SOREBRECT Ransomware

SOREBRECT Ransomware is a tremendously malicious infection that is often recognized by a different name, “AKA AES-NI Ransomware.” This infection is known as a file-less threat, which means that it employs a regular system component (in this case, it is the svchost.exe process) and that it can delete itself. The only comforting thing about this threat is that you do not need to worry about its elimination. On the other hand, this threat leaves a mess behind, and that is extremely worrying. If this infection attacks successfully, it encrypts all personal files that are located on your operating system. Although it avoids encrypting .exe, .dll, .lnk, and .sys files, your personal photos and documents are likely to be corrupted. The threat employs the AES (Advanced Encryption Standard) algorithm to corrupt your files, and, unfortunately, there is no way of deciphering it manually. All in all, even if you end up losing your files, you must not forget to remove SOREBRECT Ransomware. Continue reading to learn how to do that.

While most ransomware infections use spam emails to spread, SOREBRECT Ransomware exploits RDP and PsExec vulnerabilities. When the infection slithers in, it should add the “LegalNoticeText” key to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\. The value of this key should include a message regarding the hacking of your server. Here is the full message: “Dear Owner. Bad news: your server was hacked. For more information and recommendations, write to our experts by e-mail. When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.” After encrypting the files on the computer (the corrupted files should get the “.aes_ni_0day” extension), the malicious SOREBRECT Ransomware should create a file called “!!! READ THIS - IMPORTANT !!!.txt”. Copies of this file are likely to be placed in every folder that contains encrypted files. Besides all that, the ransomware has also been found to stop over 200 different services on the computer. Some of these services are related to security systems, and the ransomware stops them to prevent removal. Others are linked to data backups, and these are stopped to prevent users from recovering their files.

The creator of SOREBRECT Ransomware is not shy about telling you what they want, and they do that using the “!!! READ THIS - IMPORTANT !!!.txt” file. This text file carries a message informing that you need an RSA key to get your files decrypted, and to obtain it, you need to email one of the three emails (0xc030@tuta.io, 0xc030@protonmail.ch, or aes-ni@scryptmail.com) first. The BitMsg program is introduced as an alternative means of communication. According to the ransom note, if you send cyber criminals your ID (it can be found in the ransom note) and the “.key.aes_ni_0day” files located in %PROGRAMDATA%, a decryption key will be provided to you. Unfortunately, that is not how things work. At first, you will be asked to pay a ransom, and it could be quite big. If you choose to pay it in the hopes of retrieving the decryption key, remember that that is unlikely to happen. Unfortunately, the creators of ransomware infections rarely worry themselves with the presentation of decryptors, and, instead, they usually disappear as soon as the ransom payment is complete.

Although SOREBRECT Ransomware deletes itself, there are components that still require removal. First of all, you should look for a file called “$RECYCLE.BIN” in the %HOMEDRIVE% directory. If this file is present, delete it without further hesitation. Also, we recommend deleting all copies of the ransom note file because you do not need this junk on your PC. When it comes to your files, you might have to remove the corrupted copies as well. If your personal files are backed up – for example, on an external drive – you need to make room for them. Needless to say, you should connect to backups and transfer files only after you remove SOREBRECT Ransomware. Unfortunately, decrypting your files without the special private key is currently impossible. To prevent malware from infecting your operating system and encrypting your files in the future, we strongly advise employing trusted anti-malware software.

SOREBRECT Ransomware Removal

1. Simultaneously tap Win+E to launch Explorer.
2. Enter %HOMEDRIVE% into the bar at the top.
3. Delete the file called $RECYCLE.BIN if it exists.
4. Delete all copies of the file called !!! READ THIS - IMPORTANT !!!.txt.
5. Employ Recycle Bin.

N.B. Do not forget to perform a full system scan using a legitimate malware scanner!