
EnyBeny Ransomware

By GoldSparrow in Ransomware

The EnyBeny Ransomware is an encryption ransomware Trojan built on HiddenTear, an open-source ransomware project released in 2015. The EnyBeny Ransomware was first observed in October 2018 and has since had several variants. Another variant of the EnyBeny (EnyBenyCrypt) Ransomware was released on November 25, 2018 and may be known as EnyBeny-Nuclear. Both threats are virtually identical.

How a Computer can be Infected by the EnyBeny Ransomware Trojan

The EnyBeny Ransomware works as a typical encryption ransomware Trojan: it uses AES and RSA encryption to encrypt user-generated files, such as files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The EnyBeny Ransomware adds the file extension '.PERSONAL_ID:.Nuclear' to each affected file. However, the EnyBeny Ransomware appears to be implemented poorly: instead of carrying out a recoverable encryption attack, it effectively deletes the victim's data completely.

The EnyBeny Ransomware’s Ransom Demands

The EnyBeny Ransomware still delivers a ransom demand, contained in a new desktop image and in a text file, both in files named 'Hack'. The new desktop background contains the following message, in red text over a black background:

'All your files have been encrypted by EnyBeny uclear
Im mutanted as clay
Before eight hours your files a clear'

The EnyBeny Ransomware's text note of the ransom demand contains the following message:

'###ENYBENY NUCLEAR###
Great! You a member tEnybeny community, mutating completed and all your files has been encrypted!!
Encryption - reversible modification,
created for protect all your files
You can buy decryptor - price 0.00000001 BTC (No decryption, lol! Emails not registred!) For decrypt contact with:
brianmapsligmail.com OR amigo_a@india.com
Free decryption as guarantee (1 file, size not 1 mb)
And for free(or not) decryption please send file: UniqueKEYForGruja.Nuclear.Information
Please not delete this note!
Good luck.
###ENYBENY NUCLEAR###
[random characters represent your ID]'

The EnyBeny Ransomware supposedly creates a unique key but, because of its poor implementation, victims have no way to carry out the EnyBeny Ransomware's demands or follow its instructions and recover their files. In any case, as with all ransomware Trojans, computer users should refrain from contacting the criminals or attempting to negotiate a ransom, since these criminals may have no intention of helping the victims of these attacks to recover.

Protecting Your Data from Threats Like the EnyBeny Ransomware

Once the EnyBeny Ransomware has carried out its attack, the victim's files are lost completely. This is why the best protection against threats like the EnyBeny Ransomware is having the means to restore any compromised data. Malware researchers recommend that computer users keep backup copies of their data and store these backup copies on external devices that are disconnected from the machine between backups, since a variant described below deletes the Shadow Volume Copies and System Restore points on the infected computer.

Update November 16th, 2018 — EnyBeny-Revenge Ransomware

The emerging EnyBeny-Revenge Ransomware marks a relatively small update to the EnyBeny Ransomware family. The EnyBeny-Revenge Ransomware is classified as a variant of the original cyber-threat that exhibits minimal changes. The name of the Trojan refers to the most notable modification applied to the original program. The threat transitions from adding the '.Nuclear' file marker to adding the '.EnyBenied!' extension. Also, the new variant connects to different Command and Control servers. The Trojan is dropped to the Temp directory, and one of the first operations it performs is to delete the Shadow Volume Copies and the System Restore points, to obstruct potential data recovery attempts. Next, the user's data is encrypted and renamed. For example, 'Hanggai-Dink's Song.mp3' is renamed to 'Hanggai-Dink's Song.mp3.EnyBenied!' Researchers dubbed the Trojan the EnyBeny-Revenge Ransomware since the ransom note, 'ENYBENY.TXT', features the following:

'###ENYBENY REVENGE###
Great! You a member #Enybeny community, and all your files has been encrypted!!
Encryption - reversible modification,
created for protect all your files
You can buy decryptor - price 0.00000001 BTC
For decrypt contact with:
filekerk@tutanota.com
OR
yougame@protonmail.com
Free decryption as guarantee (1 file, size not 1 mb)
And for free(or not) decryption please send file: UniqueKEYForGruja.EnyBenied.Information
Please not delete this note!
Good luck.
###ENYBENY REVENGE###'

Also, the threat changes the desktop background to a white image with black text on top that says 'enybeny revenge All your files have been encrypted!' The threat uses 'ENYBENY.png' from the Temp directory to change the user's desktop background before proceeding to self-destruct. Data recovery is impossible without the decryption key, which may be offered to you for sale via the 'filekerk@tutanota.com' and 'yougame@protonmail.com' email accounts. Before you contact the EnyBeny-Revenge Ransomware creators, you should take into consideration that you may not receive a decoder even if you pay. It is best to use backup images and file hosting services to rebuild your file structure. Detection names associated with the EnyBeny-Revenge Ransomware include:

Artemis!15A1836E6593
Ransom:Win32/Genasom
TR/Ransom.wqskh
TROJ_GEN.R002H0CKG18
Trojan.Ransom.REntS.Gen.1
W32/Trojan.VGFV-5044
Win32/Trojan.Ransom.ec8
Win32:Trojan-gen
a variant of MSIL/Filecoder.IX
malicious.e65934
malicious_confidence_80% (W)

Update December 3rd, 2018 — EnyBeny-Cristmas Ransomware

The EnyBeny-Cristmas Ransomware is one of the new variants in the EnyBeny Ransomware family registered at the end of 2018. The EnyBeny-Cristmas Ransomware was reported three weeks before Christmas, and we might see new variants before it is time to set up the Christmas tree. The EnyBeny-Cristmas Ransomware is categorized as a minor update to the EnyBeny Ransomware, following the discovery of the EnyBeny-Revenge Ransomware. The new variant is identical to earlier releases in terms of distribution and the encryption standards it incorporates. The only major change in EnyBeny is the use of the '.Cristmas@india_com' extension for marking the encrypted data. The EnyBeny-Cristmas Ransomware switched to using an email account as the file marker, while the ransom note keeps the same layout with new contact addresses. For example, 'The Qiang peoples.pptx' is renamed to 'The Qiang peoples.pptx.Cristmas@india_com'. The ransom message is enclosed in 'ENYBENY.TXT' and reads:

'–*–*–*–|EnyBeny CRISTMAS|–*–*–*–
Great! You a member 2019 New year #Enybeny community
Encryption algorytm – AES-128 with unique 32 symbols, virus
created for protect all your files
You can buy decryptor – price 0.00000001 BTC
For decrypt contact with:
desktopman228@india.com
OR
care_nlm@tutamail.cc
Free decryption as guarantee (1 file, size not 1 mb)
And for free(or not) decryption please send file: UniqueKEYForadmin.personal.5RGR0X38VJHLELB.Cristmas@india_com.info
Please not delete this note!
Good luck.
–*–*–*–|EnyBeny CRISTMAS|–*–*–*–
P.S If you deletes all copies of key, create file UniqueKEYForadmin.personal.5RGR0X38VJHLELB.Cristmas@india_com.info contains:
——BEGIN ENYBENY KEY——-
[random characters]
——-END ENYBENY KEY——
Your personal id: [random characters]'
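As an added triage example (not code from the page's author or from the malware itself), the following Python script classifies a file listing from an infected machine using only the file markers and note file names quoted on this page for the three variants: '.PERSONAL_ID:.Nuclear', '.EnyBenied!', '.Cristmas@india_com', the 'Hack' note/wallpaper files, 'ENYBENY.TXT', 'ENYBENY.png' and the 'UniqueKEYFor...' key file. Assumptions: the Nuclear marker carries the victim ID between 'PERSONAL_ID:' and '.Nuclear' (the page only gives the marker as '.PERSONAL_ID:.Nuclear'); the sample listing, the 'holiday.jpg' name and the ID 'ABC123' are constructed; the script does name matching only and decrypts nothing.

```python
import os
import re
from collections import Counter, defaultdict

# Suffix each variant appends after the original file extension (as quoted on the page).
# Assumption: for Nuclear, the victim ID sits between 'PERSONAL_ID:' and '.Nuclear'.
VARIANT_MARKERS = {
    "EnyBeny-Nuclear": re.compile(r"\.PERSONAL_ID:[^/\\]*?\.Nuclear$"),
    "EnyBeny-Revenge": re.compile(r"\.EnyBenied!$"),
    "EnyBeny-Cristmas": re.compile(r"\.Cristmas@india_com$"),
}

# Note and wallpaper file names quoted on the page: 'Hack' (original variant),
# ENYBENY.TXT and ENYBENY.png (Revenge and Cristmas variants).
NOTE_NAMES = {"enybeny.txt", "enybeny.png"}

# The 'UniqueKEYFor...' file the notes ask victims to send. It is the only per-victim
# key material the page mentions, so it is reported separately and must not be deleted.
KEY_FILE_RE = re.compile(r"^UniqueKEYFor.*\.(Information|info)$", re.IGNORECASE)


def _basename(path):
    # Accept both Windows and POSIX separators regardless of the analysis host.
    return os.path.basename(path.replace("\\", "/"))


def classify_path(path):
    """Return (variant, original_name) for a renamed file, or (None, None)."""
    name = _basename(path)
    for variant, marker in VARIANT_MARKERS.items():
        m = marker.search(name)
        if m:
            return variant, name[: m.start()]
    return None, None


def is_ransom_note(path):
    name = _basename(path).lower()
    return name in NOTE_NAMES or os.path.splitext(name)[0] == "hack"


def is_key_file(path):
    return bool(KEY_FILE_RE.match(_basename(path)))


def triage(paths):
    """Summarise a listing: per-variant counts, original names, notes and key files."""
    counts = Counter()
    originals = defaultdict(list)
    notes, key_files = [], []
    for p in paths:
        variant, original = classify_path(p)
        if variant:
            counts[variant] += 1
            originals[variant].append(original)
        elif is_key_file(p):
            key_files.append(p)
        elif is_ransom_note(p):
            notes.append(p)
    return {"counts": dict(counts), "originals": dict(originals),
            "notes": notes, "key_files": key_files}


# Constructed sample listing. The .mp3 and .pptx names are the page's own examples;
# 'holiday.jpg' and the victim ID 'ABC123' are made up for illustration.
SAMPLE_LISTING = [
    r"C:\Users\victim\Music\Hanggai-Dink's Song.mp3.EnyBenied!",
    r"C:\Users\victim\Documents\The Qiang peoples.pptx.Cristmas@india_com",
    r"C:\Users\victim\Pictures\holiday.jpg.PERSONAL_ID:ABC123.Nuclear",
    r"C:\Users\victim\Desktop\ENYBENY.TXT",
    r"C:\Users\victim\AppData\Local\Temp\ENYBENY.png",
    r"C:\Users\victim\Desktop\Hack.txt",
    r"C:\Users\victim\Desktop\UniqueKEYForGruja.EnyBenied.Information",
    r"C:\Users\victim\Documents\budget.xlsx",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for variant, n in summary["counts"].items():
        print(f"{variant}: {n} file(s), e.g. {summary['originals'][variant][0]!r}")
    print("ransom notes:", summary["notes"])
    print("key files to preserve:", summary["key_files"])
```

Feed it the output of a recursive directory listing taken from a forensic image, not from the live machine. Files reported under "key_files" and "notes" should be preserved alongside the encrypted data even when no decryptor exists, since they are the only artifacts that tie a victim ID and key file to a specific variant.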

The EnyBeny-Cristmas Ransomware uses the same AES encryption that companies like Google Inc. and Facebook Inc. employ to secure user data and messages. It is not viable to decode the encrypted files without a suitable decryptor and key. Some users may be tempted to write to 'desktopman228@india.com' and 'care_nlm@tutamail.cc', but that is not a good idea. There is no guarantee that paying whatever decryption fee is requested of you would convince the threat actors to hold up their end of the deal. It is better to eliminate the EnyBeny-Cristmas Ransomware with the help of a reputable anti-malware solution and use data backups to recover from the attack. AV vendors use the following detection names for the EnyBeny-Cristmas Ransomware:

Generic.Ransom.Small.5C136167
Generic.Ransom.Small.5C136167 (B)
HEUR:Trojan-Ransom.MSIL.Crypren.gen
MSIL/Filecoder.IX!tr
Ransom.Genasom!8.293 (CLOUD)
TR/Ransom.feief
TROJ_GEN.F0C2C00L318
Trojan ( 0052dbd31 )
Trojan.Win32.Small.4!c
Win32/Trojan.5a2
a variant of MSIL/Filecoder.IX
