777decoder777 Virus (MedusaLocker Ransomware) Removal

Written by Brendan Smith
777decoder777 is a brand-new ransomware called MedusaLocker is being proactively dispersed as well as victims have been seen from throughout the world. It is not known at this time, exactly how the cyber-criminals are distributing this infection.

What is MedusaLocker?

MedusaLocker is a piece of malicious software, classified as ransomware

The 777decoder777 ransomware is most commonly spread by means of a payload dropper. It runs the malicious script that eventually installs the file virus. The threat circulates actively on the web, considering the facts about the ransomware mentioned in the VirusTotal database. The 777decoder777 ransomware may also promote its payload files through popular social networks and via file-sharing platforms. Alternatively, some free applications hosted on many popular resources may also be disguised as helpful tools, whereas they instead may lead to the malicious scripts that injected the ransomware. Your personal caution to prevent the 777decoder777 virus attack matters a lot!

777decoder777 ransomware is a infection that encrypts your data and presents a frustrating ransomware notice. Below is the screenshot depicting the ransomware note:

All your data are encrypted!

All your data are encrypted!

Quotation of the RECOVER_INSTRUCTIONS.html scary message:

All your data are encrypted!

What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:
777decoder777@protonmail.com
If you will get no answer within 24 hours contact us by our alternate emails:
777decoder777@tfwno.gf

What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:

[XXXXX]

Attention!

- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.

777decoder777 – How did I get MedusaLocker?

When the MedusaLocker ransomware is mounted to your PC, it will do different startup routines to prepare your computer for encryption
Step 1

MedusaLocker will create the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key and also established it to 1. This is done to make certain mapped drives come also in a UAC launched process.

Step 2

Next, ransomware will restart the LanmanWorkstation service in order to make certain that Windows networking is running which mapped network drives come.

Step 3

MedusaLocker will seek as well as end the complying with procedures in order to shut down security programs and to make certain all data files are closed and easily accessible for encrypting:

wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, 
Culserver, RTVscan, sqlbrowser, SQLADHLP, QBIDPService, Intuit.QuickBooks.FCS, 
QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu, SQLADHLP, 
vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8, wxServer.exe, 
wxServerView, sqlservr.exe, sqlmangr.exe, RAgui.exe, supervise.exe, Culture.exe, 
RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32.exe, QBDBMgr.exe, 
qbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, 
fdlauncher.exe, MsDtSrvr.exe, tomcat6.exe, java.exe, 360se.exe, 360doctor.exe, 
wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.exe, ZhuDongFangYu.exe
Step 4

Finally, it gets rid of the Shadow Volume Copies to ensure that they can not be made use of to bring back files, gets rid of back-ups made with Windows back-up, and also disables the Windows automatic start-up repair work making use of the complying with commands:

vssadmin.exe Delete Shadows /All /Quiet
wmic.exe SHADOWCOPY /nointeractive
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
Step 5

MedusaLocker will currently begin to scan the computer’s drives for files to encrypt. When encrypting documents, it will miss all data that have the extensions.exe,. dll,. sys,. ini,. lnk,. rdp,. encrypted (or other expansion utilized for encrypted files) in addition to data in the adhering to folders.

USERPROFILE
PROGRAMFILES(x86)
ProgramData
\AppData
WINDIR
\Application Data
\Program Files
\Users\All Users
\Windows
\intel
\nvidia

When encrypting documents, it will use AES file encryption to encrypt the data and afterwards the AES key will be encrypted by a RSA-2048 public key consisted of in the virus executable.

For every data that is encrypted, it will add among the adhering to extensions depending on the version of the ransomware.

  • .encrypted
  • .bomber
  • .boroff
  • .breakingbad
  • .locker16
  • .newlock
  • .nlocker
  • .skynet

When done, the ransomware will rest for 60 secs and afterwards scan the drives again for new files to encrypt.

When mounted, this ransomware will likewise duplicate itself to %UserProfile%\AppData\Roaming\svchostt.exe and also create a scheduled job that releases the program every 30 mins in order to continue to be resident.

Remove MedusaLocker Virus

Reasons why I would recommend GridinSoft1

There is no better way to recognize, remove and prevent ransomware than to use an anti-malware software from GridinSoft2.

Download GridinSoft Anti-Malware.

You can download GridinSoft Anti-Malware by clicking the button below:

Run the setup file.

When setup file has finished downloading, double-click on the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.

Run Setup.exe

An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click “Yes” to continue with the installation.

GridinSoft Anti-Malware Setup

Press “Install” button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your computer for 77decoder777 infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.

GridinSoft Anti-Malware Scanning

Click on “Clean Now”.

When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the “Clean Now” button in right corner.

GridinSoft Anti-Malware Scan Result

How to decrypt MedusaLocker files?

It is not understood at this time just how much the aggressors are requiring for a decryptor or if they actually supply one after paying.

This ransomware is still being looked into, so it is not known if it can be decrypted currently.

In the meantime, if you have any kind of inquiries or require help with this ransomware, you can leave a comment right here

What the next?

If the guide doesn’t help you to remove 777decoder777 infection, please download the GridinSoft Anti-Malware that I recommended. Also, you can always ask me in the comments for getting help.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

References

  1. GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
  2. More information about GridinSoft products: http://gridinsoft.com/products/

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.