Danger level 8
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Slow internet connection
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Russian Eda2 Ransomware

Russian Eda2 Ransomware is a serious threat that you should not take lightly if it attacks your computer. This ransomware infection is a knockoff of an open-source ransomware called Eda2, which seems to be similar to Hidden Tear Ransomware in the sense that both were supposedly created for educational purposes for security specialists. Once this ransomware manages to enter your computer, it encrypts your personal files in the hope of extorting a ransom fee from you for the decryption key. As you can assume from its name, this variant mostly targets Russian computer users. Strange as it may sound, there might actually be a silver lining when it comes to this ransomware: you may be able to find information on the web about recovering your files, since there are working tools and methods for the original version. Otherwise, your only chance to recover your files and be able to use them again is to pay the ransom fee or to have a backup copy on an external drive that you can transfer back onto your PC. But you should think twice before trusting criminals to deliver you the decryption key. Whatever you decide, it is important for your safety that you remove Russian Eda2 Ransomware immediately.

It is a very unfortunate experience if this infection has found a way to your computer. In order to avoid similar attacks in the future, it is essential for you to know how this ransomware managed to infiltrate your system. Most computer users believe that such malware threats secretly crawl onto their system behind their back. This is not actually true. In most cases it is the user who initiates the drop. One of the main distribution methods for ransomware is infected file attachments that travel in spam e-mails. Contrary to popular belief, spam filters cannot keep you 100% safe from criminals. Spam mails that spread this ransomware, for example, may pretend that they are very important for you to see. It could be a fake invoice, a fine, a mail delivery error, or anything else that can draw your attention and that you would consider important to see. The subject lines they use also strengthen this idea of the mail being important or useful. However, when you click on the attached file, which could be a .pdf, .doc, or an image file, you actually drop the malicious executable file of Russian Eda2 Ransomware onto your system. It is possible that some infections will automatically activate themselves, but most of the time you need to run the downloaded executable yourself.

As you can see, there is no magic or mystery in this story. You need to click about three times to infect your machine. Therefore, we suggest that you be extra careful when opening mails in your inbox; do not take them for granted. Make sure that if there is an attachment, it was really meant for you. Because if you let this beast onto your PC, you will have no choice: You will need to delete Russian Eda2 Ransomware ASAP.

Another way this dangerous ransomware can sneak onto your system is when you click on fake software updaters. It is possible that there is an adware application on your computer or you visit shady websites where you are introduced to corrupt third-party ads, such as banners and pop-ups. These can be disguised for you to believe that they are system notifications or some authentic warnings. Unsuspecting users may think that they actually need to update their Java or Adobe Flash driver in order to see some content on a webpage, for instance. One click; that is all it takes for you to drop Russian Eda2 Ransomware onto your PC. Please, remember to always update software through their respective official websites. Removing Russian Eda2 Ransomware will not recover your files, which means you may lose them forever unless you get lucky, of course.

Once this ransomware is up and running, it checks if the default language of your computer is set to Russian. If not, this infection automatically uninstalls itself. As we have already mentioned, this ransomware originally and supposedly started out as an educational project whose traces you can still find at It seems that this project has been abandoned in the past 5 months. However, there have been a couple of knockoffs hitting the web. This means that there may be a number of versions out there, i.e., the ransom notes and the demanded amounts may be different. This ransomware uses the AES-256 algorithm to encrypt your files and targets the following extensions: .txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, and more. As you can see, most of your audio, video, document, and program files get encrypted. These files get a “.locked” extension.

After 2 to 5 minutes the desktop background changes to “ransom.jpg,” which is a scary Russian note about the fact of encryption and that you are supposed to check the "README.html" file that has been dropped onto your desktop. This file contains the instructions for you to follow if you want to use your files again. These criminals do not ask for too much money since the demanded 0.1 BTC (around 58 USD) cannot be considered high at all compared to the usual 100 to 500 USD worth of ransom fees. It is possible therefore that this is just a test run as our experience shows a possible connection between low fees and the targeted Russian region. Russian Eda2 Ransomware places an executable file ("Decrypter.exe") in your %USERPROFILE% folder, which is the decryption tool that you are supposed to use once you get the key. You are given a unique ID that you have to send to the provided e-mail address after you transfer the money. We do not recommend that you pay these criminals but it is entirely up to you. Please consider that you are dealing with criminals and that due to technical errors, such as loss of communication between this infection and the Command and Control server, you may not even get your key. We suggest that you remove Russian Eda2 Ransomware ASAP if you want to restore order on your system.

Keep in mind that even if you eliminate Russian Eda2 Ransomware, your files will not be decrypted. Please follow our instructions below to free your computer of this nightmare. If you have a backup copy of your files, you can start copying them back as soon as your system is clean. If you are unlucky and have no such option, we recommend that you run a web search for recovery options because it may be possible to find ways to help you. If you are not an experienced computer user, we advise you to find a friend who is or to consult a specialist. This whole nightmare could have been avoided if you had been more careful with your clicks or if you had had a decent up-to-date malware removal application installed. Please consider protecting your PC with a reliable security tool if you want real peace of mind.

How to remove Russian Eda2 Ransomware from Windows

  1. Tap Win+E.
  2. Locate and delete the downloaded malicious .exe file. Find and delete the same file in your %APPDATA% directory. The file name will be random. (NOTE: Some versions may wipe themselves completely after encryption.)
  3. Locate and delete "Decrypter.exe" and "ransom.jpg" files from %USERPROFILE%. (Only do this if you are sure that you will not pay the ransom fee!)
  4. Bin the “README.html” file from your desktop.
  5. Empty your Recycle Bin.
  6. Restart your computer.
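
Before deleting anything in steps 2 to 4, it helps to record what is actually on disk. The following is an added example, not part of the original guide: a read-only Python inventory of the artifacts named above. The function names, the default Desktop location and the sample file names are assumptions made for illustration.

```python
import os
from pathlib import Path

# Indicators named in the article; nothing here is deleted or modified.
PROFILE_DROPS = ("Decrypter.exe", "ransom.jpg")  # dropped in %USERPROFILE%
DESKTOP_NOTE = "README.html"                     # dropped on the desktop
LOCKED_EXT = ".locked"                           # extension on encrypted files

def triage(profile: Path, appdata: Path) -> dict:
    """Read-only inventory of the artifacts listed in the removal steps."""
    report = {"notes": [], "locked": [], "appdata_exes": []}
    # Assumption: the desktop is the default <profile>/Desktop folder.
    candidates = [profile / n for n in PROFILE_DROPS]
    candidates.append(profile / "Desktop" / DESKTOP_NOTE)
    report["notes"] = [p for p in candidates if p.is_file()]
    # Encrypted files: this list is what has to come back from backup.
    for root, _dirs, files in os.walk(profile, onerror=lambda err: None):
        for name in files:
            if name.lower().endswith(LOCKED_EXT):
                report["locked"].append(Path(root) / name)
    # The dropper's name is random, so list every .exe sitting directly in
    # %APPDATA% for manual review instead of matching on a name.
    if appdata.is_dir():
        report["appdata_exes"] = sorted(
            p for p in appdata.iterdir()
            if p.is_file() and p.suffix.lower() == ".exe")
    return report

def build_sample(root: Path) -> tuple:
    """Constructed, empty placeholder files for an offline run."""
    profile = root / "user"
    appdata = profile / "AppData" / "Roaming"
    for d in (profile / "Desktop", profile / "Documents", appdata):
        d.mkdir(parents=True)
    for rel in ("Decrypter.exe", "ransom.jpg", "Desktop/README.html",
                "Documents/report.docx.locked", "Documents/notes.txt",
                "AppData/Roaming/qzkxw.exe"):
        (profile / rel).write_bytes(b"")
    return profile, appdata

if __name__ == "__main__":
    profile = Path(os.environ.get("USERPROFILE", str(Path.home())))
    appdata = Path(os.environ.get("APPDATA", str(profile / "AppData" / "Roaming")))
    for kind, paths in triage(profile, appdata).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Legitimate programs occasionally keep an .exe directly in %APPDATA%, so treat that list as candidates to check, not as a verdict.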