Easy ransomware originates from Phobos family
Contents
Easy ransomware is a malicious computer virus that belongs to Phobos cyber crime group. Once executed on the system, this virus encrypts all personal files and adds an .id[unique-id].[easybackup@aol.com].easy extension to its original filename. For example, file called document.docx will become document.docx.id[P313FF41-8162].[easybackup@aol.com].easy after the attack. The virus infects local system and network shares, then drops info.hta and info.txt ransom notes in each affected folder and launches the .hta note version on the screen.
In this guide, we will explain how to remove this ransomware from the system, and what you should do next.
The virus demands ransom from the victim for data decryption
Easy ransomware operators inform the victim that all data is “protected” with RSA-1024 algorithm. According to the note, computer’s security system was vulnerable, which led to a malware intrusion and complete file encryption. If the victim wants to decrypt files, the note recommends writing to the cybercriminals via provided email address, identical to the one appended to file names: easybackup@aol.com. The note instructs to put victim’s unique ID in the file subject. If the victim receives no answer within 24 hours, the criminals recommend reaching them via their Telegram account called @easybackup.
The note also instructs not to damage or rename encrypted .easy files if the victim wants to open them ever again. Just like typical ransomware developers, operators behind this Phobos variant suggest decrypting up to 5 files (not exceeding 5 MB in size, non-archived) for free. Additionally, criminals state that they won’t decrypt databases, spreadsheets (XLS) and other file formats that are likely to contain information of highest importance to the victim. This is done to prevent test decryption on files that are the most valuable for the victim and might deter the victim from paying the ransom altogether.
The only aim of this virus is to take your personal files hostage without leaving to chances to restore files for free. That said, it is important to mention that this ransomware runs several command line tasks to delete Volume Shadow Copies from the system. In this scenario, the victim loses all chances to restore system from a restore point.
Keeping this ransomware virus or its remains on the system causes great danger for further intrusions. That said, we recommend removing the malware using a professional tool. After that, we strongly recommend scanning with after-care software, such as RESTORO to eliminate virus damage on Windows OS files.
Name | Easy ransomware virus |
Type | Ransomware; File Locker; Crypto-malware |
Origins | Phobos |
Activity | Encrypts all files on the system, deletes Volume Shadow Copies, bypasses system security settings |
Encryption type | RSA-1024 |
File marker | .id[unique-id].[easybackup@aol.com].easy |
Criminal contacts | easybackup@aol.com, Telegram account: @easybackup |
Distribution | Email spam campaigns, illegal downloads, infectious websites and fake ads |
Removal | Remove using professional AV or malware removal software. For virus damage repair, we recommend using RESTORO. |
It is important to note that we do not recommend paying a ransom for ransomware developers. This never guarantees full data recovery, besides, the criminals might disappear as soon as they convince you to transfer the money. Money is the primary thing that they want, and your satisfaction or file recovery often isn’t exactly part of their plan.
Besides, if you decide to pay up, criminals will surely identify you as a potential victim to target again. They will think that you have money and you are willing to spend it to recover your files. That said, they might try to send you deceptive emails, deliver you phishing links and similar.
Phobos ransomware family is one of the largest cryptography-based malware variants out there today, among families like STOP/DJVU or DHARMA. These viruses have raked up massive sums of money for their developers. Do not support these criminals by spending your hard-earned money.
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Ransomware distribution in a nutshell
Ransomware-type viruses like Easy are distributed in a slightly different manner than the majority of computer viruses. Developers of this specific ransomware spread it via hacked Remote Desktop (RDP) connections. That said, the cybercriminals target computers with weak RDP security. If you have a computer at home or your company with RDP necessarily enabled, you should disable it. If you do need to use it, make sure that you secure it with robust credentials.
Another common ransomware distribution technique is malicious email spam. In this scenario, criminals send out thousands of deceptive emails with attachments to potential victims. These letters are often designed to look like they’re sent by a respectable company or service, and include a suggestion to view attached contents as well as send a “reply” soon. Examples of such email patterns are “view invoice – reply back” scenario, “you have a missing/pending payment to review,” “track your parcel – click tracking link or view attached details” and similar ones. Be very suspicious of any emails containing attachments, make sure to check for any questionable details (grammar mistakes, email address correctness, whole design). In general, we advise staying away from emails you didn’t wait for, or those that fall into spam/junk folders.
Finally, many ransomware-type threats proliferate via torrents that can be downloaded via peer-to-peer download agents such as uTorrent or BitTorrent and similar. While these programs themselves aren’t malicious, they are used to share files between many users. In addition, the security of these files aren’t checked by these programs, only by antivirus programs and other security products installed on end hosts (user’s computer). Unfortunately, many users tend to ignore AV alerts when downloading software cracks and similar content, which often results in disastrous computer infection. Our recommendation is to get the content you want from legitimate sources only, ideally, from the original creator’s/vendor’s website.
Remove Easy ransomware virus and decrypt your files
Victims infected with the described virus should remove Easy ransomware as soon as possible. Delaying the removal procedure can cause even more damage, especially if the attack was carried out using hacked RDP ports. You should uninstall the ransomware remains using professional anti-malware. Then, run a scan with software like RESTORO to eliminate virus damage on Windows OS. Finally, make sure you secure the RDP connections or disable them at all.
After completing Easy ransomware removal, you can use your data backups (created prior to the cyber crime incident) and start importing them to your computer.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software.
REMOVE THREATS WITH ROBUST ANTIVIRUS
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.
Use INTEGO Antivirus to remove detected threats from your computer.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
Easy ransomware virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove Easy ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Scott Bolton is a senior content strategist in our Geek’s Advice team. He is exceptionally passionate about covering the latest information technology themes and inspire other team members to follow new innovations. Despite the fact that Scott is an old-timer among the Geeks, he still enjoys writing comprehensive articles about exciting cybersecurity news or quick tutorials.
Leave a Reply