Home / Spyware Help / SOREBRECT Ransomware Removal Guide

SOREBRECT Ransomware Removal Guide

by 0 Comments

Do you know what SOREBRECT Ransomware is?

The creators of ransomware infections are using more and more different approaches when it comes to the distribution. SOREBRECT Ransomware is the latest threat to prove that. This infection has been found spreading by exploiting PsExec and Remote Desktop Protocol (RDP) backdoors. Once the infection is in, it wreaks havoc by encrypting personal files and stopping hundreds of different services. Some of them include “dbupdate,” “WseEmailSvc,” “WSS_ComputerBackupSvc,” “CobianBackup11,” and “Browser.” Of course, the victims of this ransomware are unlikely to focus on the latter once they realize that their files are encrypted. According to the ransom note that the infection displays, an AES-256 key is used for the encryption of files, and an RSA-2048 key is used for the encryption of a private key. Due to this, the decryption of your files becomes extremely complicated, and, unfortunately, you cannot fix that by deleting SOREBRECT Ransomware.

The first thing you are likely to discover after the malicious SOREBRECT Ransomware slithers in is the ransom note file called “!!! READ THIS - IMPORTANT !!!.txt”. Needless to say, at this stage, there is nothing that can be done to stop the encryption because it has already been completed. Before that, the infection looks for certain types of files. It also evades some of them. Naturally, this infection does not encrypt Windows files, and it circumvents all .dll, exe, .lnk, and .sys files as well. Once the encryption is performed, the threat appends the “.aes_ni_0day” extension to their names, which is why this threat is usually known by the name “AKA AES-NI Ransomware.” Our research team has also found that the infection creates a key in the Windows Registry to display the so-called Legal Notice when the user logs in. If this registry key is activated, you will see this message when you are logging in:

Dear Owner. Bad news: your server was hacked. For more information and recommendations, write to our experts by e-mail. When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software

Although SOREBRECT Ransomware is a file-less infection (it injects svchost.exe with its own service before removing itself from the computer), it places multiple copies of the ransom note to make the demands clear. According to them, the only way for you to recover your files is to contact cyber criminals at 0xc030@protonmail.ch, 0xc030@tuta.io, or aes-ni@scryptmail.com. When you do that, you should get a response with further instructions demanding a payment for a decryption key or tool. This is why the threat is classified as a ransomware (i.e., malware that demands a ransom). It is suggested that if no response is issued within 48 hours, the victim of SOREBRECT Ransomware should communicate via BitMsg at BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN. Is it possible that you will be able to decrypt your files after communicating with cyber criminals and paying the ransom? Although it is technically possible, you should not put your hopes up. It is more likely that the exchange will be unfair.SOREBRECT Ransomware Removal GuideSOREBRECT Ransomware screenshot
Scroll down for full removal instructions

If SOREBRECT Ransomware has invaded your operating system, the chances are that you will not be able to recover your files. Hopefully, you had thought of the risk beforehand, and your files are safely backed up. Since the infection can disable services associated with system backups, not all backup options might work, but if your files are stored on external drives or online, you should be able to recover them. Of course, do so after you remove SOREBRECT Ransomware. Speaking of removal, although this infection erases itself, you still need to clean your PC, and the guide below should help you. An anti-malware tool can delete the remaining components automatically, and that is not the only reason we suggest using it. Since more and more ransomware infections emerge, you need all the protection you can get, and reliable anti-malware software can help you a lot.

Delete SOREBRECT Ransomware

  1. Launch Windows Explorer (tap Win+E keys).
  2. Enter %HOMEDRIVE% into the bar at the top to access the directory.
  3. Delete the file named $RECYCLE.BIN.
  4. Also, Delete the file named !!! READ THIS - IMPORTANT !!!.txt (note that it might have many copies).
  5. Launch RUN (tap Win+R keys) and enter regedit.exe into the dialog box.
  6. In Registry Editor move to HLKM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\.
  7. Delete the key named LegalNoticeText.
  8. Finally, Empty Recycle Bin to get rid of the malicious ransomware.

In non-techie terms:

Even if you remove SOREBRECT Ransomware from your PC as soon as you discover that your files were encrypted, you will not be able to save them. Once the files are encrypted, they become unreadable, and it is unlikely that you can change that. What about the ransom? You should be introduced to a ransom when you email the creator of the ransomware as instructed via the ransom note. Even if it is promised that a decryptor would be provided to you if you paid it, you must understand that the promises made by unreliable cyber criminals are not to be trusted. Whether or not you get your files back, deleting the ransomware is crucial, and we suggest employing anti-malware software to help you out. If you choose to follow the guide above, do not forget about your system’s security vulnerabilities that could be exploited for the infiltration of other infections in the future.