Danger level 8
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

UmbreCrypt Ransomware

UmbreCrypt Ransomware seems to be a new variant of HydraCrypt Ransomware, and it could be the worst infection that has ever attacked your computer. But before you get too scared, let us tell you the silver lining right away. Yes, there is a silver lining, even though this Trojan is a rather dangerous malware infection to have slither onto your computer. This ransomware encrypts most of the files on your computer and offers you software to decrypt them for a ransom fee (usually a few hundred dollars) that you are supposed to transfer to the criminals behind this vicious scam. However, it seems that the “God of IT” is on your side this time, and you can actually find a working tool on the net to decrypt your precious files for free. Of course, this does not mean that the infection is not at all risky to have on board. On the contrary, you must remove UmbreCrypt Ransomware immediately if you plan to use your computer in the future. Let us explain this malicious program in more detail.

One of the most important things to know about this Trojan, and about any similar ransomware infection, is how you can get infected with it. Knowing this, you may be able to prevent such “nasties” from landing on your PC. One of the most frequent methods is most probably spam e-mail. Of course, today’s spam filters are very sophisticated and can weed out most potentially malicious mails; however, cyber criminals always seem to be at least one step ahead. This means that they can, for example, make you believe that you have received a mail from a legitimate or official sender. It is also possible that more sophisticated Trojans pretend to originate from someone on your contact list. Obviously, the reason behind this deception is to get you to open the mail rather than let it end up in the spam or trash folder. You need to be very careful when it comes to opening mails. It is possible to get your computer infected simply by clicking on an e-mail in your inbox list. It is more likely, though, that this Trojan ransomware is spread through infected links in the body of the spam mail or a corrupted attachment, most commonly an image or video file. Clicking on these can trigger this Trojan to drop onto your operating system, and once it is there, it needs only a few minutes at most to destroy all your files.

There are, of course, other ways for such a vicious infection to enter your computer without your knowledge. It is possible that you end up on a malicious website while searching the web for free software or any other free product. Either loading such a page or clicking on unsafe third-party content, such as banner and pop-up advertisements, may lead to downloading this Trojan. Therefore, we advise you to stay away from such websites (suspicious torrent, freeware, and pornographic pages) and to refrain from clicking on third-party ads as well. We have also read reports about possible manual installation of this ransomware, for example through remote desktop sessions. All in all, you should delete UmbreCrypt Ransomware as soon as you realize that your computer is under attack by this malicious program.

This Trojan has to be taken very seriously because it is capable of encrypting over 400 file extensions, including .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .zip, .scan, .qdf, .gdb, .tax, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .flv, .js, .css, .rb, .png, .txt, .raw, .raf, .orf, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf. This means that all your documents, photos, videos, music files, and databases will become inaccessible, i.e., useless and damaged, within a very short time. This ransomware is known to apply the AES encryption method, which is virtually impossible to decipher. Once this infection encrypts a file, it appends “umbrecrypt_ID_[victim_id]” to the file name, so files will look something like this: “video.wmv.umbrecrypt_ID_b4500913”.

When this malware has finished with all the available drives, it pops up its ransom note. This informs you about the encryption and what you have to do in order to decrypt your files. In fact, you are offered a program to decipher your files, which you have to buy from these criminals. You are to contact them via e-mail (umbredecrypt@engineer.com or umbrehelp@consultant.com), and you are also told what to write in this mail so that they send you the amount to be transferred and the payment instructions. You get 72 hours to contact them and pay the ransom fee; otherwise, you will never see your files again. At least, this is what these cyber criminals want you to believe. However, the good news is that there has been a breakthrough with regard to UmbreCrypt Ransomware and HydraCrypt as well. There is now a free decryption tool available, which can be used to decrypt your files if you are definitely infected with one of these Trojan ransomware programs. But do not think that deciphering thousands of files will be as quick as the encryption was. As a matter of fact, this decryption tool may take anything from a few hours up to a few days – yes, days – to figure out the key to unlock your files.

But before you rush to find and download this tool and start to decipher your files, you must remove UmbreCrypt Ransomware from your computer. Otherwise, it would all be in vain, as this infection would encrypt your files again and again until you finally eliminate the source of the threat. Obviously, the creators of this Trojan ransomware did not include an uninstaller, so you cannot easily remove it through Control Panel. But there is still some good news, since this infection does not seem to lock your screen or block executable files such as taskmgr.exe, explorer.exe, and regedit.exe; therefore, you do not need to go through the whole rebooting-in-Safe-Mode “business.” Instead, you need to delete certain registry keys and values as well as folders. Since this requires editing the Windows Registry, we mainly recommend our manual guide below for more experienced computer users, owing to the potential risks of making a mistake. Please follow the steps carefully if you want to win this vicious battle. If you want to make sure that your computer is totally clean of threats, we advise you to download and install a reputable anti-malware application. A reliable and up-to-date security tool can perfectly defend your virtual world from similar malware intruders.

Remove UmbreCrypt Ransomware from Windows

  1. Press Win+R and type in regedit. Hit Enter.
  2. Find and remove the following values in the HKCU\SOFTWARE\Microsoft\Windows registry key:
    ChromeRandomAdress3264 with value data: “havuwifi.exe”
    ChromeSettiings3264 with value data: “C:\Users\user\AppData\Roaming\ChromeSetings3264\{random name}.exe”
    ChromeStarts3264 with value data: “C:\Users\user\AppData\Roaming\ChromeSetings3264\{random name}.exe”
    MicrosoftUpd32 with value data: “dENx7zcCXtZSkoqHQUxNxBnA5aM2QvK7Ko6fLx2PrnwaKhG2kMmmv6IW9a5VwqKrzUW6LwBloHwWfLRv627KSaWHcXGP5FKVTyzmqRS5”
  3. Find and delete these registry keys:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.umbrecrypt_ID_[unique user ID]
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.umbrecrypt_ID_[unique user ID]
  4. Close the registry editor.
  5. Press Win+E to open the File Explorer.
  6. Find the %AppData%\ChromeSetings3264 folder and delete it.
  7. Find C:\Windows\Tasks\SA.DAT.umbrecrypt_ID_[unique user ID] file and remove it.
  8. Empty the Recycle Bin and reboot your operating system.
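The PowerShell script below is an added example, not part of the original guide or any tool from this site: it checks for the same artifacts the steps above list (the four registry values, the FileExts/RecentDocs keys, the %AppData%\ChromeSetings3264 folder and the renamed SA.DAT task file) and reports them, deleting them only when run with -Remove. It assumes it is run as the affected user and that the value names, paths and key names are exactly as given in the guide.

```powershell
# Report-only by default; pass -Remove to delete the artifacts that are found.
param([switch]$Remove)

$hits = @()

# Step 2: the four values dropped under HKCU\SOFTWARE\Microsoft\Windows
$winKey = 'HKCU:\SOFTWARE\Microsoft\Windows'
$valueNames = 'ChromeRandomAdress3264', 'ChromeSettiings3264', 'ChromeStarts3264', 'MicrosoftUpd32'
foreach ($name in $valueNames) {
    $prop = Get-ItemProperty -Path $winKey -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        $hits += "value $winKey\$name = $($prop.$name)"
        if ($Remove) { Remove-ItemProperty -Path $winKey -Name $name }
    }
}

# Step 3: FileExts and RecentDocs subkeys named after the appended extension
# (the [unique user ID] part varies per victim, so match on the prefix)
foreach ($parent in 'Explorer\FileExts', 'Explorer\RecentDocs') {
    $base = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$parent"
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.umbrecrypt_ID_*' } |
        ForEach-Object {
            $hits += "key $($_.Name)"
            if ($Remove) { Remove-Item -Path $_.PSPath -Recurse }
        }
}

# Steps 6 and 7: the dropper folder in %AppData% and the renamed task file
$paths = @(Join-Path $env:APPDATA 'ChromeSetings3264')
$paths += Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter 'SA.DAT.umbrecrypt_ID_*' -ErrorAction SilentlyContinue |
    ForEach-Object FullName
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hits += "path $p"
        if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
}

if ($hits.Count -eq 0) { 'No UmbreCrypt artifacts found.' } else { $hits }
```

Run it once without -Remove and review the report before deleting anything; the registry values in step 2 are removed by name, so an unrelated value with the same name would also go.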