ABCD ransomware is a file locking malware that mostly attacks businesses via weakly-protected Remote Desktop connections
ABCD ransomware is a type of malware that locks all data on the host machine and the connected networks and then demands ransom of up to 3 BTC for the decryption tool
ABCD ransomware is an emerging crypto-malware that has been spotted attacking several companies around the world since mid-October 2019. Initially, security researchers could not identify the ransomware correctly, although later, it became apparent that the malware stems from MegaCortex and LockerGoga ransomware – threats that have been operated by successful hacking groups.
Since the main targets of ABCD ransomware are organizations, its primary distribution method is RDP (Remote Desktop Protocol). Once the malicious executable is executed, the malware starts its infection routine, consequently encrypting all local and networked files with the help of AES, and appending .abcd marker to each of them. To recover data, victims are informed via the ransom note Restore-My-Files.txt that they need to contact threat actors via the email (depends on the version, but so far, the provided contacts were firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org) and pay the ransom in Bitcoin.
While some victims claimed that they received ABCD ransomware decryptor from the attackers after paying the demanded sum, it is best not to trust the attackers and instead use alternative methods provided in the bottom section of this article.
|Type||Cryptomalware, file locking virus|
|Family||After initial confusion, it was determined that this malware is a variant of MegaCortex and LockerGoga|
|Distribution||Usually spread via unprotected or poorly protected RDP connections|
|Malware launcher||Ricks75.exe (may vary)|
|Secondary payloads||Infected machines are injected with a legitimate application Process Hacker 2|
|Encryption algorithm||Malware uses AES cipher to encrypt all data on the machine and its networked drives, skipping system and executable files|
|Appended extension||Each file receives .abcd extension. Example of an encrypted file: picture.jpg.abcd|
|Ransom note||Restore-My-Files.txt text file is dropped into most folders on the system|
|Contact||Victims are asked to contact criminals for ransom negotiations via email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, or email@example.com emails|
Multiple AV vendors detect malware sample on Virus Total as follows:
|File decryption||The only secure and free possibility of retrieving the locked data is via backups. Paying ransom to criminals is not recommended, although some might have no other choice. Nevertheless, a small chance exists to recover data with the help of third-party recovery software|
|Malware removal||Download reputable anti-malware software and perform a full system scan in Safe Mode as explained below|
|Recovery||Ransomware modifies system files – this could cause issues after it is eliminated, such as errors, crashes, and similar. To fix virus damage, we suggest using ReimageIntego|
While it is most likely that ABCD ransomware is spread via the RDP connections, it does not mean that other methods are not used by hackers as well, such as spam emails, fake updates, software cracks, exploits, etc. Thus, it is important to understand that securing just one point of entry is not enough, and comprehensive security solutions should be applied to avoid infiltration.
Upon infiltration, ABCD ransomware does not immediately begins the infection routine, but first performs the necessary preparations:
- Deletes Shadow Volume Copies with the help of “vssadmin delete shadows /all /quiet” command.
- Disables Windows startup repair function.
- Installs Process Hacker 2 – originally a legitimate application that is used to monitor system resources, detect malware, and debug software.
- Modifies registry files.
- Spawns many different processes, etc.
It was reported that ABCD ransomware attempts to infect all the computers on the connected network and encrypt data on all the connected servers. Besides, it also tries to access virtual backup systems like Dropbox and deleting backups from there. Considering the Shadow Volume Copies are deleted as well, encrypted data recovery becomes even more complicated. Due to its advanced functionality, even ABCD ransomware removal might not be successful.
After that, ABCD ransomware all data located on the machine, as well as all the networked drives, and drops the ransom note for information purposes. Ransom note contents are as follows:
All your important files are encrypted!
There is only one way to get your files back:
1. Contact with us
2. Send us 1 any encrypted your file and your personal key
3. We will decrypt 1 file for test(maximum file size – 1 MB), its guarantee what we can decrypt your files
5. We send for you decryptor software
We accept Bitcoin
Do not rename encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price(they add their fee to our)
Contact information: firstname.lastname@example.org
Be sure to duplicate your message on the e-mail: email@example.com
Your personal id:
Some victims who paid for ABCD ransomware decryptor claimed that their files were successfully recovered their data. However, there is always a risk when communicating with malicious actors, as they are not always willing to cooperate, and might ask for even more substantial sums. As reported by affected users, hackers are eager to ask as much as 3 BTC, regardless of how many computers or servers were encrypted.
ABCD ransomware is crypto-malware that stems from MegaCortex and LockerGoga families, both of which are known from targeted attacks against organizations and businesses
Thus, you should backup all the encrypted files, remove ABCD ransomware with anti-malware, and then attempt to recover data by using alternative methods provided in our recovery section below. Additionally, if you experience system crashes and frequent error messages post-removal, you could use ReimageIntego to fix virus damage and avoid the re-installation of Windows operating system.
Poorly protected RDP connections serve as an entry point for malware authors
Remote Desktop Service is a great feature implemented by Microsoft – it allows users to connect to computers remotely over a network connection. The system is often used by various businesses, although regular users can also find it useful in certain situations. However, many companies still fail to protect such connections correctly. Due to its prevalence and weak protection practices, RDP became a go-to choice for malicious actors who are planning targeted attacks against organizations and businesses.
In most of the cases, the required credentials to bypass authentication are either acquired on the underground forums, or by applying the brute-forcing technique with automated software. Once inside, attackers typically disable all the defenses and delete backups (if accessible), deploying ransomware payload after.
To adequately protect your RDP, industry experts advise the following:
- Do not use default TCP and UDP port 3389.
- Limit the access to RDP to only those who actually need it via Group Policy Management Console.
- Protect the connection with a strong password to prevent brute-forcing.
- Disable RDP when it is not used.
- Enable Network Level Authentication (NLA) via System Properties.
- If possible, use Remote Desktop Gateway Server for extra security.
As evident, general security practices like comprehensive security solutions, regular system patching, backups, and other precautionary measures should always be adhered to as well.
ABCD ransomware removal and file recovery solutions
When it comes to ABCD ransomware decryption, there is not much that the infected users can do if no backups were prepared and isolated before the attack. It is always worth trying third-party recovery software, but there are no guarantees that it will work (in some cases, at least a portion of locked files can be recovered if the host computer was not used as much post-infection). Before trying alternative methods, ABCD ransomware removal should be executed to void repeated data encryption.
Once files are appended with .abcd, the only secure way to recover them is via data backups
Note that, when you remove ABCD ransomware infection, you might permanently damage encrypted files, and even a working decryptor would no longer function. Thus, make sure you backup all the encrypted data before doing everything else. For that, you might have to access Safe Mode with Networking, as ABCD virus might try to prevent its termination by disabling AV software.
Besides using recovery software, the other two options are paying criminals or waiting until security researchers discover bugs within the ransomware code and create a working ABCD decryption tool. Depending on many different factors, this might or might not happen. Therefore, it is always up to you to device what is the best solution in this rather difficult situation. As evident, if backups are available, it is the only recovery method you should go for.
To remove ABCD virus, follow these steps:
Manual ABCD removal using Safe Mode
In case of ABCD ransomware is interfering with your anti-virus, you can enter Safe Mode with Networking to bypass malware's functions:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove ABCD using System Restore
System Restore is another way to delete malware:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of ABCD. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove ABCD from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by ABCD, you can use several methods to restore them:
Data Recovery Pro is a tool that may work
As previously mentioned, the less you have used your computer post-infection, the more chances are to retrieve healthy copies of files from the hard drive with tools like Data Recovery Pro.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by ABCD ransomware;
- Restore them.
Make use of Windows Previous Versions Feature
This method can only work if you had System Restore enabled.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer might recover all the encrypted data
ABCD file virus is programmed to delete Shadow Volume Copies. If this process fails, there is a high chance of restoring all files with the help of ShadowExplorer.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryption tool is currently available
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ABCD and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.