Severity scale: 99/100

Everbe ransomware. How to remove? (Uninstall guide)

Removal by Gabriel E. Hall | Type: Ransomware

Everbe ransomware — a malicious cryptovirus that keeps returning with new versions

Everbe ransomware delivers ransom note
Everbe ransomware is a virus that locks up personal files and is now decryptable.

Everbe is a dangerous ransomware that first appeared in March 2018. The virus reappeared in May of the same year as Embrace ransomware and PainLocker virus. Since then, the ransomware has had four versions, all of which use the same AES or RSA encryption methods to encrypt files. However, different versions rely on different file extensions, and only the ransom note !=How_recovery_files=!.txt stays the same. In this file, hackers explain what their victims need to do to contact them and get the special encryption key needed to restore encrypted data. So far, we have discovered these file extensions used by Everbe ransomware: .[everbe@airmail.cc].everbe; [embrace@airmail.cc].embrace; .pain; .[eV3rbe@rape.lol].eV3rbe; .[hyena@rape.lol].HYENA; .[thunderhelp@airmail.cc].thunder. A few of these viruses can be countered with a newly created decryptor called InsaneCryptDecrypter. However, we cannot guarantee that this tool works on files encrypted by the latest versions of this ransomware. The latest virus version uses the .[thunderhelp@airmail.cc].thunder file extension for encrypted data. It is a new extension for the same Everbe 2.0 ransomware that was discovered earlier in July.

Summary
Name: Everbe
Type: Ransomware
Variants:
Danger level: High. Makes system changes and encrypts files; demands a ransom
Targeted OS: Windows
Appended file extension: .[everbe@airmail.cc].everbe; [embrace@airmail.cc].embrace; .pain; .[eV3rbe@rape.lol].eV3rbe; .[hyena@rape.lol].HYENA; .[thunderhelp@airmail.cc].thunder
Contact email addresses: everbe@airmail.cc; embrace@airmail.cc; pain@cock.lu; pain@airmail.cc; hyena@rape.lol; hyena@cock.lu; thunderhelp@airmail.cc
Data recovery: Several versions of Everbe can be decrypted using Embrace decryptor (InsaneCrypt Decryptor)
To delete Everbe, install Reimage and run a full system scan

Once a file's name is changed, its data immediately becomes compromised and unusable due to a sophisticated encryption algorithm. Everbe ransomware then generates a ransom note and places copies of it in all existing folders:

Hi !
If you want to restore your files write on email – everbe@airmail.cc
In the subject write – [redacted victim ID number]

As you can see from the quote above, this short message encourages users to contact the developers via the everbe@airmail.cc email address if they want to restore encrypted data. The ransom note also provides a unique victim ID, which the victim is asked to enter in the subject line of the email.

However, we do not recommend contacting the creators of Everbe ransomware or following their instructions. There is no doubt that they will ask for Bitcoin or another cryptocurrency in exchange for the unique decryption key created for each victim. But once the cybercriminals receive the payment, they might disappear and leave you with a bigger loss.

No matter how much you need to get your files back, you should remember that there are no guarantees that crooks will keep their promise and help with data recovery.[1] Additionally, paying the ransom does nothing to remove Everbe. Hence, your computer remains vulnerable and sluggish. Besides, there is a free decryptor available,[2] so there is no need to pay hackers.

As soon as you become aware of a ransomware attack, you should obtain a proper security program and clean your machine. We recommend using Reimage for the proper system scan and virus elimination.

Keep in mind that you need to remove the Everbe virus first before you can proceed with data recovery. However, if you do not have backups, you can try using the additional tools that we have presented at the end of the article. If they do not help, you should remain patient and wait for malware researchers to create a free decryptor.

Four different variants related to Everbe

The good news is that the Everbe decryptor can help with two variants of the malware, Embrace and Painlocker. However, it only works for these first-discovered variants, because hackers are known to modify the ransomware's code so that the decryptor no longer works. These versions came out quickly one after another, each with an entirely new name.

Once more, two new versions came out in July 2018. Everbe 2.0 and Hyena Locker are not decryptable yet. The previous tool does not work. These two are similar and have lengthy ransom notes containing new contact emails (two for each version) and new file extensions. 

Embrace ransomware

Embrace ransomware made a comeback as the first continuation of Everbe malware. It spread through unprotected RDP, through malicious attachments in spam emails, or was injected into malicious websites. It used the same encryption algorithm (AES or DES) to lock up files and added the [embrace@airmail.cc].embrace extension. For example, a file called picture.jpg would be turned into picture.jpg.[embrace@airmail.cc].embrace.

The ransom note !=How_recovery_files=!.txt differs slightly from the first variant and urges users to contact hackers via embrace@airmail.cc. Victims are also warned that if the payment is not made within seven days, the ransom price will double. It is unknown how much money the crooks ask for; however, prices usually range between $500 and $1500, and payments are made in Bitcoin or another cryptocurrency.

As usual, we recommend that users ignore the ransomware authors and remove the Embrace virus from the machine ASAP.

PainLocker ransomware

PainLocker is the latest addition to the Everbe crypto-malware family. It adds the [pain@cock.lu].pain appendix to each of the files and generates a ransom note of the same name, !=How_recovery_files=!.txt, which states the following:

########## PAIN LOCKER ##########
Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore files?
Write to our email – pain@cock.lu or pain@airmail.cc and tell us your unique ID

Painlocker wants users' money. Thus, these hackers are not your friends (as they self-proclaimed)! Even though the decryptor works for this version of the virus as well, in rare cases it may not work for you. Therefore, it is vital to keep regular backups and employ reputable security software which could detect malicious threats and eliminate them before they can enter. If you found your files encoded, hurry up and remove PainLocker using an anti-malware tool.

Embrace & PainLocker ransomware
Embrace & PainLocker - the newest versions of Everbe malware

Everbe 2.0 ransomware

This version came out in July 2018 as the second version of the main Everbe ransomware. Security experts were convinced that the virus would remain decryptable. However, the decryption tools that have already been presented do nothing to recover files encrypted by this ransomware version. This variant appends the .[eV3rbe@rape.lol].eV3rbe file extension or the .[thunderhelp@airmail.cc].thunder appendix to the targeted data. This particular version uses the AES-256 encryption method. It offers to prove its decryption capabilities by decrypting three of the victim's most important files. The ransom amount is still unknown, so it is possible that the ransom you need to pay depends on the time you take to contact the criminals. However, we strongly recommend that you do NOT contact the cybercriminals. Instead, you should try the data recovery steps given at the end of this post.

Hyena Locker ransomware 

Hyena Locker is the fourth version of the ransomware, which showed up in July 2018. It uses a three-paragraph ransom note to suggest that its victims send files to test the decryption procedure. This is offered so that you believe the payment you send to the cybercriminals will guarantee full decryption of your files. Hyena uses the .[hyena@rape.lol].HYENA file extension to mark encrypted files and generates a key which is saved on a remote server that belongs to the hackers. Just like Everbe 2.0, it uses the AES-256 encryption cipher. The virus is still undecryptable.

Third-party software download sources help to spread ransomware

The main way ransomware is spread on the web and installed on computers is spam emails.[3] They often include malicious attachments that download and install malware on your computer. The letters can be made to look as if they come from real, big companies like PayPal, DHL, LinkedIn, and others.

Additionally, infected email attachments usually look safe to open. Creators of malware often inject malicious code into Word or PDF documents. In some cases, ransomware might arrive in the ZIP archive. So, you should be extremely careful with received emails.

Security specialists from NoVirus.uk[4] also warn that authors of malware might use other methods to spread the file-encrypting virus, such as:

  • Unofficial software download sources or peer-to-peer networks that promote and offer to install suspicious programs;
  • Fake updaters might include malware instead of upgrading any software;
  • Security pop-ups might ask to install fake security programs that are malware;
  • Malicious ads placed on both legit and high-risk websites.

To avoid infiltration of such a cyber threat, you should not only be careful with emails and learn how to identify tricky messages sent by hackers, but also follow major security tips, such as avoiding potentially dangerous sites and not downloading programs from ads or unauthorized download sites. Additionally, data backups and the installation of an antivirus program help to minimize the risk of a ransomware attack.

Everbe removal procedure has to be completed immediately

Everbe removal needs to be done using an anti-malware program. Ransomware creators upgrade their code and make the viruses more evolved each time a new version comes out. We recommend using Reimage, Plumbytes Anti-Malware or Norton Internet Security for cleaning your computer. However, feel free to use your preferred anti-malware program, but do not forget to update it first! Additionally, a ransomware virus can block access to the security program or its installation process, so you might need to follow the other steps mentioned in the removal guide below.

Everbe decryptor
Everbe and all its versions can now be decrypted.

Once you remove Everbe from the machine, you can begin the data recovery procedure. You should first try to regain access to your files by using Embrace Decryptor. This tool only works for a few versions of this ransomware. In case it does not work for you, below you can see other options for restoring your data.


To remove Everbe virus, follow these steps:

Remove Everbe using Safe Mode with Networking

If you cannot run automatic Everbe removal, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Everbe

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Everbe removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Everbe using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of Everbe. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that Everbe removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Everbe from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Everbe, you can use several methods to restore them:

Try Data Recovery Pro to restore missing files

It's not an official Everbe decryptor, but it can help to recover some of the encrypted files.

Take advantage of Windows Previous Versions feature

If System Restore was enabled before ransomware attack, you could copy individual files by following these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try Shadow Explorer to restore files encrypted by Everbe ransomware virus

If malware did not delete Shadow Volume Copies, this tool might be useful:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Embrace Decryptor

Security researchers Michael Gillespie and Maxime Meignan recently created a decryptor which can be used to recover your files affected by Everbe for free. This works for Everbe, Embrace and Painlocker only. You can download the tool here.
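Before running the decryptor, it helps to know which variant touched which files. The following triage script is an added example, not code from the original article or from the decryptor's authors: it classifies a file listing by the extensions and ransom-note name given on this page and reports the variants the article says the free decryptor does not cover. The function names and sample paths are constructed for illustration.

```python
import ntpath
from collections import Counter

RANSOM_NOTE = "!=how_recovery_files=!.txt"  # note name from this page, lowercased
# (suffix, variant, covered by the free decryptor according to this page)
VARIANTS = [
    (".[everbe@airmail.cc].everbe", "Everbe", True),
    ("[embrace@airmail.cc].embrace", "Embrace", True),
    ("[pain@cock.lu].pain", "PainLocker", True),
    (".pain", "PainLocker", True),
    (".[eV3rbe@rape.lol].eV3rbe", "Everbe 2.0", False),
    (".[thunderhelp@airmail.cc].thunder", "Everbe 2.0", False),
    (".[hyena@rape.lol].HYENA", "Hyena Locker", False),
]

def classify(filename):
    """Return (variant, decryptable, original_name), or None for a clean name."""
    lowered = filename.casefold()  # Windows file names are case-insensitive
    for suffix, variant, decryptable in VARIANTS:
        if lowered.endswith(suffix.casefold()) and len(filename) > len(suffix):
            original = filename[: -len(suffix)].rstrip(".")
            return variant, decryptable, original
    return None

def triage(paths):
    """Summarise an iterable of file paths from the affected host."""
    counts, note_dirs = Counter(), set()
    for path in paths:
        folder, name = ntpath.split(path)  # parses Windows paths on any OS
        if name.casefold() == RANSOM_NOTE:
            note_dirs.add(folder)
            continue
        hit = classify(name)
        if hit:
            counts[hit[0]] += 1
    covered = {variant: ok for _suffix, variant, ok in VARIANTS}
    return {
        "variants": dict(counts),
        "ransom_note_dirs": sorted(note_dirs),
        "not_covered_by_decryptor": sorted(v for v in counts if not covered[v]),
    }

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\a\Pictures\picture.jpg.[embrace@airmail.cc].embrace",
    r"C:\Users\a\Pictures\!=How_recovery_files=!.txt",
    r"C:\Users\a\Docs\report.docx.[thunderhelp@airmail.cc].thunder",
    r"C:\Users\a\Docs\notes.txt",
]
```

Feed `triage` a file listing exported from the affected disk (or paths from `os.walk` on a mounted copy) so the check can run without booting the infected system.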

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Everbe and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Plumbytes Anti-Malware or Norton Internet Security.


References
