A virus has been detected in the beginning of February, known as Serpent ransomware. The virus is from the file encryption kind, meaning that it encrypts files on the computers it infects, making them no longer available for the user to open. The virus then generates unique decryption keys for the encoded files. After this has happened, Serpent drops two ransom notes – a text file and an .html file. In the event that the victims get infected by the ransomware, experts strongly recommend not to pay any form of ransom. We advise you to read this article carefully to learn what is the best course of action against Serpent ransomware.
More Information about Serpent Ransomware
Serpent ransomware has a set of pre-configured actions which it does after it infects a given computer. The first one is to drop multiple files on the computers infected by it. These files consist of:
- An executable file, named software.exe.
- Another executable with a random name.
- An executable located in the %Temp% directory, named puttyx86.exe.
- Executable file in the %Roaming% folder that has a completely random name.
- A .vbs script file, located in the %Startup% folder.
Serpent ransomware may connect from the infected device to a remote host on 126.96.36.199 to download these malicious files and send information about the infected PC. This data may be the computer’s Windows version, protection software, IP and MAC addresses as well as other information.
Serpent Ransomware’s Encryption
For the encryption process of Serpent, a combination of two encryption algorithms is being used. The cipher for the encryption of the files is known as AES (Advanced Encryption Standard) and it replaces bytes of the file’s source code with symbols, related to the encryption algorithm. Then a unique decryption key is generated. The virus uses additional RSA encryption algorithm to mask the decryption key. This may result in the generating of a unique .KEY file on the victim’s computer. The decryption information is then sent to the cyber-criminals and they become the only ones able to decrypt the files.
For this to happen, Serpent ransomware, uses special pre-configured code to target a wide list of files to encrypt. The files are reported by malware analysts to be of the following kind:
.2011, .2012, .2013, .2014, .2015, .2016, .2017, . 3dm, .7zip, .accd, .accdb, .accde, .accdr, .accdt, .aepx, .agdl, .aiff, .aspx, .back, .backup, .backupdb, .bank, .blend, .btif, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cfdi, .clas, .class, .cntk, .config, .craw, .db-journal, .db_journal, .ddoc, .ddrw, .defx, .design, .djvu, .docb, .docm, .docx, .dotm, .dotx, .dtau, .efsl, .erbsql, .fcpa, .fcpr, .flac, .flvv, .gray, .grey, .groups, .html, .iban, .ibank, .idml, .incpas, .indb, .indd, .indl, .indt, .int?, .intu, .java, .jpeg, .jsda, .kdbx, .kpdx, .laccdb, .lay6, .m2ts, .m3u8, .mbsb, .meta, .mhtm, .mone, .moneywell, .mpeg, .ms11, .myox, .nvram, .pages, .pcif, .php5, .phtml, .plus_muhd, .potm, .potx, .ppam, .ppsm, .ppsx, .PPTM, .PPTX, .prel, .prpr, .psafe3, .pspimage, .ptdb, .qb20, .qbmb, .qbmd, .qcow, .qcow2, .qdfx, .qmtf, .quic, .qwmo, .resx, .s3db, .sikker, .sas7bdat, .save, .seam, .sldm, .sldx, .sqli, .SQLite, .sqlitedb, .tax0, .tax1, .tax2, .text, .tiff, .tt10, .tt11, .tt12, .tt13, .tt14, .tt15, .tt20, .vbox, .vbpf, .vhdx, .vmdk, .vmsd, .vmxf, .wallet, .xhtm, .xlam, .xlsb, .xlsm, .XLSX, .xltm, .xltx, .ycbcra, .zipx
After the encryption process is complete, Serpent ransomware ads the .serpent file extension to the encrypted files, and they become, for example Image.jpg to Image.jpg.serpent.
Serpent ransomware also makes sure the user knows of it’s presence on the infected computer. They are both named “HOW_TO_DECRYPT_YOUR_FILES” and are .txt and .html formats. They have the following content:
How Did This Happen
The infection process of Serpent ransomware is reportedly via e-mail spam that contains malicious attachments. These attachments are malicious, but are presented as something important that the user must open. Some examples are invoices, receipts, bank account activity that is suspicious and others. Once the user opens the attachment after reading the deceitful e-mail, it is already too late.
Remove Serpent Ransomware and Try Getting Back What Is Yours
In the event that you have become affected by this unfortunate turn of events, do not despair. There is still hope. But first, you need to remove this nasty iteration of Serpent ransomware virus from your computer. To do this, we have designed a specific tutorial down below which is to help you during the removal process. In case you lack the experience to manually remove this virus, experts always outline that the best way to remove this ransomware infection is by downloading a specific anti-malware tool for this situation, which will detect and remove all malicious files and clean your PC.
For the file restoration, we have suggested some methods to at least minimize the damage done by this menace. These methods are not fully effective, but they are better than nothing. Before trying them, it is recommended to back up your files and perform regular back up in the future to avoid such unfortunate turn of events in the future.
Booting in Safe Mode
1) Hold Windows Key and R
2) A run Window will appear, in it type “msconfig” and hit Enter
3) After the Window appears go to the Boot tab and select Safe Boot
Cut out Serpent Ransomware in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” fane.
3) Locate the malicious process of Serpent Ransomware, and end it’s task by right-clicking on it and clicking on “End Process”
Eliminate Serpent Ransomware‘s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type Serpent Ransomware or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located malicious registry objects, some of which are usually in the Run and RunOnce subkeys delete them ermanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type and type regedit –> Open it. –> Hold CTRL + F buttons –> Type Serpent Ransomware Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter -> Press CTRL + F buttons. Type Serpent Ransomware in the search field.
Automatic Removal of Serpent Ransomware
Recover files encrypted by the Serpent Ransomware Ransomware.
Method 1: Using Shadow Explorer. In case you have enabled File history on your Windows Machine one thing you can do is to use Shadow Explorer to get your files back. Unfortunately some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: If you try to decrypt your files using third-party decryption tools. There are many antivirus providers who have decrypted multiple ransomware viruses the last couple of years and posted decryptors for them. Chances are if your ransomware virus uses the same encryption code used by a decryptable virus, you may get the files back. Dog, this is also not a guarantee, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
Method 3: Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs for restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: