Severity scale:  
  (97/100)

Remove ABCD ransomware (Removal Guide) - Recovery Instructions Included

removal by Linas Kiguolis - - | Type: Ransomware

ABCD ransomware is a file locking malware that mostly attacks businesses via weakly-protected Remote Desktop connections

ABCD ransomwareABCD ransomware is a type of malware that locks all data on the host machine and the connected networks and then demands ransom of up to 3 BTC for the decryption tool

ABCD ransomware is an emerging crypto-malware that has been spotted attacking several companies around the world since mid-October 2019. Initially, security researchers could not identify the ransomware correctly, although later, it became apparent that the malware stems from MegaCortex and LockerGoga ransomware – threats that have been operated by successful hacking groups.

Since the main targets of ABCD ransomware are organizations, its primary distribution method is RDP (Remote Desktop Protocol). Once the malicious executable is executed, the malware starts its infection routine, consequently encrypting all local and networked files with the help of AES,[1] and appending .abcd marker to each of them. To recover data, victims are informed via the ransom note Restore-My-Files.txt that they need to contact threat actors via the email (depends on the version, but so far, the provided contacts were goeila@countermail.com, gupzkz@cock.li, supportpc@cock.li, goodsupport@cock.li, and abcd-help@countermail.com) and pay the ransom in Bitcoin.

While some victims claimed that they received ABCD ransomware decryptor from the attackers after paying the demanded sum, it is best not to trust the attackers and instead use alternative methods provided in the bottom section of this article.

Name ABCD ransomware
Type Cryptomalware, file locking virus
Family  After initial confusion, it was determined that this malware is a variant of MegaCortex and LockerGoga
Distribution Usually spread via unprotected or poorly protected RDP connections
Malware launcher Ricks75.exe (may vary)
Secondary payloads  Infected machines are injected with a legitimate application Process Hacker 2
Encryption algorithm  Malware uses AES cipher to encrypt all data on the machine and its networked drives, skipping system and executable files 
Appended extension  Each file receives .abcd extension. Example of an encrypted file: picture.jpg.abcd 
Ransom note  Restore-My-Files.txt text file is dropped into most folders on the system 
Contact  Victims are asked to contact criminals for ransom negotiations via goeila@countermail.com, gupzkz@cock.li, supportpc@cock.li, goodsupport@cock.li, or abcd-help@countermail.com emails
Detection

Multiple AV vendors detect malware sample on Virus Total as follows:

  • Win32:Trojan-gen
  • Ransom:Win32/LockBit.A!MTB
  • BehavesLike.Win32.Emotet.lh
  • Win32.Trojan-Ransom.Filecoder.BO
  • A Variant Of Win32/Filecoder.NXQ
  • W32.Trojan.TR.Downloader, etc.
File decryption  The only secure and free possibility of retrieving the locked data is via backups. Paying ransom to criminals is not recommended, although some might have no other choice. Nevertheless, a small chance exists to recover data with the help of third-party recovery software 
Malware removal Download reputable anti-malware software and perform a full system scan in Safe Mode as explained below
Recovery Ransomware modifies system files – this could cause issues after it is eliminated, such as errors, crashes, and similar. To fix virus damage, we suggest using Reimage Reimage Cleaner Intego

While it is most likely that ABCD ransomware is spread via the RDP connections, it does not mean that other methods are not used by hackers as well, such as spam emails, fake updates, software cracks, exploits,[2] etc. Thus, it is important to understand that securing just one point of entry is not enough, and comprehensive security solutions should be applied to avoid infiltration.

Upon infiltration, ABCD ransomware does not immediately begins the infection routine, but first performs the necessary preparations:[3]

  • Deletes Shadow Volume Copies with the help of “vssadmin delete shadows /all /quiet” command.
  • Disables Windows startup repair function.
  • Installs Process Hacker 2 – originally a legitimate application that is used to monitor system resources, detect malware, and debug software.
  • Modifies registry files.
  • Spawns many different processes, etc.

It was reported that ABCD ransomware attempts to infect all the computers on the connected network and encrypt data on all the connected servers. Besides, it also tries to access virtual backup systems like Dropbox and deleting backups from there. Considering the Shadow Volume Copies are deleted as well, encrypted data recovery becomes even more complicated. Due to its advanced functionality, even ABCD ransomware removal might not be successful.

After that, ABCD ransomware all data located on the machine, as well as all the networked drives, and drops the ransom note for information purposes. Ransom note contents are as follows:

All your important files are encrypted!
There is only one way to get your files back:
1. Contact with us
2. Send us 1 any encrypted your file and your personal key
3. We will decrypt 1 file for test(maximum file size – 1 MB), its guarantee what we can decrypt your files
4. Pay
5. We send for you decryptor software

We accept Bitcoin

Attention!
Do not rename encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price(they add their fee to our)

Contact information: supportpc@cock.li

Be sure to duplicate your message on the e-mail: goodsupport@cock.li

Your personal id:

Some victims who paid for ABCD ransomware decryptor claimed that their files were successfully recovered their data. However, there is always a risk when communicating with malicious actors, as they are not always willing to cooperate, and might ask for even more substantial sums. As reported by affected users, hackers are eager to ask as much as 3 BTC, regardless of how many computers or servers were encrypted.

ABCD ransomware virusABCD ransomware is crypto-malware that stems from MegaCortex and LockerGoga families, both of which are known from targeted attacks against organizations and businesses

Thus, you should backup all the encrypted files, remove ABCD ransomware with anti-malware, and then attempt to recover data by using alternative methods provided in our recovery section below. Additionally, if you experience system crashes and frequent error messages post-removal, you could use Reimage Reimage Cleaner Intego to fix virus damage and avoid the re-installation of Windows operating system.

Poorly protected RDP connections serve as an entry point for malware authors

Remote Desktop Service is a great feature implemented by Microsoft – it allows users to connect to computers remotely over a network connection. The system is often used by various businesses, although regular users can also find it useful in certain situations. However, many companies still fail to protect such connections correctly. Due to its prevalence and weak protection practices, RDP became a go-to choice for malicious actors who are planning targeted attacks against organizations and businesses.[4]

In most of the cases, the required credentials to bypass authentication are either acquired on the underground forums, or by applying the brute-forcing technique with automated software. Once inside, attackers typically disable all the defenses and delete backups (if accessible), deploying ransomware payload after.

To adequately protect your RDP, industry experts[5] advise the following:

  • Do not use default TCP and UDP port 3389.
  • Limit the access to RDP to only those who actually need it via Group Policy Management Console.
  • Protect the connection with a strong password to prevent brute-forcing.
  • Disable RDP when it is not used.
  • Enable Network Level Authentication (NLA) via System Properties.
  • If possible, use Remote Desktop Gateway Server for extra security.

As evident, general security practices like comprehensive security solutions, regular system patching, backups, and other precautionary measures should always be adhered to as well.

ABCD ransomware removal and file recovery solutions

When it comes to ABCD ransomware decryption, there is not much that the infected users can do if no backups were prepared and isolated before the attack. It is always worth trying third-party recovery software, but there are no guarantees that it will work (in some cases, at least a portion of locked files can be recovered if the host computer was not used as much post-infection). Before trying alternative methods, ABCD ransomware removal should be executed to void repeated data encryption.

ABCD ransomware encrypted filesOnce files are appended with .abcd, the only secure way to recover them is via data backups

Note that, when you remove ABCD ransomware infection, you might permanently damage encrypted files, and even a working decryptor would no longer function. Thus, make sure you backup all the encrypted data before doing everything else. For that, you might have to access Safe Mode with Networking, as ABCD virus might try to prevent its termination by disabling AV software.

Besides using recovery software, the other two options are paying criminals or waiting until security researchers discover bugs within the ransomware code and create a working ABCD decryption tool. Depending on many different factors, this might or might not happen. Therefore, it is always up to you to device what is the best solution in this rather difficult situation. As evident, if backups are available, it is the only recovery method you should go for.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove ABCD virus, follow these steps:

Remove ABCD using Safe Mode with Networking

In case of ABCD ransomware is interfering with your anti-virus, you can enter Safe Mode with Networking to bypass malware's functions:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove ABCD

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete ABCD removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove ABCD using System Restore

System Restore is another way to delete malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of ABCD. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that ABCD removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove ABCD from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by ABCD, you can use several methods to restore them:

Data Recovery Pro is a tool that may work

As previously mentioned, the less you have used your computer post-infection, the more chances are to retrieve healthy copies of files from the hard drive with tools like Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ABCD ransomware;
  • Restore them.

Make use of Windows Previous Versions Feature

This method can only work if you had System Restore enabled.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might recover all the encrypted data

ABCD file virus is programmed to delete Shadow Volume Copies. If this process fails, there is a high chance of restoring all files with the help of ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ABCD and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions

References

Your opinion regarding ABCD ransomware