What is Everbe 2.0 Ransomware

Everbe 2.0 Ransomware is second generation of wide-spread Everbe Ransomware. It is file-encryption virus, that encrypts user files using combination of AES (or DES) and RSA-2048 encryption algorithms and then extorts certain amount in BitCoins for decryption. The initial virus first appeared in March, 2018 and was very active since that time. Security researchers consider, that Everbe 2.0 Ransomware started its distribution on 4th of July 2018. Hackers modify added file extensions and ransom notes from time to time. Here is the list of variations used up to date:

  • .[eV3rbe@rape.lol].eV3rbe
  • .[evil@cock.lu].EVIL (EVIL Locker)
  • .[hyena@rape.lol].HYENA (HYENA Locker)
  • .[thunderhelp@airmail.cc].thunder
  • .[divine@cock.lu].divine
  • .[notopen@cock.li].NOT_OPEN (NOT_OPEN Locker)
  • .[notopen@countermail.com].NOT_OPEN (NOT_OPEN Locker)
  • .[yoursalvations@protonmail.ch].neverdies@tutanota.com (Neverdies Ransomware)
  • .[youhaveonechance@cock.li].lightning (Lightning Ransomware)

Sometimes, malware names itself differently in ransom notes, like EVIL Locker, HYENA Locker, NOT_OPEN Locker. This is made to knock researchers astray, and make it harder for users to determine the type of threat. The ransom notes text files can also have different names: Readme if you want restore files.txt, !_HOW_RECOVERY_FILES_!.txt, !=How_recovery_files=!.txt, !=How_to_decrypt_files=!.txt. All notes have similar content – information to convict users, that files can be decrypted and contact information. Here are examples of some messages from Everbe 2.0 Ransomware:

Lightning Ransomware ransom note:

All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC. There is only one way to get your files back: contact with us pay and get decryptor software. We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io

You have unique idkey (in a yellow frame), write it in letter when contact with us. Also you can decrypt 1 file for test, its guarantee what we can decrypt your files. Contact information: primary email: yoursalvations@protonmail.ch reserve email: neverdies@tutanota.com

EVIL Locker ransom note:

>>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<< HELLO, DEAR FRIEND! 1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ] Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the decryption program. 2. [ HOW TO RECOVERY FILES? ] To receive the decryption program write to email: evil@cock.lu And in subject write your ID: ID-xxxxxx We send you full instruction how to decrypt all your files. If we do not respond within 24 hours, write to the email: evillock@cock.li 3. [ FREE DECRYPTION! ] Free decryption as guarantee. We guarantee the receipt of the decryption program after payment. To believe, you can give us up to 3 files that we decrypt for free. Files should not be important to you! (databases, backups, large excel sheets, etc.) >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<

NOT_OPEN Locker ransom note:

>>>>>>>>>>>>>>>>>>>>>>>>>>>> NOT_OPEN LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<< HELLO, DEAR FRIEND! 1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ] Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the decryption program. 2. [ HOW TO RECOVERY FILES? ] To receive the decryption program write to email: notopen@cock.li And in subject write your ID: ID-[redacted 10 hex] We send you full instruction how to decrypt all your files. If we do not respond within 24 hours, write to the email: tryopen@cock.li 3. [ FREE DECRYPTION! ] Free decryption as guarantee. We guarantee the receipt of the decryption program after payment. To believe, you can give us up to 3 files that we decrypt for free. Files should not be important to you! (databases, backups, large excel sheets, etc.) >>>>>>>>>>>>>>>>>>>>>>>>>>>> NOT_OPEN LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<

Everbe 2.0 Ransomware authors demand from $300 to $1500 in BTC (BitCoins) for decryption, but offer to decrypt any 3 files for free. It is worth mentioning, that Everbe 2.0 Ransomware works only on Windows 64-bit versions of OS. Currently, there is no decryption tools available for Everbe 2.0 Ransomware, however, we recommend you to try using instructions and tools below. Often, users remove copies and duplicates of documents, photos, videos - infection may not affect deleted files. Some of removed files can be restored by using file recovery software. Use following tutorial to remove Everbe 2.0 Ransomware and decrypt .lightning or .neverdies@tutanota.com files.

Lightning Ransomware
Everbe 2.0 Ransomware (EVIL Locker variation)
Everbe 2.0 Ransomware (NOT_OPEN Locker variation)

How Everbe 2.0 Ransomware infected your PC

Everbe 2.0 Ransomware uses spam mailing with malicious .docx attachments. Such attachments have malicious macros, that runs when user opens the file. This macros downloads executable from the remote server, that, in its turn, starts encryption process. Virus can also use Remote Desktop services to infiltrate victim's PCs. It is important to know, that this ransomware can encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. It is necessary to control access to network shares. After encryption, the shadow copies of the files are deleted by the command: vssadmin.exe vssadmin delete shadows /all /quiet. Virus assigns certain ID with the victims, that is used to name those files and supposedly to send decryption key. In order to prevent infection with this type of threats in future we recommend you to use SpyHunter 5 or Norton Antivirus.

Download Everbe 2.0 Ransomware Removal Tool

Download Removal Tool

To remove Everbe 2.0 Ransomware completely we recommend you to use SpyHunter 5. It detects and removes all files, folders and registry keys of Everbe 2.0 Ransomware.

How to remove Everbe 2.0 Ransomware manually

It is not recommended to remove Everbe 2.0 Ransomware manually, for safer solution use Removal Tools instead.

Everbe 2.0 Ransomware files:

!_HOW_RECOVERY_FILES_!.txt
{randomfilename}.exe
Readme if you want restore files.txt
!=How_recovery_files=!.txt
!=How_to_decrypt_files=!.txt
msmdsrv.exe
ntdbsmgr.exe

Everbe 2.0 Ransomware registry keys:

no information

How to decrypt and restore .lightning or .neverdies@tutanota.com files

Use automated decryptors

Decryption tool #1 - InsaneCryptDecryptor

everbe ransomware decryptor

Although, this tool, released by security researchers Michael Gillespie and Maxime Meignan, is currently able to decrypt only first version of Everbe Ransomware it can be soon updated to decode Everbe 2.0 Ransomware files. To use it, unzip the file, run decryptor, go to Settings -> Bruteforcer, where you need to point the path to 1 encrypted file and its original version and click Start.

Download InsaneCryptDecryptor

Decryption tool #2 - Rakhni Decryptor

kaspersky everbe ransomware decryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .lightning or .neverdies@tutanota.com files. Download it here:

Download RakhniDecryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

If you are infected with Everbe 2.0 Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Phoenix Data Recovery Pro to restore .lightning or .neverdies@tutanota.com files

  1. Download Stellar Phoenix Data Recovery Pro.
  2. Select location to scan for lost files and click Scan button.
  3. Wait until Quick and Deep scans finish.
  4. Preview found files and restore them.

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like Everbe 2.0 Ransomware in future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

ZoneAlarm Anti-Ransomware Dashboard
ZoneAlarm Anti-Ransomware Alert
ZoneAlarm Anti-Ransomware Blocked

Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.

Download ZoneAlarm Anti-Ransomware

2. Back up your files

onedrive backup

Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.

3. Do not open spam e-mails and protect your mailbox

mailwasher pro

Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.

Download MailWasher Pro
Previous articleHow to remove GandCrab v5.0.4 Ransomware and decrypt .[random-letters] files
Next articleHow to remove KMSPico virus
James Kramer
James Kramer
https://www.bugsfighter.com
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here
Facebook Twitter Youtube