ImSorry Ransomware is a file-encrypting ransomware that was recently discovered by MalwareHunterTeam. It encrypts users’ files using the AES and RSA encryption algorithms and demands a ransom. Is it possible to restore the files without paying the ransom? How can the malware be removed completely? Read on and you will find the answers.
| Threat Name | ImSorry Ransomware, Im Sorry Ransomware or .imsorry ransomware |
| --- | --- |
| Affected systems | Windows operating systems |
| Behaviors | Encrypts files, adding the extension “.imsorry” to the filenames; demands a ransom payment to get files back. |
| Distribution Methods | Spread via spam emails that contain malicious attachments or links |
| Removal Solution | Some regular antivirus programs may fail to detect ImSorry Ransomware, so it is highly recommended that you use a specialized tool to find and delete all files related to this threat. |
ImSorry Ransomware is a type of malware that blocks access to users’ files by encrypting them, appending the .imsorry extension to each one, and demands a ransom of 500 USD. For instance, the image file ‘1.jpg’ is renamed to ‘1.jpg.imsorry’ once it is encrypted. The malware drops a ‘Read me for help thanks.txt’ file in each folder containing encrypted files so that victims can follow the instructions it contains to pay the ransom and get their files back.
Screenshot of the files encrypted by the ransomware:
The ransomware may target files with the following extensions (mostly images and documents that are usually important to the user):
“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
The ‘Read me for help thanks.txt’ text file tells users what happened to their files and how to pay the ransom to decrypt them. Interestingly, the ransom note apologizes for the file encryption and the ransom demand. But if you feel that sorry, why are you still doing it? The note states that the user’s files have been encrypted and that the user has to buy bitcoin and send a payment of $500 to the given BTC address within 3 weeks to get the files back. It threatens to delete the encryption key if the payment is not received. Since decryption requires the victim’s unique key, the files are lost forever if that key is deleted permanently.
Similar to PEC 2017 Ransomware, Jaff Ransomware and HTRS Ransomware, ImSorry Ransomware uses the strong AES and RSA encryption algorithms to block access to users’ data, so it is impossible for victims to decrypt the files manually. So far there is no free decryption tool for this ransomware, and victims can only restore files encrypted by ImSorry Ransomware from backups they made beforehand or by paying the ransom.
Users are advised not to send payments to the cybercriminals, because there is no guarantee that the encrypted files will be decrypted once the criminals are paid. Research shows that many victims receive nothing after paying the ransom and their files remain encrypted. Moreover, paying encourages cybercriminals to develop more variants of the ransomware, or other malware, to earn more money. Thus, we do not suggest you pay the ransom; what you can do now is remove the ransomware and wait for a free decryptor to be released.
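Because recovery depends on backups, a responder needs an inventory of what was hit. The script below is an added example, not code from the original article: it walks a folder, strips the .imsorry suffix to recover the original names to restore from backup (as in ‘1.jpg.imsorry’ → ‘1.jpg’), records where the ‘Read me for help thanks.txt’ note was dropped, and flags not-yet-encrypted files whose extensions appear in the targeted list above. The extension set is an abbreviated subset of that list, and the sample folder is constructed inline.

```python
import os
import tempfile
from pathlib import Path

# Abbreviated subset of the extension list quoted in the article (assumption:
# the real list is much longer; extend this set with the rest as needed).
TARGETED_EXTENSIONS = {
    ".png", ".psd", ".pdf", ".xls", ".xlsx", ".doc", ".docx", ".txt",
    ".jpg", ".gif", ".bmp", ".mp3", ".mp4", ".zip", ".rar", ".sql",
}
ENCRYPTED_SUFFIX = ".imsorry"
RANSOM_NOTE = "Read me for help thanks.txt"


def triage_directory(root):
    """Classify every file under `root` after an ImSorry infection.
    encrypted : original paths (suffix stripped) to look up in backups
    notes     : directories in which the ransom note was dropped
    at_risk   : unencrypted files with a targeted extension (back up first)
    """
    result = {"encrypted": [], "notes": [], "at_risk": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if name == RANSOM_NOTE:
                result["notes"].append(dirpath)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                # '1.jpg.imsorry' -> '1.jpg': the name to restore from backup
                result["encrypted"].append(str(full)[:-len(ENCRYPTED_SUFFIX)])
            elif full.suffix.lower() in TARGETED_EXTENSIONS:
                result["at_risk"].append(str(full))
    for key in result:
        result[key].sort()
    return result


def build_sample_tree():
    """Constructed sample: a temp folder mimicking a partly encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="imsorry_demo_"))
    (root / "photos").mkdir()
    (root / "photos" / "1.jpg.imsorry").write_bytes(b"\x00" * 16)
    (root / "photos" / RANSOM_NOTE).write_text("constructed note text")
    (root / "photos" / "2.png").write_bytes(b"\x89PNG")
    (root / "report.docx").write_bytes(b"PK")
    (root / "readme.md").write_text("extension not in the targeted set")
    return root


if __name__ == "__main__":
    summary = triage_directory(build_sample_tree())
    for key, items in summary.items():
        print(f"{key} ({len(items)}):", *items, sep="\n    ")
```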
How does ImSorry Ransomware spread?
Ransomware is usually distributed by methods such as spam emails, exploits against vulnerable software, drive-by downloads, malicious websites or legitimate websites that have been compromised, malvertising campaigns and so on. For example, the recent worldwide WannaCry attack propagated using EternalBlue, an exploit against Windows’ Server Message Block (SMB) protocol. It can also be spread via spam emails that contain harmful content.
ImSorry Ransomware is typically delivered through malicious email attachments. It can be packaged in installers masquerading as official software updates, fake PDF files, phony FedEx and UPS notices, fake Amazon order dispatch notices, curricula vitae attached to spam emails, etc.
If you have ever visited a website and clicked on a prompt to update Chrome, Adobe Acrobat, Java or Flash Player, you have probably come across one of the ads used to distribute malware, which is sometimes ransomware. Attachments in spam emails are also used to spread the ransomware: the email message tricks you into opening the attachment so that the malware is downloaded and executed on the targeted machine.
How to remove ImSorry Ransomware from your PC?
As mentioned above, no free decryption tool for ImSorry Ransomware is available yet. But you can download and install a specialized tool to detect and remove the malware thoroughly so that no more files are encrypted. The guide below shows you how to enter Safe Mode with Networking and download a malware removal tool to clean up the infection.
Step1: Enter safe mode with networking.
In Safe Mode, only the most basic files and drivers necessary to run Windows, such as the operating system and the drivers for the mouse, keyboard and display, are started. Safe Mode with Networking starts Windows in Safe Mode and also loads the network drivers and services needed to access the Internet or other computers on your network. When your computer is infected with malware but you want to download a new anti-malware program, boot the PC into Safe Mode with Networking and then download the security tool.
(The following steps apply to Windows 10/8/8.1/7/Vista/XP.)
To do this, you need to:

1. Press the Windows key + R on the keyboard to open the Run dialog.
2. Type msconfig and launch the System Configuration utility.
3. In the System Configuration main screen, go to the Boot tab, check the Safe boot box, choose the type of Safe Mode you want in the Boot options section, and click the Apply button.
4. A pop-up window will ask whether you want to restart now. If so, click the Restart button; if not, click the Exit without restart button.
5. If you click Restart, the system restarts in Safe Mode immediately. Choosing Exit without restart makes your PC start in Safe Mode with Networking at the next restart.
Note: Once your problem is solved and you want to boot into normal mode again, launch the System Configuration tool, uncheck the Safe boot box and click Apply.
Step2: Download ImSorry Ransomware removal tool
It is not easy to find and delete all the files associated with the ransomware manually. To get rid of the malware completely, we strongly suggest you download and install a professional anti-malware program to scan for the threats and clean them up automatically. The software recommended below is able to detect and remove the infection quickly and thoroughly with only a few clicks of the mouse.
- Download the SpyHunter setup file on a safe computer that is not infected.
- Copy the downloaded file to the infected PC and run it there. When a dialog box like the one below pops up, click the Run button.
- Select the language you prefer and click the OK button.
- Click CONTINUE to proceed.
- Click I accept the EULA and Policy and click the INSTALL button.
- SpyHunter is now being installed on your PC. This takes only a short time.
- Once SpyHunter is successfully installed on your PC, click the FINISH button.
- Usually, the tool scans the system for malware automatically once the installation is complete. Before scanning, make sure it has been updated to the latest version. On its main screen, click the Scan Computer Now button to run a full system scan.
- SpyHunter will now scan the entire system for existing threats.
- When the scan is done, SpyHunter shows you all detected threats. Click the Fix Threats button to remove them.
- Please note that SpyHunter is a free virus scanner: you need to purchase the full version to completely delete the detected ImSorry Ransomware files from your PC. Restart your PC afterwards.
In addition to the steps above, you can also perform a system restore to remove the ransomware manually. Learn how you can restore your system to an earlier state.
Tips to prevent ransomware like ImSorry Ransomware
Here are some ways to protect yourself from ransomware.
Remember to back up your files regularly
As a preventive measure, we suggest you back up all of the information and files on your devices to an external hard drive that is not connected to the Internet. If your computer is infected with ransomware, you do not have to pay the ransom because you can recover the files from the backup.
Be cautious of spam emails, malicious websites and pop-ups
Since ransomware is commonly delivered through spam emails, malicious adverts on websites, and questionable apps and programs, you need to be very careful when surfing the web. Never open links or attachments in spam emails sent by strangers, or even by your friends, unless you are sure they are 100 percent safe. Do not visit dubious websites such as porn sites or click on the pop-up ads displayed there.
Download and install updates
Download and install software updates promptly to fix vulnerabilities. Vulnerabilities in software or in Windows may be exploited by attackers to spread ransomware like ImSorry Ransomware, so keep your software updated to prevent infection.
Download antivirus programs on your PC
Many anti-malware programs can effectively find and remove infections from your PC. They can block malicious websites while you surf the web and safeguard your system against viruses, Trojans and other malware. It is worth installing an advanced antivirus program on your PC.