UmbreCrypt Ransomware

Posted by Lisa Blanc on March 1, 2016

What is UmbreCrypt Ransomware?

Depending on the way you look at it, UmbreCrypt Ransomware could be your worst nightmare, but there is no need to panic if you got infected by this ransomware application. Unlike other extremely annoying and dangerous ransomware infections, UmbreCrypt Ransomware does not leave you without a way out. It is possible to decrypt the files affected by this infection without paying the ransom fee. Also, do not forget to remove the actual malicious program from your computer because you have to take care of the original perpetrators. If you need any customized help with the malware removal, please do not hesitate to contact us by leaving a comment below this description. test test test

Where does UmbreCrypt Ransomware come from?

The ransomware program comes from the same group of malicious infections as HydraCrypt ransomware. This would also suggest that UmbreCrypt Ransomware gets distribution in a similar fashion. Keeping in mind that HydraCrypt has been spreading via exploit kits, it would probably be a good idea to avoid suspicious websites and various pages full of shady content. It is a lot easier to get infected with malware than you might think. All you have to do is click an infected flash advertisement or get redirected to a third-party page that eventually lands you on the exploit’s ground zero.

What’s more, some computer security experts believe that this infection might also be spreading via remote desktop connection. That is, there have been suggestions saying that UmbreCrypt Ransomware could be distributed directly. However, these claims have not been proven yet, so all means of precaution should be applied when dealing with potential infection.

What does UmbreCrypt Ransomware do?

UmbreCrypt Ransomware does a lot of nasty things, and all of that is done in order to help its creators make easy money. Once the Trojan infection that unleashes the program’s payload enters your computer, it scans your system for the file extensions that the ransomware program encrypts. According to our research, the program affects an extensive list of file extensions, including: .dim, .diy, .dna, .dov, .dpb, .dsb, .fbc, .fbf, .fbk, .fbu, .fbw, .fh , .fhf, .flka, .flkb, .fpsx, .ftmb, .ful, .fwbackup, .fza, .fzb, .gb1, .gb2, .gbp, .ghs, .ibk, .icbu, .icf, .inprogress, .ipd, .iv2i, .jbk, .jdc, .kb2, .lcb, .llx, .mbf, .mbk, .mbw, .mdinfo, .mem, .mig, .mpb, .mv_, .nb7, .nba, .nbak, .nbd, .nbf, .nbi, .nbk, .nbs, .nbu, .nco, .nda, .nfb, .nfc, .npf, .nps, .nrbak, .nrs, .nwbak, .obk, .oeb, .old, and many others.

The files are encrypted using the AES encryption method. It is a symmetric encryption method, which means that the key that has been used to encrypt the files can also be used to decrypt them. The problem is that most of the ransomware applications encrypt the key itself as well, thus preventing users from making use of it. To make matters worse, this AES encryption key is often encrypted using the RSA cryptosystem that is often considered even harder to crack.

Luckily, computer security experts have already come up with the decryption method for UmbreCrypt Ransomware, which you can find on computer software websites, but that does not mean the infection is any less scary.

Upon the installation, the ransomware will display a notification that will claim you have only 72 hours to decrypt your files. To decrypt your files, you will be asked to contact the people behind this infection via umbredecrypt@engineer.com or umbrehelp@consultant.com. This shows that the only way to find out the actual ransom amount required is to send the infection notification mail.

Nevertheless, we believe that in some cases UmbreCrypt Ransomware may not be able to provide secure server connections, and that would result in the inability to provide users with the decryption key. It goes without saying that paying the infection is out of the question, especially as there is already a way to decrypt the files.

How do I remove UmbreCrypt Ransomware?

When your computer gets infected with malware, the thing you have to do is remove it. Naturally, not all users are well-versed enough to perform a manual removal, but that is also not as challenging as one might think.

You can try out the removal instructions below to terminate all the files and registry entries that belong to this infection. If you are not confident you can do it, please delete UmbreCrypt Ransomware with a licensed antispyware tool. Also, make sure your computer has real-time protection against dangerous intruders.

UmbreCrypt Ransomware Removal

Delete Registry Values

Press Win+R and enter regedit.
Click OK and go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows.
Delete the following values (on the right):
ChromeRandomAdress3264 REG_SZ havuwifi.exe
ChromeSettiings3264 REG_SZ C:\Users\user\AppData\Roaming\ChromeSetings3264\*.exe
ChromeStarts3264 REG_SZ C:\Users\user\AppData\Roaming\ChromeSetings3264\*.exe
MicrosoftUpd32 REG_SZ dENx7zcCXtZSkoqHQUxNxBnA5aM2QvK7Ko6fLx2PrnwaKhG2kMmmv6IW9a5VwqKrzUW6LwBloHwWfLRv627KSaWHcXGP5FKVTyzmqRS5

N.B: *.exe is an executable file that has a randomly generated name. This name should be the same for all the files in the ransomware’s registry entries.

Delete Registry Keys

Press Win+R and type regedit into the Open box.
Press Enter and navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.umbrecrypt_ID_*.
Remove the .umbrecrypt_ID_* key.
Go to to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.umbrecrypt_ID_*.
Erase the .umbrecrypt_ID_* key.

N.B: .umbrecrypt_ID_* ends in a unique user ID given by the ransomware to your computer.

Remove UmbreCrypt Ransomware Files and Folders