Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Azer Ransomware

Azer Ransomware (also known as Powerstateoff Ransomware) is a malicious threat believed to belong to the CryptoMix family, the family behind CryptoShield Ransomware and Revenge Ransomware. According to the latest research, this infection operates offline: it never contacts a remote server to fetch an encryption key or to hand over a decryption key, because the key material it needs is built into the executable itself. That does not mean it can arrive without an Internet connection. The threat is most likely spread via malicious spam email attachments, exposed RDP ports, malicious installers, and exploits. Both the infiltration and the encryption are silent, so the victim usually discovers the threat only after the files have already been encrypted. Can the encrypted files be decrypted? Unfortunately, that is unlikely, so if this infection has not reached your operating system yet, take every precaution now. If it has already invaded your PC and encrypted your files, read this report: it explains how to remove Azer Ransomware manually.

The way Azer Ransomware operates is somewhat peculiar. Instead of locking the screen and displaying scary notifications, it drops a plain TXT file called “_INTERESTING_INFORMACION_FOR_DECRYPT.TXT”. The note carries very little information: it states that your files were encrypted and that you need to email webmafia@asia.com and donald@trampo.info to get them decrypted, and it lists a unique identifier (a string of letters and digits) below that. That is all you get from the infection. Although the message is vague, it is obvious that the developer of Azer Ransomware wants you to contact them by email. What happens if you do? They then get the chance to present their ransom demands. It is not known whether the ransom is the same for every victim, and we cannot say whether it is large or small. What we can say is that paying the ransom, or meeting any other demand that might follow, is a bad idea. Whether you delete the infection right away or follow the attackers' instructions, you are unlikely to get your files back. That is why we hope your personal files are backed up and the prospect of losing them does not trouble you.

Files encrypted by Azer Ransomware are also renamed, which makes them hard to recognize, and the “-email-[webmafia@asia.com].AZER” extension is appended to each one so it is clear which files were affected. According to our analysis, the executable carries 10 different RSA-1024 public keys. During encryption, one of these keys is chosen to encrypt the AES key that actually encrypts the files. Only the matching RSA private key, which stays with the attackers, can unwrap that AES key; this is why the threat needs no server contact and why the files cannot be recovered from the infected machine alone. A point-of-execution (POE) entry is also created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so the ransomware runs again whenever you restart the computer. That suggests it can encrypt files created after the initial attack, which is one more reason to remove the persistence entry before restoring anything. Azer Ransomware targets files with specific extensions, most of which represent photos, archives, media files, and other personal data. If you have backups, you can recover the files with no problem once the ransomware has been removed. If no backup system is set up, you may end up losing your files.
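The following PowerShell script is an added illustration of the envelope scheme described above; it is not the malware's code. It generates stand-in RSA-1024 key pairs in memory (the real executable would embed only the public halves), wraps a fresh AES key with one of them, shows that the embedded public key cannot unwrap it, and then shows the unwrap on the attacker side with the private half. It runs on an in-memory byte string and touches nothing on disk.

```powershell
# Added illustration (not the malware's code) of hybrid "envelope" encryption.
# Windows PowerShell 5.1 or PowerShell 7. Nothing on disk is read or written.
Add-Type -AssemblyName System.Security

# Stand-in for the 10 embedded RSA-1024 keys. Pairs are generated here so the attacker side
# can be shown; in the real threat only the public halves are inside the executable.
$pairs = 1..10 | ForEach-Object {
    $r = [System.Security.Cryptography.RSA]::Create()
    $r.KeySize = 1024
    $r
}

# What the executable would carry: public parameters only (no private exponent).
$embeddedPublic = $pairs | ForEach-Object {
    $pub = [System.Security.Cryptography.RSA]::Create()
    $pub.ImportParameters($_.ExportParameters($false))
    $pub
}
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

# --- victim side: what the ransomware does, entirely offline ---
$plaintext = [System.Text.Encoding]::UTF8.GetBytes('constructed sample file contents')  # constructed input

$aes = [System.Security.Cryptography.Aes]::Create()   # AES-CBC, PKCS7 padding by default
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

$keyIndex   = Get-Random -Minimum 0 -Maximum 10                     # one of the 10 embedded keys
$wrappedKey = $embeddedPublic[$keyIndex].Encrypt($aes.Key, $oaep)   # RSA-OAEP over the AES key
# The disk would now hold $ciphertext, $aes.IV, $keyIndex and $wrappedKey. The raw AES key is
# discarded, and no network round-trip was needed at any point.

# --- victim or responder, holding only what is on the machine: the public key ---
try {
    $null = $embeddedPublic[$keyIndex].Decrypt($wrappedKey, $oaep)
    Write-Output 'unexpected: a public-only key decrypted the wrapped AES key'
} catch {
    Write-Output "Unwrapping with the embedded public key fails: $($_.Exception.Message)"
}

# --- attacker side, holding the private half of key number $keyIndex ---
$recoveredKey = $pairs[$keyIndex].Decrypt($wrappedKey, $oaep)
$aesBack = [System.Security.Cryptography.Aes]::Create()
$aesBack.Key = $recoveredKey
$aesBack.IV  = $aes.IV
$decrypted = $aesBack.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
Write-Output ("Attacker recovers: " + [System.Text.Encoding]::UTF8.GetString($decrypted))
```

The point for a responder is the second block: everything recoverable from the infected machine (ciphertext, IV, key index, wrapped key, the public key itself) is useless without a private key that was never on the system, so a disk image or memory dump taken after the fact will not yield the AES key.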

The removal instructions below show how to delete Azer Ransomware manually. Keep in mind that the launcher has a random name and may have been placed in any directory; if you downloaded it yourself, it should be easier to find. The Run value names are random as well, so be careful not to erase harmless entries: the clue is the value data, which for the malicious entries points to an executable in %AppData%. If manual removal is too complicated for you, you have the option of installing anti-malware software, and our research team believes that this is the best option. Why? Anti-malware software can remove Azer Ransomware automatically and then restore your system's protection, which is important to keep it guarded against malicious infections in the future. If you want to discuss the threat further, please use the comments section to start a discussion.

Azer Ransomware Removal

  1. Right-click and Delete the {unknown name}.exe launcher file (the name and location are random). If Windows refuses because the file is in use, end its process in Task Manager first, or restart into Safe Mode and try again.
  2. Right-click and Delete all copies of the _INTERESTING_INFORMACION_FOR_DECRYPT.TXT file.
  3. Launch RUN by tapping keys Win+R and then enter regedit.exe to open Registry Editor.
  4. In the pane on the left, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  5. Right-click and Delete the two {unknown name} values that represent the ransomware (the value data of these values should point to {unknown name}.exe in %AppData%; that file must be Deleted as well).
  6. Empty the Recycle Bin and then promptly perform a full system scan to check for malicious leftovers.
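The steps above depend on recognizing random file and value names by their context. The PowerShell script below is an added example, not part of the original instructions, that does that recognition read-only before you delete anything: it lists Run values whose command points into %AppData% (with the on-disk hash of the launcher for your records), and counts files carrying the “-email-[webmafia@asia.com].AZER” extension and copies of the ransom note under the user profile. The removal line at the end is deliberately commented out.

```powershell
# Added example (not from the original page): read-only sweep for the indicators described
# in this report. Run as the affected user in Windows PowerShell; nothing is deleted.
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$noteName    = '_INTERESTING_INFORMACION_FOR_DECRYPT.TXT'
$extension   = '-email-[webmafia@asia.com].AZER'
$appData     = [Environment]::GetFolderPath('ApplicationData')   # the folder %AppData% resolves to
$userProfile = [Environment]::GetFolderPath('UserProfile')

# 1. Run values whose command points to an executable under %AppData% (the page's clue).
#    Get-ItemProperty adds provider metadata properties; skip those by exact name so a
#    legitimate value that happens to start with "PS" is not hidden.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runHits = foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
    if ($providerProps -contains $prop.Name) { continue }
    $command = [string]$prop.Value
    # Strip arguments: take the quoted path if present, otherwise the first token.
    $exePath = $command
    if ($command -match '^\s*"([^"]+)"') { $exePath = $Matches[1] }
    elseif ($command -match '^\s*(\S+)') { $exePath = $Matches[1] }
    $exePath = [Environment]::ExpandEnvironmentVariables($exePath)
    if ($exePath.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) {
        $onDisk = Test-Path -LiteralPath $exePath
        [pscustomobject]@{
            ValueName = $prop.Name
            Command   = $command
            ExePath   = $exePath
            OnDisk    = $onDisk
            SHA256    = if ($onDisk) { (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# 2. Encrypted files and ransom notes under the user profile. The extension contains '[' and
#    ']', which -like and -Filter treat as a wildcard character class, so compare with EndsWith.
$encrypted = [System.Collections.Generic.List[string]]::new()
$notes     = [System.Collections.Generic.List[string]]::new()
Get-ChildItem -LiteralPath $userProfile -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Name.EndsWith($extension, [StringComparison]::OrdinalIgnoreCase)) { $encrypted.Add($_.FullName) }
    elseif ($_.Name -eq $noteName) { $notes.Add($_.FullName) }
}

# 3. Report. Review this before touching the registry or the file system.
Write-Output "Run values pointing into ${appData}: $(@($runHits).Count)"
Write-Output ($runHits | Format-Table -AutoSize | Out-String)
Write-Output "Encrypted files: $($encrypted.Count)   Ransom notes: $($notes.Count)"
$notes | Select-Object -First 5 | ForEach-Object { Write-Output "  note: $_" }

# Removal, only after confirming each hit (use -LiteralPath: file names may contain '[').
# foreach ($hit in $runHits) {
#     Remove-ItemProperty -Path $runKey -Name $hit.ValueName
#     if ($hit.OnDisk) { Remove-Item -LiteralPath $hit.ExePath -Force }
# }
```

Keep the SHA256 of the launcher even if you delete the file; it is the one stable identifier you have for reporting the sample, since both the file name and the Run value names are random.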