with larger security applications. If you are looking for a complete internet security solution, consider upgrading to the full version of BitDefender Internet Security 2018.

Download BitDefender Anti-Ransomware

2. Back up your files


As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage, can be infected instantly by the virus once plugged in or connected. Egregor Ransomware uses techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has very favourable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox


Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop e-mail applications and provides a very high level of anti-spam protection.

Download MailWasher Pro