SkyFile is a new ransomware virus targeting more than 7k file types

SkyFile is ransomware[1] detected at the beginning of April 2018. It targets more than 7k file types and locks them with the .sky file extension. For this purpose, it uses hacker-preferable AES cipher. To decrypt files encrypted by SkyFile ransomware, victims have to contact developers via getsend@tutanota.com email and provide a private ID indicated in the HOW TO DECRYPT.txt file.
| Name of the virus | SkyFile |
|---|---|
| Type | Ransomware |
| Detection date | April 07, 2018 |
| Distribution | Malspam, exploit kits, corrupted RDP, fake update installers, etc. |
| Extension used | .sky |
| Related files | HOW TO DECRYPT.txt, skyfile.exe, SkyFile Decryptor.exe |
| Symptoms | Personal files locked, ransom note on desktop |
| Danger level | High. Initiates changes within Windows registry, changes boot order. Can cause system;s crash and permanent loss of personal files. |
| Download FortectIntego and run a full system scan with it to eliminate SkyFile ransomware | |
According to cybersecurity experts, the SkyFile seems to be messed up regarding cryptography, though the unusual application of AES cipher does work. The virus contains multiple Russian debug logs and is programmed to “Attack” using EternalBlu.
The SkyFile payload might be distributed in many ways, including compromised remote desktop apps (RDP), spam email attachments, drive-by-download, exploit kits, fake update, and other social engineering techniques. Usually, the virus disguises under skyfile.exe file.
As soon as the ransomware payload is being executed, it scans for targeted file types (approximately 7, 000 file extensions) and enables AES-256 cipher to render them inaccessible. Each file locked by SkyFile virus gets .sky suffix, which cannot be removed manually. Apart from file encryption, the ransomware creates a HOW TO DECRYPT.txt ransom note, which says:
Oops, all your files have been encrypted =(
To decrypt your files, write to me at the e-mail: getsend@tutanota.com
Your data for decryption:
Private ID: ***
Private Key: *****
As you can see, the ransom node is not explicit. Crooks does not expatiate on the decryption possibilities or the sum of ransom. All they ask is to contact them via getsend@tutanota.com and provide a personal ID number for the instructions.
Experts have also found that the SkyFile ransomware leaves a SkyFile Decryptor.exe file on the desktop, which once clicked opens a window saying:
Oops, your files have been encrypted. Such as: photos, videos, documents, etc. To decrypt your files, read HOW TO DECRYPT.txt
The decryptor is called SkyFile Decryptor | Zeus CitadeL. However, the ransomware does not share common traits with Zeus.
According to ransomware experts, it shouldn't take long for them to decrypt SkyFile ransomware since it's poorly developed. Thus, paying the ransom, regardless of its side, is not recommended.

Experts from NoVirus.uk[2] outline the best scenario that the victims of the SkyFile virus should follow. According to them, people should immediately download a powerful anti-malware tool, say FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes and run a full system scan.
Alternatively, they can use an already installed anti-virus, except that they have to update its definitions. Then, run a scan with a security tool and remove SkyFile ransomware completely. Note that manual removal is not possible. By trying to clean malicious files by yourself, you can cause permanent data loss or damage the system otherwise.
By the way, SkyFile removal may be hindered by ransomware helper objects. To bypass them, you may need to boot the system into Safe Mode with Networking. You can find an ultimate SkyFile removal tutorial at the end of this article.
Ransomware virus developers employ multiple social engineering strategies to disseminate the payloads
Hackers are not only capable of creating complex encrypting programs and ransom payment schemes but are also advanced in ransomware distribution techniques. It seems that they are great psychologists who know how to make ordinary PC users click on links or doc files infected with ransomware.
The most successful distribution strategy is spam.[3] These tactics is widely used for more than a decade and remains to be the “best” trickery.” Hackers create fake emails imitating authorities or well-known companies and append infected files. Once opened, these files release the .exe file, which subsequently corrupts personal files on victim's PC.
In addition to malspam, ransomware can spread via fake software updates, phishing sites or drive-by-download attacks. Thus, it's a must to keep an-antivirus program with real-time protection enabled all the time. Besides, fight curiosity and avoid clicking on suspicious-looking content.
Do not delay SkyFile removal
If you have already got infected with this ransomware, the top priority task is to initiate a full SkyFile removal. As we have already pointed out, you won't be able to do that manually. Select a reliable security tool and run a full system scan with it.
If SkyFile removal process fails because of malicious components that block anti-virus scanner, you should boot your PC into Safe Mode with Networking and try a scan this way. For more information, please follow the instructions provided below. You can also find instructions on how to decrypt files encrypted by SkyFile virus using alternative methods.
Was this guide helpful?
Be the first to comment