How to remove Everbe 2.0 Ransomware and decrypt .EVIL, .NOT_OPEN, or .divine files

Standard

What is Everbe 2.0 Ransomware

Everbe 2.0 Ransomware is second generation of wide-spread Everbe Ransomware. It is file-encryption virus, that encrypts user files using combination of AES (or DES) and RSA-2048 encryption algorithms and then extorts certain amount in BitCoins for decryption. The initial virus first appeared in March, 2018 and was very active since that time. Security researchers consider, that Everbe 2.0 Ransomware started its distribution on 4th of July 2018. Hackers modify added file extensions and ransom notes from time to time. Here is the list of variations used up to date:

  • .[eV3rbe@rape.lol].eV3rbe
  • .[evil@cock.lu].EVIL (EVIL Locker)
  • .[hyena@rape.lol].HYENA (HYENA Locker)
  • .[thunderhelp@airmail.cc].thunder
  • .[divine@cock.lu].divine
  • .[notopen@cock.li].NOT_OPEN (NOT_OPEN Locker)
  • .[notopen@countermail.com].NOT_OPEN (NOT_OPEN Locker)

Sometimes, malware names itself differently in ransom notes, like EVIL Locker, HYENA Locker, NOT_OPEN Locker. This is made to knock researchers astray, and make it harder for users to determine the type of threat. The ransom notes text files can also have different names: Readme if you want restore files.txt, !_HOW_RECOVERY_FILES_!.txt, !=How_recovery_files=!.txt, !=How_to_decrypt_files=!.txt. All notes have similar content – information to convict users, that files can be decrypted and contact information. Here are examples of some messages from Everbe 2.0 Ransomware:

EVIL Locker ransom note:

>>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<< HELLO, DEAR FRIEND! 1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ] Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the decryption program. 2. [ HOW TO RECOVERY FILES? ] To receive the decryption program write to email: evil@cock.lu And in subject write your ID: ID-xxxxxx We send you full instruction how to decrypt all your files. If we do not respond within 24 hours, write to the email: evillock@cock.li 3. [ FREE DECRYPTION! ] Free decryption as guarantee. We guarantee the receipt of the decryption program after payment. To believe, you can give us up to 3 files that we decrypt for free. Files should not be important to you! (databases, backups, large excel sheets, etc.) >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<

NOT_OPEN Locker ransom note:

>>>>>>>>>>>>>>>>>>>>>>>>>>>> NOT_OPEN LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<< HELLO, DEAR FRIEND! 1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ] Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the decryption program. 2. [ HOW TO RECOVERY FILES? ] To receive the decryption program write to email: notopen@cock.li And in subject write your ID: ID-[redacted 10 hex] We send you full instruction how to decrypt all your files. If we do not respond within 24 hours, write to the email: tryopen@cock.li 3. [ FREE DECRYPTION! ] Free decryption as guarantee. We guarantee the receipt of the decryption program after payment. To believe, you can give us up to 3 files that we decrypt for free. Files should not be important to you! (databases, backups, large excel sheets, etc.) >>>>>>>>>>>>>>>>>>>>>>>>>>>> NOT_OPEN LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<

Everbe 2.0 Ransomware authors demand from $300 to $1500 in BTC (BitCoins) for decryption, but offer to decrypt any 3 files for free. It is worth mentioning, that Everbe 2.0 Ransomware works only on Windows 64-bit versions of OS. Currently, there is no decryption tools available for Everbe 2.0 Ransomware, however, we recommend you to try using instructions and tools below. Often, users remove copies and duplicates of documents, photos, videos - infection may not affect deleted files. Some of removed files can be restored by using file recovery software. Use following tutorial to remove Everbe 2.0 Ransomware and decrypt .EVIL, .NOT_OPEN, .divine, .HYENA, .thunder or .ev3rbe files.

How Everbe 2.0 Ransomware infected your PC

Everbe 2.0 Ransomware uses spam mailing with malicious .docx attachments. Such attachments have malicious macros, that runs when user opens the file. This macros downloads executable from the remote server, that, in its turn, starts encryption process. Virus can also use Remote Desktop services to infiltrate victim's PCs. It is important to know, that this ransomware can encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. It is necessary to control access to network shares. After encryption, the shadow copies of the files are deleted by the command: vssadmin.exe vssadmin delete shadows /all /quiet. Virus assigns certain ID with the victims, that is used to name those files and supposedly to send decryption key. In order to prevent infection with this type of threats in future we recommend you to use SpyHunter and BitDefender Anti-Ransomware.

Download Everbe 2.0 Ransomware Removal Tool

Download Removal Tool

To remove Everbe 2.0 Ransomware completely we recommend you to use SpyHunter from EnigmaSoftware Group LLC. It detects and removes all files, folders and registry keys of Everbe 2.0 Ransomware.

How to remove Everbe 2.0 Ransomware manually

It is not recommended to remove Everbe 2.0 Ransomware manually, for safer solution use Removal Tools instead.

Everbe 2.0 Ransomware files:

!_HOW_RECOVERY_FILES_!.txt
{randomfilename}.exe
Readme if you want restore files.txt
!=How_recovery_files=!.txt
!=How_to_decrypt_files=!.txt
msmdsrv.exe
ntdbsmgr.exe

Everbe 2.0 Ransomware registry keys:

no information

How to decrypt and restore .EVIL, .NOT_OPEN, .divine, .HYENA or .ev3rbe files

Use automated decryptors

Decryption tool #1 - InsaneCryptDecryptor

everbe ransomware decryptor

Although, this tool, released by security researchers Michael Gillespie and Maxime Meignan, is currently able to decrypt only first version of Everbe Ransomware it can be soon updated to decode Everbe 2.0 Ransomware files. To use it, unzip the file, run decryptor, go to Settings -> Bruteforcer, where you need to point the path to 1 encrypted file and its original version and click Start.

Download InsaneCryptDecryptor

Decryption tool #2 - Rakhni Decryptor

kaspersky everbe ransomware decryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .EVIL, .NOT_OPEN, .divine, .thunder, .HYENA or .ev3rbe files. Download it here:

Download Kaspersky RakhniDecryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

If you are infected with Everbe 2.0 Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Phoenix Data Recovery Pro to restore .EVIL, .NOT_OPEN, .divine, .HYENA, .thunder or .ev3rbe files

  1. Download Stellar Phoenix Data Recovery Pro.
  2. Select location to scan for lost files and click Scan button.
  3. Wait until Quick and Deep scans finish.
  4. Preview found files and restore them.

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there is other dates in the list choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like Everbe 2.0 Ransomware in future

1. Get special anti-ransomware software

Use Bitdefender Anti-Ransomware

bitdefender anti-ransomware

Famous antivirus vendor BitDefender released free tool, that will help you with active anti-ransomware protection, as additional shield to your current protection. It will not conflict with bigger security applications. If you are searching complete internet security solution consider upgrading to full version of BitDefender Internet Security 2018.

Download BitDefender Anti-Ransomware

2. Back up your files

onedrive backup

Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.

3. Do not open spam e-mails and protect your mailbox

spamfighter

Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is SpamFighter. It works with various desktop applications, and provides very high level of anti-spam protection.

Download SPAMFighter 5/5 (2)

Please rate this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close