What is Exorcist 2.0?
Exorcist 2.0 is a new variant of Exorcist, a family of file-encrypting malware. It is categorized as ransomware: it encrypts files on the system and prevents users from accessing them. The malware encrypts the files with an encryption algorithm and appends a random extension to each of them. Once the encryption process is complete, it creates a file with the “HTA” extension which, when opened, displays a ransom note. In addition, Exorcist 2.0 creates a separate “key file” for each encrypted file.
For example, a file named “mypic.jpg” is renamed after encryption to “mypic.jpg.fbqWlh”, and every other file is renamed in the same way.
Exorcist 2.0 Ransomware Description
| Field | Details |
|---|---|
| Name | Exorcist 2.0 ransomware |
| Type | Ransomware, file-encrypting malware |
| Description | Exorcist 2.0 is a ransomware program that encrypts files, photos, videos and other important documents on the target system with a unique key. To recover their files, users have to pay the ransom. |
| Occurrence | Opening spam email attachments, visiting suspicious pages and clicking on malicious links, browser redirection to questionable sites, or delivery via other Trojans. |
| Symptoms | Access to most files on the system is blocked, the desktop wallpaper changes, a ransom message appears. |
| Extension | Random extension of 5 characters, such as fbqWlh |
| Ransom Note | .hta (HTA) file, pop-up window on the desktop screen |
| Ransom Demanded | $300 (in Bitcoin) |
| Email or contact | TOR website |
Method Of Propagation
Exorcist 2.0 ransomware may use various distribution tactics to spread its payload, but the main infection vector is a payload dropper delivered in spam email attachments. The emails are usually disguised as invoices, faxes, job offers or messages from senior officials of the company. During the COVID-19 crisis, spam emails offering the latest information about the pandemic may also be used to trick users into opening them.
Once the user opens the infected attachment, the macro-enabled document runs its macros automatically. These download the malicious files onto the system and then install them.
The malware may also spread through malicious scripts carrying its payload on compromised websites. Social media links, software cracking tools, other Trojans and peer-to-peer file sharing are further ways you may become infected with Exorcist 2.0 ransomware.
The Encryption Process
Upon successful installation, Exorcist 2.0 runs an encryption algorithm to lock the files with a unique key. It typically targets documents, photos, videos and applications of all types on the system.
As mentioned above, the motive is to demand a ransom in exchange for the decryption key held by the authors of the threat. After encryption, each file name is extended with a random 5-character extension, so the full pattern is “originalfilename.<random 5 characters>”.
For example, a file named “home.jpg” would appear as “home.jpg.fbqWlh”. All files are renamed in this way and are no longer accessible. After completing the encryption, the ransomware generates a ransom note containing the contact details of the authors along with a unique ID for the victim.
The Ransom Note
After the encryption is completed, the ransomware creates a ransom note to inform users about the encryption and how they can recover their files. The note is dropped as an HTA file, which can be found in every folder where encryption occurred and on the desktop.
The text of the ransom note is:
All your data has been encrypted with Exorcist 2.0 Ransomware.
Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.
If you don’t pay in time, the price will be increased. Then, if the payment is still not received, your keys will be destroyed.
To do this, install Tor Browser (here: hxxps://www.torproject.org/download/) and follow instructions on this web site: hxxp://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/
IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!
Here are a few points concluded from the ransom note:
- All files on the system, including photos, databases and documents, are encrypted with a unique key;
- Victims can recover them only by paying the ransom to the authors and buying the decryption key from them;
- To contact the authors, users need to install the Tor Browser and visit the given website address.
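The naming pattern and the per-folder HTA drop described above give a defender a simple triage heuristic. The script below is an added example, not the ransomware's code or part of the original article: it walks a folder tree, flags names of the form originalname.ext.<random tail>, and rates a folder "high" only when such files sit beside an .hta note. The sample folder layout, the note file name and the regex are constructed assumptions.

```python
# Added example, not from the article: triage a folder tree for the pattern the
# page describes (originalname.ext.<random tail> beside a dropped .hta note).
# Defender-side heuristic only; the sample tree below is constructed.
import os
import re
import tempfile

# The article says the appended extension is 5 random characters but its own
# sample, "fbqWlh", has six, so the pattern accepts either length.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+\.[A-Za-z0-9]{1,5})\.(?P<tail>[A-Za-z0-9]{5,6})$")


def classify(name):
    """Return 'note' for an .hta drop, 'encrypted' for a renamed file, else None."""
    if name.lower().endswith(".hta"):
        return "note"
    return "encrypted" if ENCRYPTED_RE.match(name) else None


def scan_tree(root):
    """Map each folder to its suspicious files plus a confidence verdict.

    'high' means renamed files sit beside an .hta note in the same folder (the
    combination the article describes); renamed files alone are 'low', since a
    harmless name such as setup.exe.backup also matches the regex.
    """
    report = {}
    for folder, _dirs, files in os.walk(root):
        hits = {"encrypted": [], "notes": []}
        for name in files:
            kind = classify(name)
            if kind:
                hits["notes" if kind == "note" else "encrypted"].append(name)
        if hits["encrypted"] or hits["notes"]:
            hits["confidence"] = "high" if hits["encrypted"] and hits["notes"] else "low"
            report[os.path.relpath(folder, root)] = hits
    return report


def build_sample_tree():
    """Create a constructed folder layout; the note file name is made up."""
    root = tempfile.mkdtemp(prefix="exorcist_triage_")
    layout = {
        "Pictures": ["mypic.jpg.fbqWlh", "home.jpg.fbqWlh", "ransom_note.hta"],
        "Documents": ["budget.xlsx.fbqWlh", "notes.txt"],  # renamed file, no note
        "Tools": ["setup.exe.backup", "readme.txt"],  # benign look-alike
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()
    return root
```

Running `scan_tree(build_sample_tree())` reports Pictures as "high" and the other two folders as "low", showing why the note drop matters for corroboration.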
How To Remove Exorcist 2.0 Ransomware Virus Without Paying the Ransom
To remove Exorcist 2.0 ransomware from a Windows system, follow these steps:
- Method 1. Remove Exorcist 2.0 Ransomware Virus Using Safe Mode With Networking.
- Method 2. Remove Exorcist 2.0 Ransomware Using System Restore.
Method 1: Remove Exorcist 2.0 Ransomware Virus Using Safe Mode With Networking.
In this guide, you will find removal instructions for the Exorcist 2.0 ransomware virus, both manually and using an anti-malware tool. However, manual removal of ransomware threats is nearly impossible, so it is better to run a scan with an anti-ransomware/anti-malware tool to remove the virus.
For Windows XP and 7:
- Click the “Start menu”, then click the arrow next to “Shut Down” and select Restart (just as you normally restart your PC).
- As soon as the computer screen powers on, start tapping the “F8” key until you see the “Advanced Boot Options” screen. If you do not reach the boot screen, restart and press F8 again while the PC is restarting.
- Here, choose the “Safe Mode with Networking” option and press the “Enter” key to troubleshoot Windows; you will need internet access later on.
- You will now see the login screen. Log in with your Administrator account.
NOTE: To get back to your normal Windows configuration, repeat steps 1-3 and select Start Windows Normally.
For Windows 10:
Click Start –> Power, then hold the Shift key on your keyboard and click Restart.
For Windows 8/8.1:
Press “Windows key + C”, then click “Settings”. Click “Power”, hold down the Shift key on your keyboard and then click “Restart”.
- From here the steps are the same for Windows 10 and 8.
- Click “Troubleshoot”.
- Click Advanced options.
- Click Startup Settings.
- Click Restart.
- After your computer restarts, select Safe Mode with Networking.
- Enter your administrative username and password to start Windows in Safe Mode with Networking.
NOTE: To get back to the normal Windows configuration, click Start –> Power and then click Restart.
Now you need to search for files related to Exorcist 2.0 ransomware and delete them. However, finding and deleting them manually is impossible, and it may also affect your other files. Such threats are also clever at hiding their files, which makes removal a tricky process. Therefore, the safest way to get rid of such malware is to use a reliable ransomware removal program; we recommend HitmanPro.Alert, which comes with anti-ransomware detection.
Use HitmanPro.Alert To Remove Exorcist 2.0 Ransomware (Recommended)
HitmanPro.Alert is an advanced anti-malware program with anti-ransomware features that help detect encrypted files and the presence of any ransomware threat. Running HitmanPro.Alert on your computer provides real-time status, checks browser integrity and alerts you to any suspicious activity, so that you can browse and make online transactions safely. Read the full review of HitmanPro.Alert here.
- Click the provided link to download HitmanPro.Alert anti-malware;
- Open the download folder and locate “hmpalert3”;
- Click it to begin the installation;
- If User Account Control prompts you, click “Yes”. The download should begin shortly. The HitmanPro.Alert window will appear, where you need to choose the options:
- Choose Protection level as Maximum
- Tick the other boxes and finally click “Install”.
- HitmanPro.Alert takes only 5 MB of memory and installs very quickly.
- After the installation is complete, the scan starts. The first scan may take some minutes, as it scans the whole computer.
- The scan results are then shown. Look carefully down the list. Here, the scan has found 1 Riskware item and thousands of traces which can be risky.
- You can select each threat to delete, quarantine, ignore or mark as safe. To remove all the threats, simply click the “Next” button below.
- HitmanPro.Alert first creates a restore point and then starts the removal process. This helps to recover from any damage.
So, by performing the above steps, you can get rid of Exorcist 2.0 Ransomware.
Method 2: Remove Exorcist 2.0 Ransomware Virus Using the System Restore Procedure
Another method is the manual way to get rid of ransomware, which is through System Restore. If you do not know much about this process, read here. Click here to perform System Restore in Windows OS.
Safe Mode with Command Prompt (follow the steps above and choose the Safe Mode with Command Prompt option from the boot settings)
To reboot your computer into “Safe Mode with Command Prompt”:
Windows 7 / Vista / XP
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot –> Advanced options –> Startup Settings and finally press Restart.
- Once your computer becomes active, select “Enable Safe Mode with Command Prompt” in Startup Settings window.
Windows 10 / Windows 8
- Click Start –> Restart –> OK.
- When your computer becomes active, start pressing “F8” repeatedly until you see the Advanced Boot Options window.
- Select Command Prompt from the list
To restore your system to the settings it had prior to the Exorcist 2.0 ransomware attack:
- Once the Command Prompt window appears, type “cd restore” and press Enter.
- Then type “rstrui.exe” and press Enter;
- A new window will appear; click “Next”.
- Then select a restore point prior to the Exorcist 2.0 attack, or any other point you want, and click “Next”.
- Now click “Yes” to confirm the system restore.
Once the system restore to your selected date is done, restart your computer normally.
You should download an effective anti-virus program and scan your computer to ensure the successful removal of any threat.
Alternative Software Recommendation
To protect your computer against ransomware threats, we recommend Ransomware Defender, a dedicated tool for preventing ransomware attacks.
Ransomware Defender: A Comprehensive Protection Against Ransomware Threats
This tool is specifically designed to detect and block most ransomware threats before they make any changes to the system. It not only blocks the threats but also stops them completely with its proactive mechanism.
Once installed, Ransomware Defender will automatically Scan > Detect > Lock Down any malicious entry into the system. What we like about this tool is that it works alongside the primary antivirus program without interrupting it. Read Full Review and Installation Guide
How to Restore the Encrypted Files by Exorcist 2.0 Ransomware?
A separate article guides users through various methods of recovering their encrypted files. The ransomware tries to ensure that the files cannot be unlocked by other tools, but you should still try them out.
Click here to know How you can restore the encrypted file.