Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2020

How to remove ShivaGood ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Lucia Danes · Virus researcher

ShivaGood ransomware is a file locking virus that uses several other malware components

ShivaGood ransomware

ShivaGood ransomware is malware, which first showed up in the wild back in September 2018, attacking several businesses and regular computer users. Since then a few other variants emerged, although they all append the same extension to files – .good. The attackers ask to pay a ransom in Bitcoins for the decryption tool and provide dsupport@airmail.cc, xxxsupport@protonmail.com, or badguyconsult@protonmail.com emails for communication purposes.

ShivaGood ransomware, otherwise known as Mimicry ransomware, takes numerous characteristics from different malware: the same file extension was used by Scarab-Horsia, while initial identifications of a sample pointed at Crypt0L0cker due the name of the ransom note – HOW_TO_RECOVER_FILES.txt. Nevertheless, it turned out that it has nothing to do with these two families, and its a modified version of the open-source HiddenTear ransomware, which makes it secure. In other words, ShivaGood virus-encrypted files cannot be decrypted, and the server used by hackers turns out to be dead as well, so paying a ransom is useless.

Name ShivaGood
Type Ransomware, cryptomalware
Alternative names Mimicry ransomware, .good ransomware
Derives from HiddenTear –  the open-source ransomware
Main executable Frost.exe which is dropped into “Frenchkiss” folder
Encryption algorithm Malware applies AES cipher to lock all files located on the system, although it skips .exe and system files like .sys or .dll
File extension Each of the files is marked with .good extension. Encrypted example: picture.jpg.good
Ransom note HOW_TO_RECOVER_FILES.txt is dropped on the desktop and all the folders where encrypted data is located
Contact dsupport@airmail.cc, xxxsupport@protonmail.com, or badguyconsult@protonmail.com
File decryption

Paying criminals is useless, as the server the malware is meant to contact is no longer accessible, so they will not be able to recover the data – even after the Bitcoin payment. Other options are as follows:

  • Restore files from backups
  • Use third-party recovery software (low chance)
Malware removal Use reputable anti-malware software to get rid of ShivaGood. If not successful, you should run a different malware removal tool and/or access Safe Mode with Networking as explained below
Windows system recovery In case your Windows system is crashing, returning BSODs,[1] errors and similar, you can remediate your OS with the help of PC repair software FortectIntego

There is no precise information on how ShivaGood ransomware spreads. However, because hackers are keen to attack businesses, there is a high chance that the malware compromises servers and networks via weakly protected Remote Desktop connections. Other methods might include:

  • Spam emails;
  • Exploits;[2]
  • Fake updates;
  • Backdoors;
  • Cracks, etc.;

Soon after the infection, the ShivaGood virus creates a folder named “Frenchkiss and places the frost.exe file inside it. From there, the executable is launched, and the infection of the computer, along with all the connected networks as well as servers, begins. 

ShivaGood ransomware performs various modifications to the host machine, including dropping several malicious files, modifying the Windows registry, deleting Shadow Volume copies, etc. All the changes to the system are initiated for a different purpose; for example, registry modification ensures that the malware is booted with each system start while deleting of automatic Windows backups makes automatic recovery impossible. Nevertheless, after ShivaGood ransomware removal, victims can fix the damage done by the virus with the help of such tools as FortectIntego.

ShivaGood ransomware virus

As soon as preparations are complete, ShivaGood ransomware locks all files with the help of the AES encryption algorithm,[3] restricting the access to all data, although the system and executable files remain untouched. Likewise, all the encrypted files are marked with .good extension.

The ransom note HOW_TO_RECOVER_FILES.txt states the following:

Your personal identifier: Y4GIE

Your important files are now encrypted due to a security problem with your PC!

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: dsupport@airmail.cc

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).

How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click'Buy bitcoins', and select the seller by payment method and price:
https://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.

As mentioned before, contacting hackers is useless, as they themselves would not be able to retrieve the required key for the data decryption. Instead, we would suggest focussing on ShivaGood ransomware removal with the help of anti-malware software, such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. In case of troubles, we provide full instructions on how to enter Safe Mode if malware is preventing security tools from working correctly.

Protect the RDP and apply other precautionary measure to reduce the infection chances to a minimum

As previously mentioned, there is a high chance that malicious actors are using unprotected Remote Desktop connections to infect victims with malware. The principle of this infection method is relatively simple, as crooks employ automated software that scans the internet for poorly protected connections (those running the default TCP port 3389) and then brute-force their way in with the help of other tools. As a result, the attackers gain access remotely and install ransomware manually. RDP attacks are extremely prevalent when it comes to malware attacks on businesses and organizations. Nevertheless, regular users using the feature are also in danger, so it is important to protect RDP connections with strong passwords and correct configuration settings.

Since many ransomware developers use several different tactics for distribution, it is vital to make sure that other precautionary measures are also practiced. Security experts at dieviren.de[4] provide the following security tips:

  • Backup all important data regularly;
  • Equip your machine with comprehensive security software;
  • Employ additional security tools like ad-blocks and a firewall;
  • Patch your Windows OS along with all installed programs with security updates;
  • Use strong passwords for all your accounts and never reuse them;
  • Never download pirated software installers or cracks/keygens/loaders.

ShivaGood ransomware encrypted files

Delete ShivaGood ransomware before trying to recover the encrypted data

Many users are perplexed about what to do once they are hit by ransomware, as most never encountered it or never even heard of it before. As a general rule, security researchers claim that many cryptomalware viruses simply self-delete after performing the encryption routine. Nevertheless, some might also infect additional modules that steal sensitive data or remain on the system until terminated. Therefore, ShivaGood ransomware removal should always be performed.

Nevertheless, before you remove ShivaGood ransomware, you need to make a copy of encrypted files, as the process might damage them permanently – and the same goes for the recovery. Thus, copy all the encrypted data to the USB flash or a remote server, and then scan your system with anti-malware software to get rid of all the malicious components ShivaGood virus might have dropped. If the malware is tampering with your AV, access Safe Mode, as explained below.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.