What is Sojusz Ransomware
Sojusz is the name of a ransomware infection. It belongs to the Makop ransomware family that designs a number of different file encryptors. Sojusz blocks access to data and demands money for its decryption. The research showed it highlights encrypted files by assigning a random string of characters, ustedesfil@safeswiss.com email address, and the .sojusz extension. Latest versions of Sojusz used following extensions: .bec, .nigra, .likeoldboobs (HORSEMAGYAR Ransomware), .[BillyHerrington].Gachimuchi (Gachimuchi Ransomware), this means a file like 1.pdf
will be changed to 1.pdf.[fd4702551a].[ustedesfil@safeswiss.com].sojusz
and become no longer accessible. After all targeted files end up encrypted this way, the virus creates a text file called —–README_WARNING—–.txt (later versions created also: !!!HOW_TO_DECRYPT!!!.txt, Horse.txt, README_WARNING_.txt and #HOW_TO_DECRYPT#.txt ransom notes).
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: You can write us to our mailboxes: ustedesfil@safeswiss.com or ustedesfil@cock.li or votredatei@ctemplar.com
(in subject line please write your MachineID: - and LaunchID: -)
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss of all data.
::: Hello my dear friend :::
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them,write to our skype - HORSEMAGYAR DECRYPTION
Also you can write ICQ live chat which works 24/7 @HORSEMAGYAR
Install ICQ software on your PC hxxps://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @HORSEMAGYAR hxxps://icq.im/HORSEMAGYAR
If we not reply in 6 hours you can write to our mail but use it only if previous methods not working - horsemagyar@onionmail.org
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* We are always ready to cooperate and find the best way to solve your problem.
* The faster you write, the more favorable the conditions will be for you.
* Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: - and LaunchID: -
Sensitive data on your system was DOWNLOADED.
If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format
- And more...
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
=========================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
==========================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - Gachimuchi DECRYPTION
Also you can write ICQ live chat which works 24/7 @Gachimuchi
Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @Gachimuchi https://icq.im/Gachimuchi
If we not reply in 6 hours you can write to our mail but use it only if previous methods not working - gachimuchi@onionmail.org
2. Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: {redacted} and LaunchID: {redacted}
The text file is meant to explain decryption instructions. It says victims have to contact cyber criminals at one of the attached e-mail addresses (ustedesfil@safeswiss.com, ustedesfil@cock.li, or votredatei@ctemplar.com) and pay a so-called ransom. While writing a message, it is important to include MachineID and LaunchID from the text note. As an additional guarantee, cybercriminals offer to send 2 low-size and non-valuable files and receive them decrypted for free. This is a trick designed to stimulate victims into paying the ransom. After paying the ransom, swindlers promise to send a scanner-decoder program that will unlock access to data. Unfortunately, this is not always the case – some crooks tend to forget or fool their victims intentionally. Despite this, decrypting data using third-party tools is almost impossible. You can give it a try, but there is no guarantee it will actually work. For now, the only best option to avoid paying the ransom is to recover your files from backup copies. Note that prior to trying any recovery options, it is important to delete the virus first. Otherwise, it may resume its encryption and spread onto other devices from the local network. All the removal instructions and restoration options are in the article below.
How Sojusz Ransomware infected your computer
Ransomware infections are commonly spread via phishing techniques. One of the vectors embodying this technique is e-mail spam letters. Such letters are often disguised as something legitimate carrying some “important” or “urgent” information. They may convince you to open Word, Excel, JavaScript, RAR, ZIP, or PDF attachments to view or install something. Alternatively, such messages may also impose malicious links leading to download pages of fake software. Beware of this and do not trust letters categorized as spam. The distribution of ransomware does not come down to only one channel. It can also be spread using trojans, unprotected RDP configuration, fake software updates/installers, suspicious files, backdoors, keyloggers, and dozens of other dubious methods. Whatever it is, ensuring PC protection lies on your shoulders – learn how to improve it and dodge such infections in the future using our tutorial below.
- Download Sojusz Ransomware Removal Tool
- Get decryption tool for .sojusz, .likeoldboobs or .Gachimuchi files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like Sojusz Ransomware
Download Removal Tool
To remove Sojusz Ransomware completely, we recommend you to use SpyHunter 5. It detects and removes all files, folders, and registry keys of Sojusz Ransomware. The trial version of Spyhunter 5 offers virus scan and 1-time removal for FREE.
Alternative Removal Tool
To remove Sojusz Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of Sojusz Ransomware and prevents future infections by similar viruses.
Sojusz Ransomware files:
!!!HOW_TO_DECRYPT!!!.txt
Horse.txt
README_WARNING_.txt
#HOW_TO_DECRYPT#.txt
-----README_WARNING-----.txt
{randomname}.exe
Sojusz Ransomware registry keys:
no information
How to decrypt and restore .sojusz, .likeoldboobs or .Gachimuchi files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .sojusz, .likeoldboobs or .Gachimuchi files. Download it here:
There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .sojusz, .likeoldboobs or .Gachimuchi files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you are infected with Sojusz Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .sojusz, .likeoldboobs or .Gachimuchi files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like Sojusz Ransomware, in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. Sojusz Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.