What is Everbe 2.0 Ransomware
Everbe 2.0 Ransomware is second generation of wide-spread Everbe Ransomware. It is file-encryption virus, that encrypts user files using combination of AES (or DES) and RSA-2048 encryption algorithms and then extorts certain amount in BitCoins for decryption. The initial virus first appeared in March, 2018 and was very active since that time. Security researchers consider, that Everbe 2.0 Ransomware started its distribution on 4th of July 2018. Hackers modify added file extensions and ransom notes from time to time. Here is the list of variations used up to date:
- .[eV3rbe@rape.lol].eV3rbe
- .[evil@cock.lu].EVIL (EVIL Locker)
- .[hyena@rape.lol].HYENA (HYENA Locker)
- .[thunderhelp@airmail.cc].thunder
- .[divine@cock.lu].divine
- .[notopen@cock.li].NOT_OPEN (NOT_OPEN Locker)
- .[notopen@countermail.com].NOT_OPEN (NOT_OPEN Locker)
- .[yoursalvations@protonmail.ch].neverdies@tutanota.com (Neverdies Ransomware)
- .[youhaveonechance@cock.li].lightning (Lightning Ransomware)
Sometimes, malware names itself differently in ransom notes, like EVIL Locker, HYENA Locker, NOT_OPEN Locker. This is made to knock researchers astray, and make it harder for users to determine the type of threat. The ransom notes text files can also have different names: Readme if you want restore files.txt, !_HOW_RECOVERY_FILES_!.txt, !=How_recovery_files=!.txt, !=How_to_decrypt_files=!.txt. All notes have similar content – information to convict users, that files can be decrypted and contact information. Here are examples of some messages from Everbe 2.0 Ransomware:
Lightning Ransomware ransom note:
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC. There is only one way to get your files back: contact with us pay and get decryptor software. We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io
You have unique idkey (in a yellow frame), write it in letter when contact with us. Also you can decrypt 1 file for test, its guarantee what we can decrypt your files. Contact information: primary email: yoursalvations@protonmail.ch reserve email: neverdies@tutanota.com
EVIL Locker ransom note:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
HELLO, DEAR FRIEND!
1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ]
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the decryption program.
2. [ HOW TO RECOVERY FILES? ]
To receive the decryption program write to email: evil@cock.lu
And in subject write your ID: ID-xxxxxx
We send you full instruction how to decrypt all your files.
If we do not respond within 24 hours, write to the email: evillock@cock.li
3. [ FREE DECRYPTION! ]
Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us up to 3 files that we decrypt for free.
Files should not be important to you! (databases, backups, large excel sheets, etc.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
NOT_OPEN Locker ransom note:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> NOT_OPEN LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
HELLO, DEAR FRIEND!
1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ]
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the decryption program.
2. [ HOW TO RECOVERY FILES? ]
To receive the decryption program write to email: notopen@cock.li
And in subject write your ID: ID-[redacted 10 hex]
We send you full instruction how to decrypt all your files.
If we do not respond within 24 hours, write to the email: tryopen@cock.li
3. [ FREE DECRYPTION! ]
Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us up to 3 files that we decrypt for free.
Files should not be important to you! (databases, backups, large excel sheets, etc.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> NOT_OPEN LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Everbe 2.0 Ransomware authors demand from $300 to $1500 in BTC (BitCoins) for decryption, but offer to decrypt any 3 files for free. It is worth mentioning, that Everbe 2.0 Ransomware works only on Windows 64-bit versions of OS. Currently, there is no decryption tools available for Everbe 2.0 Ransomware, however, we recommend you to try using instructions and tools below. Often, users remove copies and duplicates of documents, photos, videos - infection may not affect deleted files. Some of removed files can be restored by using file recovery software. Use following tutorial to remove Everbe 2.0 Ransomware and decrypt .lightning or .neverdies@tutanota.com files.
How Everbe 2.0 Ransomware infected your PC
Everbe 2.0 Ransomware uses spam mailing with malicious .docx attachments. Such attachments have malicious macros, that runs when user opens the file. This macros downloads executable from the remote server, that, in its turn, starts encryption process. Virus can also use Remote Desktop services to infiltrate victim's PCs. It is important to know, that this ransomware can encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. It is necessary to control access to network shares. After encryption, the shadow copies of the files are deleted by the command: vssadmin.exe vssadmin delete shadows /all /quiet. Virus assigns certain ID with the victims, that is used to name those files and supposedly to send decryption key. In order to prevent infection with this type of threats in future we recommend you to use SpyHunter 5 or Norton Antivirus.
Download Everbe 2.0 Ransomware Removal Tool
To remove Everbe 2.0 Ransomware completely we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of Everbe 2.0 Ransomware.
How to remove Everbe 2.0 Ransomware manually
It is not recommended to remove Everbe 2.0 Ransomware manually, for safer solution use Removal Tools instead.
Everbe 2.0 Ransomware files:
!_HOW_RECOVERY_FILES_!.txt
{randomfilename}.exe
Readme if you want restore files.txt
!=How_recovery_files=!.txt
!=How_to_decrypt_files=!.txt
msmdsrv.exe
ntdbsmgr.exe
Everbe 2.0 Ransomware registry keys:
no information
How to decrypt and restore .lightning or .neverdies@tutanota.com files
Use automated decryptors
Decryption tool #1 - InsaneCryptDecryptor
Although, this tool, released by security researchers Michael Gillespie and Maxime Meignan, is currently able to decrypt only first version of Everbe Ransomware it can be soon updated to decode Everbe 2.0 Ransomware files. To use it, unzip the file, run decryptor, go to Settings -> Bruteforcer, where you need to point the path to 1 encrypted file and its original version and click Start.
Decryption tool #2 - Rakhni Decryptor
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .lightning or .neverdies@tutanota.com files. Download it here:
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with Everbe 2.0 Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Phoenix Data Recovery Pro to restore .lightning or .neverdies@tutanota.com files
- Download Stellar Phoenix Data Recovery Pro.
- Select location to scan for lost files and click Scan button.
- Wait until Quick and Deep scans finish.
- Preview found files and restore them.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses like Everbe 2.0 Ransomware in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.
