Resurrection Ransomware

Posted by Max Lehmann on June 20, 2017

What is Resurrection Ransomware?

Resurrection Ransomware is yet another ransomware based on the Hidden-Tear project. However, like Decryption Assistant Ransomware that we analyzed recently, this new ransomware is also only partially working. Apparently, both of these programs are experiencing problems but, nevertheless, it does not mean that Resurrection Ransomware is going to remain harmless. It has the potential to encrypt your personal and demand money to have them decrypted. Therefore, you ought to remove this ransomware as soon as possible before it is updated and fully functional. For more information, please read this whole article.test

What does Resurrection Ransomware do?

Our malware analysts at Anti-spyware-101.com have acquired a sample of this ransomware and tested it. They have found that this ransomware uses the AES encryption algorithm. However, they have found that the C&C server is down, so this ransomware is currently incapable of encrypting your files. However, if this ransomware's C&C server was to come back online, then it would contact to the server once your PC is infected and receive the encryption key and encrypt your files using the AES encryption algorithm. It would also append the files with a ".resurrection" file extension while encrypting the files. Researchers say that Resurrection Ransomware is capable of encrypting several hundred file types so, basically, this ransomware can encrypt most of your personal files. Once the encryption is complete, this ransomware will drop the ransom note and the “.key” file.

The ransom note comes in an HTML file, and it also has an audio source in its code ("http://topalbums.biz/file/8999896.mp3") that plays a little song while open. The ransom note is named README.html and is placed on the desktop and in %HOMEDRIVE% and %USERPROFILE% folders. The ransom note states that the cyber criminals that created this ransomware want you to pay 1.77 BTC which is 3,918 USD or 3,500 EUR. The developers are very greedy, so paying the ransom is uneconomical, at least for most casual PC users. You would be required to send the coins to a provided Bitcoin wallet address. Note that the ransom note is dropped regardless of whether this ransomware encrypts the files, so do not make hasty decisions and pay the ransom. You would receive the key by contacting the developers via the provided email address.

Where does Resurrection Ransomware come from?

As indicated in the introduction, Resurrection Ransomware is part of the Hidden-Tear ransomware family that also includes the recently released Decryption Assistant Ransomware as well as several programs released much earlier that include Kill Zorro Ransomware, Angleware Ransomware, Redants Ransomware, and several others. As you can see, he Hidden-Tear ransomware family has many new additions even though the original creators of the Hidden-Tear project have since discontinued it. Apparently, someone else is still using the source code to develop new programs in an effort to make more money.

As far as this ransomware’s distribution methods are concerned, our researchers have found that Resurrection Ransomware is being distributed though email spam, so you can receive a fake email with an attached file. The email can be disguised as something legitimate or not provide you with any information whatsoever. If you open and run the attached file that is this ransomware’s main executable, then it will attempt to encrypt your files but fail.

How do I remove Resurrection Ransomware?

If you were lucky enough to get your PC infected with Resurrection Ransomware and not some ransomware that can actually encrypt your files, then all you have to do is remove it from your computer, and you do not have to worry about decrypting your files. However, even though this new ransomware is only half finished, it might be finished at some point and actually start encrypting files. If you want to delete it manually, please check the guide below, but if you experience any problems, you can use an anti-malware program such as our featured SpyHunter anti-malware application.

Removal Guide

  1. Press Win+E keys.
  2. In File Explorer’s address box, type the following file paths.
    • %USERPROFILE\Downloads
    • %USERPROFILE\Desktop
    • %TEMP%
  3. Press Enter.
  4. Locate this ransomware, right-click it and click Delete.
  5. Then, Enter the following paths in the address box and hit Enter.
    • %HOMEDRIVE%
    • %USERPROFILE%
  6. Locate README.html and and click Delete.
  7. Lastly, go to the desktop and delete README.html and Recovery.key
  8. Empty the Recycle Bin.
100% FREE spyware scan and
tested removal of Resurrection Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *