CCEW ransomware aims to lock your files with encryption
Contents
CCEW ransomware virus is a new file-encrypting computer malware variant from STOP/DJVU ransomware gang. The virus has already been embedded in diverse pirated versions of popular software content. The method used by those behind it is to upload the malware-carrying software on platforms such as online malicious torrents, and once they’re downloaded into random computers, it will encrypt files contained in them. The cybercriminals would then demand for ransom fees in exchange for decryption tools. Meanwhile, to identify files that have been encrypted by the virus, .ccew extension will be appended to the respective file names. In other words, files with names like 1.jpeg or 2.jpg now becomes 1.jpeg.ccew or 2.jpg.ccew.
This computer virus is highly sophisticated and aims to extort the computer user after taking all data hostage. Since files we keep on our personal or work computers are important (either work, study related or simply personal memories), cybercriminals expect that the user will comply with their demands.
The virus drops ransom-demanding notes
While the cyber-attack is still ongoing, ransom messages known as _readme.txt would also be dropped. It would inform the victim about what has just taken place and why they have to pay the ransom before they would be able to restore their files by using a decryption tool that would be provided by the cybercriminals. To facilitate further discussions, they would equally forward two email addresses (support@bestyourmail.ch and datarestorehelp@airmail.cc). In situations where the victim reaches out to the perpetrators using any of the two emails, they will be notified that $980 has to be paid as a ransom fee.
However, a 50% ransom fee slash could be available if payment would be made within 72 hours of getting a go-ahead order, but failure to pay within that time frame nullifies the ransom fee slash offer.
To make the matters even more complicated for the victim, the cybercriminals would also state that ransom payment can only be made by purchasing cryptocurrency equivalence of the stated fee and transferring same to their private wallet address. They avoid other conventional payment methods because their real identities would be exposed.
Regardless of the pressure, victims of cyber-attack are advised never to comply with the demands of cybercriminals. Likewise, trying to communicate with them is strongly discouraged as well. This recommendation was put forward by the FBI and is supported by other reputable cyber-security organizations across the world. The reasons they gave are reproduced below:
- Ransom payment puts the victim at elevated risk of future attacks by cybercriminals because they’re naturally greedy.
- There is no point in paying ransom fee when there is no guarantee that your encrypted files will be decrypted.
- When victims pay ransom, they are practically funding their criminal enterprise by making it profitable.
Beware of additional malware dropped
Computer users should note that even though more attention is paid to the primary malware – the ransomware, other secondary malware codenamed RATs are also often attached alongside. RAT stands for Remote Access Trojan and is used by cybercriminals to steal sensitive personal data. They may include banking details, cryptocurrency wallets, passwords, browsing history, software login details, etc. The danger is that victims may not even be aware that such pieces of information have been stolen and would be used to commit further crimes against them. Two of such threats that travel alongside this ransomware are known under VIDAR and AZORULT names.
That is why it is very important to remove CCEW ransomware virus as soon as it is found in any computer. There are diverse removal methods but the best is by setting up the computer through Safe Mode with Networking login option before activating an antivirus software. You’re advised to make use of only genuine antivirus software that has a track record of effectiveness.
The use of repair tools like RESTORO should also be considered in cases where the Windows Operating Systems have been significantly affected while the cyber-attack was going on.
Ransomware Summary
| Name | CCEW Ransomware Virus |
| Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
| Family | STOP/DJVU |
| Encryption type | RSA 2048 + Salsa20 |
| Previous versions | JYPO, KIFR, KIOP, KITZ, BOZA, BOTY, COZA (find full list here) |
| Version | 535th |
| Extension | .ccew |
| Cybercriminal emails | support@bestyourmail.ch, datarestorehelp@airmail.cc |
| Additional malware dropped | Azorult or Vidar Trojan |
| Damage | The ransomware uses encryption to maliciously modify all files on the PC and marks their original names with .ccew extension. Ransom notes called as _readme.txt will be dropped in every computer folder. This piece of malware usually drags VIDAR Stealer alongside it and also eliminates VSS from the system. On top of that, it tends to modify Windows HOSTS file to restrict computer user’s access to cybersecurity-related websites online. |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 in Bitcoin |
| Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
| Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
| Detection names | Ransom:Win32/StopCrypt.PAL!MTB (Microsoft), Trojan.Crypt (A) (Emsisoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.47850419 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal |
| Removal | Remove ransomware and related malware from your PC using trustworthy software. To repair virus damage on Windows OS files, consider scanning with RESTORO (secure download link). |
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
The image below demonstrates how encrypted files appear in a folder along a ransom note.
The need to take proactive measures against ransomware
Cybercriminals are always on the lookout for ways through which they could take computer users unawares. That is why it is imperative for one to always shun certain unwholesome activities that put their computer at increased risk of ransomware virus infection. Therefore, trying to use peer-to-peer software sharing channels, the indiscriminate opening of emails and attachments (particularly when the originating source is not known or spooked), browsing online torrent platforms, etc. should all be avoided. Unsolicited emails with attachments that have click-bait titles/tags should be considered a red flag and deleted at source.
From our studies over the years, we have been able to notice that cybercriminals often target popular software content. They know that some software users don’t like paying the fee requested by the original content producers, instead, they would be looking for alternative ways they can download them at little or no cost at all. This is what prompts them to pirate such popular software contents, embed them with malware and use them as bait to get their victims. We have compiled a list of such highly demanded software contents as shown below:
- Adobe Photoshop;
- Fifa 20;
- Adobe Premiere Pro;
- Adobe Illustrator;
- Corel Draw;
- VMware Workstation;
- AutoCad;
- Cubase;
- Tenorshare 4ukey;
- League of Legends;
- Internet Download Manager.
From the experiences of other victims, we have realized that trying to make use of cloned software contents could result in severe losses. Some victims that tried to “save cost” in the past by not paying the official fees requested by the copyright owners ended up losing a more in terms ransom fee or lost data, time, or psychological trauma when they became victims of ransomware attack. In addition to the associated risks, those that patronize these illegal channels of distribution are harming the IT industry. On the contrary, we encourage users to always source for their software needs by using the official channels of distribution recognized by the copyright owners.
It should also be noted that files such as DOCX, PDF or XLS among similar ones are often used by cybercriminals in their activities. They often exploit their macro functionalities which enable them to embed malware and also trigger them in diverse other computers. Although these files were created with noble intents but cybercriminals are now using them as well to constitute nuisance.
For those that are victims of CCEW ransomware virus already, it would be in your best interest to shun websites that make bogus claims of having decryption solutions. So far, we can only vouch for tools by Emsisoft and DiskTuna as the only helpful ones that produce sufficiently good results.
Tips to remove CCEW ransomware virus safely and what to do next
Before we call it a day, there is a need to reiterate that using Safe Mode with Networking option when removing CCEW ransomware virus, produces the best result. In addition to that, the use of antivirus with proven track record is highly recommended. In addition, our team advises downloading RESTORO (see its review here) to identify and repair virus-damaged Windows OS files automatically.
After removing CCEW ransomware virus, there are other steps you are supposed to take as well, please check below:
- Passwords used in the compromised computer should be changed ASAP.
- Report the incident to local police or relevant government agency.
- Replace lost files using any available backup device.
- In situations where backup is not available, you may consider if there are possible tools that could be used in restoring the damaged files.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
CCEW Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove CCEW Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove CCEW Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt CCEW files
Fix and open large CCEW files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of encrypted file to a separate folder using Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the CCEW extension and delete it. Press Enter to save changes.
- In the prompt asking whether you want to make the changes as file might become unusable, click OK.
- Try opening the file.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. CCEW Ransomware Virus is considered the new STOP/DJVU variant, just like JYPO, KIFR, KIOP, KITZ, BOZA, BOTY, COZA (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt CCEW files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work. - Click Decrypt to start restoring CCEW files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The CCEW decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your CCEW extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of CCEW Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open CCEW files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official CCEW decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake CCEW decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply