
Remove Sekhmet ransomware (Removal Instructions) - Free Guide

Removal guide by Olivia Morelli | Type: Ransomware

Sekhmet ransomware – crypto-malware that targets organizations and threatens to publish confidential information online

Image caption: Sekhmet ransomware is malware that encrypts all personal files with a combination of RSA and ChaCha and then demands a Bitcoin payment for their redemption.

Sekhmet ransomware is a new crypto-locking virus strain that was first spotted by cybersecurity experts in late March 2020. Like similar malware of this type, it uses strong encryption (in this case, a combination of RSA and ChaCha) to lock pictures, music, videos, documents, databases, and other files on local and networked drives for blackmail purposes. Each locked file is appended with a random extension (e.g., .WNgh, .DtiV) and can no longer be accessed unless a ransom in Bitcoin is paid to the Sekhmet virus authors.

Threat actors behind the Sekhmet ransomware strain have joined a worrying trend among cybercriminals: they harvest sensitive information during the infection process and then threaten to publish it on a dedicated portal online, accessible to everybody. Allegedly, victims have only three business days before that happens. To obtain the Sekhmet ransomware decryption tool, users have to visit either a TOR site or the sekhmet.top website. All of this information is compiled into the ransom note RECOVER-FILES.txt, which is dropped on the infected machines' desktops.

  • Name: Sekhmet ransomware
  • Type: File locking virus, crypto-malware
  • Related files: f55.dll, sekhmet.dll.exe, regsvr32.exe
  • Encryption method: All non-system files are encrypted with RSA-2048 + ChaCha
  • File appendix: Unlike most ransomware, Sekhmet appends a different random extension to each file on the same device. Example of two different files on the same system: picture1.jpg.WNgh and picture2.jpg.DtiV
  • Ransom note: RECOVER-FILES.txt
  • Contact: Malicious actors indicate two methods of contact: either by downloading a TOR client and visiting a provided link, or by visiting the sekhmet.top website
  • Threat: Hackers claim that they harvested sensitive information from the infected computers and will publish it if the ransom is not paid within three days
  • Data recovery: Without secure backups, retrieving data is almost impossible. Alternative ways for file recovery include using third-party software or trying the built-in Windows backups. Paying cybercriminals might be the only choice in some cases (although it is not recommended)
  • Malware removal: To get rid of the malware, users need to perform a network-wide scan with reputable anti-malware software
  • System fix: Malware can often damage Windows system files, resulting in crashes and other issues. To fix virus damage, employ repair tools like Reimage Intego

Since Sekhmet ransomware mainly targets organizations, it is clear that its attack vectors are not indiscriminate. To perform a targeted attack, malware developers often choose spear-phishing[1] emails or insecure Remote Desktop connections. The latter can be found simply by scanning the internet for all RDP services listening on the default TCP/UDP port 3389.

Due to the targeted nature of the attacks, the threat actors behind the Sekhmet virus may be able to disable defenses already in place, such as deployed anti-malware tools. Nevertheless, up-to-date security solutions may still be the tools needed to detect unauthorized access. Many AVs detect the malware under the following names:[2]

  • Trojan.GenericKD.42872102
  • Win32:Malware-gen
  • Ransom.Win32.SEKHMET.A
  • Win32.Trojan.Cryptor.Pgwr
  • Trojan-Ransom.Win32.Cryptor.ddu
  • Trojan.GenericKD.42872102 (B), etc.

Sekhmet ransomware removal can also be achieved with the help of anti-malware tools, although it is possible that the infection neutralized itself after performing file encryption. Many ransomware strains are programmed to do so, but it is best to check the machine(s) with security software regardless. Note, however, that if you remove Sekhmet ransomware before backing up the encrypted data, that data may be lost for good.

Sekhmet ransomware does not begin the file encryption process immediately, as many system modifications need to be performed first. For example, the Windows registry is modified, remote server connections are established, malicious files are dropped, Shadow Volume Copies and various other files are deleted, and so on. For persistence, the regsvr32.exe process is used so that the malware runs each time Windows starts. These Sekhmet ransomware changes can sometimes damage the system, although this can later be reverted with tools like Reimage Intego.
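The pre-encryption steps above (Shadow Volume Copy deletion, regsvr32.exe used for persistence) are the kind of activity a defender can alert on from process-creation telemetry. The following is an added example, not code from the original guide: it runs two detection rules over a constructed, pipe-separated log. The shadow-copy deletion commands and the "trusted DLL roots" list are standard assumptions, not details taken from the page; only the file name f55.dll comes from the write-up.

```python
"""Detection sketch for the pre-encryption steps: shadow copy deletion and
regsvr32.exe registering a DLL from an untrusted location (added example)."""
import re

# The usual Windows commands for wiping Shadow Volume Copies (assumption: the
# write-up only says the copies are deleted, not which command is used).
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Roots under which regsvr32 legitimately registers DLLs (assumption).
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
REGSVR_DLL = re.compile(r'regsvr32(\.exe)?\s+(?:/\w+\s+)*"?([^"\s]+\.dll)', re.I)

def parse(line):
    """Constructed format: time|parent_image|image|command_line."""
    t, parent, image, cmd = line.split("|", 3)
    return {"time": t, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}

def detect(event):
    """Return a list of (rule, detail) hits for one parsed event."""
    hits = []
    cmd = event["cmd"]
    if any(p.search(cmd) for p in SHADOW_DELETE):
        hits.append(("shadow_copy_deletion", cmd))
    m = REGSVR_DLL.search(cmd)
    if m:
        dll = m.group(2).lower()
        if not dll.startswith(TRUSTED_ROOTS):  # DLL outside the trusted roots
            hits.append(("regsvr32_untrusted_dll", dll))
    return hits

def scan(lines):
    """Apply detect() to every log line; returns (time, rule, detail) tuples."""
    return [(e["time"], rule, detail)
            for e in map(parse, lines) for rule, detail in detect(e)]

# Constructed sample log: paths and times are made up, f55.dll is from the write-up.
SAMPLE_LOG = [
    "10:00:01|explorer.exe|winword.exe|WINWORD.EXE /n invoice.doc",
    "10:00:07|cmd.exe|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "10:00:09|cmd.exe|regsvr32.exe|regsvr32.exe /s C:\\Users\\Public\\f55.dll",
    "10:00:12|services.exe|regsvr32.exe|regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate msxml3.dll registration from System32 produces no alert, while the public-folder DLL and the shadow copy wipe do.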

Image caption: Sekhmet ransomware is a file locking virus that mainly targets companies.

With the system preparations complete, the Sekhmet virus begins to look for files on local and networked drives. It targets the most commonly used types, such as .pdf, .jpg, .zip, .mkv, .doc, and many others. With the help of strong encryption, the malware locks all data and appends a different extension to each file, making them unusable.
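Because Sekhmet gives every file a different random extension, a triage script cannot simply look for one known suffix. The following added example (not code from the original guide) instead keys on the shape the write-up describes: a common data extension followed by a short random suffix, plus the RECOVER-FILES.txt note in the same folder. The four-letter suffix length is an assumption inferred from the two samples on the page (.WNgh, .DtiV).

```python
"""Triage helper: flag Sekhmet-style encrypted files by shape, not by one
fixed extension (added example, not the guide's own tooling)."""
import os
import re
from collections import Counter

RANSOM_NOTE = "RECOVER-FILES.txt"  # note name from the write-up
# Common user-data types, several named in the write-up (.pdf, .jpg, .zip, .mkv, .doc).
KNOWN = ("pdf", "jpg", "jpeg", "png", "zip", "mkv", "mp3", "mp4",
         "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "sql", "db")
# Assumption: the appended suffix is four ASCII letters (inferred from .WNgh, .DtiV).
_ENCRYPTED = re.compile(
    r"^(?P<orig>.+\.(?:" + "|".join(KNOWN) + r"))\.(?P<ext>[A-Za-z]{4})$", re.I)

def classify(names):
    """Return (hits, note_seen); hits maps encrypted name -> probable original name."""
    hits, note_seen = {}, False
    for name in names:
        if name == RANSOM_NOTE:
            note_seen = True
            continue
        m = _ENCRYPTED.match(name)
        # Ignore e.g. "data.doc.docx": a known extension is not a random suffix.
        if m and m.group("ext").lower() not in KNOWN:
            hits[name] = m.group("orig")
    return hits, note_seen

def assess(names):
    """Score one directory listing. Sekhmet uses a different suffix per file, so a
    high ratio of distinct suffixes to hits is the distinguishing signal."""
    hits, note_seen = classify(names)
    distinct = len(Counter(n.rsplit(".", 1)[1] for n in hits))
    ratio = distinct / len(hits) if hits else 0.0
    if hits and note_seen and ratio > 0.5:
        verdict = "sekhmet-like"        # per-file random suffix + ransom note
    elif hits:
        verdict = "encrypted-unknown"   # fixed suffix: another family, or a fluke
    else:
        verdict = "clean"
    return {"hits": hits, "note": note_seen, "distinct_ratio": round(ratio, 2),
            "verdict": verdict}

def assess_dir(path):
    """Run assess() over the files of a real directory (non-recursive)."""
    return assess(e.name for e in os.scandir(path) if e.is_file())

# Constructed listing for offline demonstration (not from a real infection).
SAMPLE = ["picture1.jpg.WNgh", "picture2.jpg.DtiV", "report.docx.qRtZ",
          "backup.zip.mKpL", "RECOVER-FILES.txt", "notes.txt", "app.exe"]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The original names recovered in hits are what you would want to list before backing the encrypted files up, as the removal section below recommends.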

After that, a lengthy ransom note is dropped. It explains that Sekhmet ransomware has encrypted all files and that, allegedly, the only way to recover the data is by paying the cybercriminals. Here is an extract from the note:

| Attention! |
—–

Your company network has been hacked and breached. We downloaded confidential and private data.
In case of not contacting us in 3 business days this data will be published on a special website available for public view.

Also we had executed a special software that turned files, databases and other important data in your network into an encrypted state using RSA-2048 and ChaCha algorithms.
A special key is required to decrypt and restore these files. Only we have this key and only we can give it to you with a reliable decryption software.

—–
| How to contact us and be safe again |
—–

The only method to restore your files and be safe from data leakage is to purchase a private key which is unique for you and securely stored on our servers.
After the payment we provide you with decryption software that will decrypt all your files, also we remove the downloaded data from your network and never post any information about you.

There are 2 ways to directly contact us:

1) Using hidden TOR network:

a) Download a special TOR browser: hxxps://www.torproject.org/
b) Install the TOR browser
c) Open our website in the TOR browser: hxxp://o3n4bhhtybbtwqqs.onion/1E857D009F862A38
d) Follow the instructions on this page.

2) If you have any problems connecting or using TOR network

a) Open our website: hxxps://sekhmet.top/1E857D009F862A38
b) Follow the instructions on this page

On this web site, you will get instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.

It is not yet known who is behind the Sekhmet ransomware strain, but these criminals appear serious about what they do. Judging by the ransom note and the way the communication system is set up, it is clear that these people are not new to the ransomware scene, and that they are aiming at organizations and businesses for larger ransom payments.

With that in mind, the disclosure of sensitive information can in some cases be even more devastating than the loss of the files. For a company, having its secrets revealed, possibly to other malicious actors or competitors, might prove detrimental enough to shut the company down. This is why Sekhmet ransomware might be so effective at collecting ransom payments: business owners do not want to lose their source of income.

Ransomware prevention measures

It is currently unknown which distribution methods the ransomware developers are using, although, considering the nature of the ransom note, they most likely rely on targeted attacks. In most cases, these are executed via unprotected RDP connections or phishing emails. Nevertheless, this does not mean that cybercriminals cannot use other methods, including:

  • web injects
  • fake updates
  • exploits
  • pirated software installers
  • etc.

Therefore, to ensure the safety of the company, staff training and dedicated IT teams are essential for cybersecurity. It is especially important to secure remote desktop connections with tools such as a VPN, as well as strong passwords and correct settings.

Image caption: Sekhmet ransomware authors offer victims the choice of either downloading a Tor client and visiting a particular site, or accessing the payment panel via sekhmet.top.

Additionally, email attachments should never be allowed to run macros, i.e., do not click "Enable content." Typically, PDF or .doc files booby-trapped with malicious macros are used to execute commands and begin the infection routine. Also, with the help of spoofing techniques,[3] hackers might make it look as though the email is coming from within the company, so caution should be practiced at all times.

Finally, comprehensive anti-malware software, regular backups, system patching, and other safety measures should always be practiced.

Get rid of Sekhmet ransomware and try to recover your data

It is up to you to decide whether you want to pay for the Sekhmet ransomware decryptor, but keep in mind that it is very risky: the cybercriminals behind the strain might simply ignore victims as soon as the Bitcoins are transferred. Therefore, security experts advise against paying criminals, although the fact that they could publicly disclose sensitive company information is a considerable threat. The tactic was developed by the Maze ransomware authors and is now being adopted by other strains.

If you decide not to pay, you have to ensure that Sekhmet ransomware removal is performed correctly. Since the malware drops a multitude of files across the system and changes various Windows settings, removal is best done with the help of anti-malware software.

If you have struggled to remove Sekhmet ransomware, you can boot into Safe Mode with Networking and perform a full scan from there. Only then should you attempt to recover your data, and do not forget to back up the encrypted files first.


To remove Sekhmet virus, follow these steps:

Remove Sekhmet using Safe Mode with Networking

To access Safe Mode with Networking, perform the following actions:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Sekhmet

    Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Sekhmet removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Sekhmet using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Sekhmet. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage Intego, scan your computer with it, and make sure that Sekhmet removal has been performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove Sekhmet from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Sekhmet, you can use several methods to restore them:

Data Recovery Pro might be useful when trying to retrieve encrypted files

Data Recovery Pro might be able to reach healthy copies of at least some of the files on the hard disk.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Sekhmet ransomware;
  • Restore them.

Make use of Windows Previous Versions feature

This method will only work if you had System Restore enabled.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer can sometimes help

In case the Sekhmet file virus failed to delete Shadow Volume Copies, ShadowExplorer can help you to retrieve the encrypted data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Sekhmet and other ransomware, use a reputable anti-spyware tool such as Reimage Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Olivia Morelli - Ransomware analyst
