Assembly Ransomware is a dangerous cyber infection that seeks to encrypt personal files

Assembly is a cyber infection classified as crypto-ransomware. Its developers exploit different social engineering strategies[1] to disseminate ransomware payload in a form of assembly.exe file. When installed, it locks the access to 26 most widely used file types using AES-256 (CBC mode). File extension used by Assembly ransomware is .locked. Victims are informed about an attack in READ_ME.txt file, which demands to pay the $1000 ransom in BTC.
| Name | Assembly |
|---|---|
| Classified as | Ransomware |
| Danger level | High. Initiates system's changes under admin privileges, locks personal files, demands to pay a ransom |
| Related files | assembly.exe, READ_ME.txt |
| Encryption | AES-256 |
| Decryptable | No |
| To get rid of Assembly, run a scan with FortectIntego | |
Assembly virus has been revealed in the middle of April 2018. Currently, no payments have been made to the 1NRtwvG6hvmpm4qv7ChoFGxNNsLaU8A5B9 BTC wallet that is indicated in the ransom note. Thus, it seems that the virus hasn't yet went wild, though people should be cautions and be extremely careful when opening suspicious emails or seeing misleading ads online.
According to ransomware researchers, Assembly crypto-malware is built on the HiddenTear open-source ransomware code. Its distribution relies on the assembly.exe file, which may be disguised under .doc, .docx, .pdf, or similar file types attached to spam email or rogue software updates. Once installed, it scans the system for the following file types (26 in total) and encrypts them using AES-256 cipher.
.asp, .aspx, .cpp, .csx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .psd , .raw, .rtf, .sln, .sql, .txt, .vb, .xls, .xlsx, .xml
Each file encrypted by Assembly ransomware gets a .locked file extension and cannot be opened. The victim can get acquanted with the current situation by reading a READ_ME.txt file, which contains the following information:
All files have been encrypted
Send 1000 $ in BTC to
1NRtwvG6hvmpm4qv7ChoFGxNNsLaU8A5B9
and send your computername to
ransomrust@protonmail.com
in order to decrypt the files.
Extortionists demand the victim to pay $1000 in cryptocurrency Bitcoin in exchange of a Assembly decryptor. To maximize the profit from ransom, crooks programmed the virus so that it deletes Volume Shadow Copies.[2] Nonetheless, it seems to leave System Restore Points intact, meaning that there's a possibility to retrieve personal files without paying a redemption.
Anyway, paying a ransom is not a great deal whatsoever. Extortionists need “investments” for the future crimes, so each ransom gives the way for them to develop more severe cyber infections.
In case you are currently seeing files encrypted with .locked file extension, you should immediately scan your PC with FortectIntego or SpyHunterCombo Cleaner to remove Assembly ransomware.Once eliminated, it won't be able to repeatedly lock your files.
If Assembly removal is not permitted due to multiplicity of Windows OS changes that the virus executed, you will have to bypass the restriction by switching to the Safe Mode with Networking mode. You can find instructions on how to do that down below.

Malspam campaigns – the primary source of ransomware attacks
Although criminals are more and more often exploiting unprotected Remote Desktop services, using Exploit kits, drive-by-download attacks, and other highly suspicious means to spread ransomware, malspam campaigns remain a number one danger for the cyber community. The scheme or these campaigns are quite primitive:
- Criminals launch distribution campaign by creating a misleading email, which contains an attachment infected with .exe file;
- The email is sent to hundreds or thousands of potential victims via spam bots or similar channels;
- If the potential victim falls for the catch and opens the attachment, ransomware payload is being executed;
Thus, it's very important to be cautions about smap email and restrain from opening attachments of messages that are supposedly sent by IRS, Amazon, eBay or another well-known company, unless you expected to get one.
Beware that malicious emails often contain grammar, spelling and type mistakes or may not contain body text, which is not normal in original emails from reputable sources. Zondervirus.nl[3] experts point out to another factor raising suspicions – the requirement to enable Macros to read the attachment. Macros is needed to unravel ransomware payload, but not a regular PDF or DOC file.
Finally, protect your PC and its content by installing a powerful anti-virus and keep it up-to-date.
System scan can help you to remove Assembly virus
Ransomware viruses are dangerous in their nature. They change boot sequence, run scripts via Command Prompt and Powershell, create dangerous Registry entries, and initiate other modifications that can hardly be fixed manually. Thus, it you're PC has been attacked, we recommend to launch a scanner of the anti-virus and let it perform a Assembly removal.
If it turns out that it's not easy to remove Assembly using the anti-virus because it's blocked, you may need to restart the system into safe mode. Once there, use SpyHunterCombo Cleaner, MalwarebytesMalwarebytes or another robust malware removal tool to get rid of infections.
Was this guide helpful?
Be the first to comment