What is Eternity Ransomware
Eternity is a ransomware virus that was discovered by Cyble researchers. This piece of malicious software belongs to the Eternity malware family and is designed to extort money from victims by encrypting potentially valuable data (with secure AES and RSA cryptographic algorithms). Dasha is another popular ransomware variant from this family. There are two known versions of Eternity: one does not change files visually, and the other assigns the .ecrp extension to filenames and alters the original icons. For instance, 1.pdf may either remain the same or become 1.pdf.ecrp after encryption, depending on which ransomware version attacked the system. After successfully completing encryption, Eternity displays a pop-up window containing decryption instructions. Because Eternity Ransomware is a public Malware-as-a-service (MaaS) virus that many threat actors may buy, the content of the instructions (contact details, ransom size, countdowns, etc.) may vary slightly as well. Below are examples of ransom texts from two ransomware variants.
Eternity 2.0
All your files belong to us!
- files have been encrypted
The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
1. Send us your ID and sendme.eternityraas at getyourfilesback_s@protonmail.com or at telegram @RecoverdataU
2. You will recieve a personal Monero for payment, payment rate is 800$
3. Once payment has been completed, send another email to us stating by `PAID`we will check to see if payment has been paid.
4. You will receive a text file with your KEY
WARNING:
*Do not interrupt the decryption process it only depend on the amount of file to decrypt.
*Do not attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlock your files.
*Do not change file names, mess with the files, or run decryption software as it will cost you more to unlock your files and there is a high chance you will lose your files forever.
*Do not send `PAID` to us without paying, price will rise for disobedience.The payment rate will increase by 500$ so be carefull
by Eternity group
Price: 800$ in Monero
Email: getyourfilesback_s@protonmail.com
Telegram: @RecoverdataU
Info: monero.org
ID: -
by Eternity group
Enter password
[Please decrypt them!]
Eternity Ransomware
All your documents,photos,videos....... are encrypted
use one of the following ways to negotiate.
1-email1: helprecoverdata@aol.com
2-email2: rrdata@aol.com
3-telegram messenger: @hmnfk - +44 7933 416097
In general, the pop-up window guides victims to contact the cybercriminals (via e-mail or Telegram messenger) and transfer $800 (in Monero cryptocurrency) by following the payment instructions they receive afterwards. Once paid, victims have to notify the extortionists according to the instructions specified in the pop-up window. After this, the threat actors promise to send a text file containing the decryption key, which victims enter into the pop-up window to unlock their data. In addition, the cybercriminals warn against altering the files or attempting to decrypt them without the developers' help, claiming that this may lead to permanent data corruption and loss.

Unfortunately, decrypting without the help of the attackers is rarely possible. You can try the free third-party decryption/recovery tools from our guide; however, it is less likely that they will be able to help at the moment. For now, the only two methods to return your data are to either collaborate with the extortionists (and purchase their decryption tool) or recover the files from available backups. Backups are copies of files stored on external storage (e.g., cloud, USB pendrives, etc.) that were not affected at the time of infection. Recovering data from backups is always the safer option, as many cybercriminals tend to fool their victims and never send any decryption keys or tools. This is especially risky when the developers behind the ransomware vary and can therefore behave differently.

If the encrypted data was not important or you can afford to lose it, you can also skip recovery altogether and simply delete the infection. Unless you are planning to pay the ransom, deleting the ransomware is crucial so that it does not encrypt other files during manual recovery. If you decide to decrypt files with the cybercriminals' help, it is also important to remove it afterwards. Follow our guide below and get protection against such threats in the future.
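To scope the damage before restoring from backups, both versions described above can be triaged from the file system: the one that appends .ecrp by name, and the one that leaves names unchanged by checking whether a file's header still matches its extension. This is an added example, not code from the original article or from any vendor tool; the signature table and the 7.5 bits/byte entropy threshold are assumptions, and a "suspect" result is a hint for manual review, not proof of encryption.

```python
import math
import os
from collections import Counter

# Well-known file signatures for a few common document types.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK", ".docx": b"PK", ".xlsx": b"PK"}
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above this looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(path: str, sample_size: int = 65536) -> str:
    """Return 'renamed', 'suspect' or 'ok' for one file."""
    name = os.path.basename(path).lower()
    if name.endswith(".ecrp"):
        return "renamed"  # version that appends .ecrp (1.pdf -> 1.pdf.ecrp)
    magic = MAGIC.get(os.path.splitext(name)[1])
    if magic is None:
        return "ok"  # no known signature to compare against
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    # Version that keeps names: the header no longer matches the extension
    # and the sampled content is statistically random.
    if not head.startswith(magic) and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "suspect"
    return "ok"


def triage(root: str) -> dict:
    """Walk root and group file paths by classification."""
    report = {"renamed": [], "suspect": [], "ok": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                report[classify(full)].append(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return report


if __name__ == "__main__":
    import sys
    print({k: len(v) for k, v in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items()})
```

Run it read-only against a mounted copy of the affected disk and compare the "renamed" and "suspect" lists with what your backups contain.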
How Eternity Ransomware infected your computer
Since Eternity Ransomware is a Malware-as-a-service (MaaS) virus that other cybercriminals can use, the ways it is distributed may vary widely. However, most ransomware infections are known to penetrate systems via trojans, malicious e-mail spam letters, fake updates and license cracking tools, infected installers of pirated or cracked software, unprotected RDP configuration, unreliable ads, backdoors, keyloggers, and other dubious channels. The most common technique that cybercriminals rely on is to make inexperienced users open a malicious file or link. For instance, ransomware can be disguised as a legitimate-looking file (.DOCX, .XLSX, .PDF, .EXE, .ZIP, .RAR, or .JS extensions) attached to an e-mail letter. Such e-mails tend to impersonate legitimate companies/entities (e.g., delivery companies, tax authorities, banks, and so forth) and are named in click-bait ways to suggest "importance" or "urgency". If the attached content is opened in the way the cybercriminals instruct, the contained infection will likely be deployed and installed on the targeted system.

A similar infection pattern can be seen in other distribution channels as well, for instance, when users download a pirated or cracked version of software from a shady web page. While the installation of such software may look completely unsuspicious, the final result can be an inadvertent malware infection. Thus, beware of interacting with dubious download sources, torrent-sharing pages, suspicious ads, potentially malicious attachments/links, and other kinds of risky content. Download software only from official resources to prevent drive-by (stealth) installations of malware. Read our guide below to learn more about establishing protection against threats like ransomware (and other malware) in the future.
- Download Eternity Ransomware Removal Tool
- Get decryption tool for .ecrp files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like Eternity Ransomware
Download Removal Tool
To remove Eternity Ransomware completely, we recommend using WiperSoft Antispyware. It detects and removes all files, folders, and registry keys of Eternity Ransomware. WiperSoft Antispyware offers a free scan and a 7-day limited trial.
Alternative Removal Tool
To remove Eternity Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of Eternity Ransomware and prevents future infections by similar viruses.
Eternity Ransomware files:
{randomname}.exe
Eternity Ransomware registry keys:
no information
How to decrypt and restore .ecrp files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use the following tool from Kaspersky, called Rakhni Decryptor, which can decrypt .ecrp files. Download it here:
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
Dr.Web Rescue Pack
The well-known antivirus vendor Dr. Web provides a free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .ecrp files by uploading samples to the Dr. Web Ransomware Decryption Service. The file analysis is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don't have to pay.
If you were infected with Eternity Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually, you can do the following:
Use Stellar Data Recovery Professional to restore .ecrp files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- If there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- If there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like Eternity Ransomware in the future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
The well-known antivirus brand ZoneAlarm by Check Point has released a comprehensive tool that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage, can be instantly infected by the virus once it is plugged in or connected. Eternity Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.