This week, computer security specialists have received reports of yet another variant of the Locky ransomware, called Asasin. This ransomware virus spreads via spam emails and malware files and appends the .asasin extension to encrypted files.
The Asasin ransomware virus uses a strong encryption algorithm with a 2048-bit key. When the ransomware virus encrypts a file, it adds the “.asasin” extension to it. Once the ransomware virus has finished encrypting all documents, photos and music, it creates two files called asasin.htm and asasin.bmp with instructions on how to decrypt all photos, documents and music.
The ransom instructions tell the victim to contact Asasin’s makers in order to decrypt all photos, documents and music. They will demand a ransom (usually $300-1000 in Bitcoins). We do not recommend paying the ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music, especially since you have a chance to recover your files for free using tools such as ShadowExplorer and PhotoRec.
Use the step-by-step guide below to remove Asasin Locky ransomware and try to restore encrypted files.
Table of contents
- What is Asasin Locky ransomware
- How to decrypt .asasin files
- How to remove Asasin ransomware
- How to restore .asasin files
- How to prevent your system from becoming infected by Asasin virus?
- How does your computer get infected with Asasin ransomware virus
- Finish words
What is Asasin Locky ransomware
Asasin is a new variant of the Locky crypto virus (malware which encrypts personal files and demands a ransom). It affects all current versions of Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses very strong hybrid encryption with a large key, which rules out brute-forcing the key needed to decrypt the encrypted photos, documents and music.
When the ransomware infects a system, it uses system directories to store its own files. To run automatically whenever you turn on your system, the Asasin ransomware virus creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to decide which files to encrypt. Almost all types of files are encrypted, including common ones such as:
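One way to review the two autorun keys named above, as an added example that is not part of the original article: it parses saved `reg query` output and reports values that are new or changed compared with a listing taken from a known-clean state. The sample listings and entry names are constructed for illustration.

```python
import re

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Constructed sample listings (not from a real infection), as saved with e.g.
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" > run.txt
BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""
CURRENT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    example-entry    REG_SZ    C:\Users\demo\AppData\Local\Temp\example.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    example-once    REG_SZ    C:\Windows\Temp\example2.exe
"""


def parse_reg_query(text):
    """Return {(key, value_name): data} from saved `reg query` output."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()            # start of a new registry key section
        elif key and (m := VALUE_LINE.match(line)):
            entries[(key, m["name"])] = m["data"]
    return entries


def new_or_changed(baseline, current):
    """Autorun values that are absent from the baseline or now point elsewhere."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}


if __name__ == "__main__":
    diff = new_or_changed(parse_reg_query(BASELINE), parse_reg_query(CURRENT))
    for (key, name), data in sorted(diff.items()):
        print(f"REVIEW {key} :: {name} -> {data}")
```

An entry reported here is only a candidate for review; legitimate software also adds values to these keys.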
.dxg, .hkdb, .3fr, .wbz, .xll, .lrf, .2bp, .mddata, .t13, .accdb, .raf, .db0, .wgz, .apk, .py, .rb, .zi, .m2, .rgss3a, .litemod, .sql, .ibank, .js, .kdb, .png, .xdl, .wp4, .wpd, .wri, .xld, .sidn, .jpg, .pdd, .wpe, .ybk, .srf, .orf, .zip, .x, .w3x, .webp, .3dm, .arw, .wmv, .wsd, .cas, .sum, .psk, .odt, .svg, .epk, .iwd, .rim, .forge, .menu, .tax, .mdf, .mrwref, .der, .xlk, .iwi, .3ds, .wp6, .csv, .ai, .wpb, .txt, .wpl, wallet, .wsc, .vcf, .wbd, .gdb, .xls, .xx, .odm, .xlsb, .x3d, .blob, .ltx, .wdb, .gho, .dbf, .dng, .odb, .bkf, .wbmp, .pkpass, .xwp, .bay, .t12, .pak, .mlx, .webdoc, .xyp, .rwl, .bc6, .jpeg, .jpe, .sidd, .z, .docm, .kdc, .pst, .sb, .wp, .xyw, .ptx, .hkx, .wma, .zip, .big, .pdf, .arch00, .sav, .vdf, .lbf, .xxx, .1, .eps, .ods, .snx, .ysp, .dazip, .xbplate, .xlsx, .wsh, .psd, .mp4, .m3u, .mdb, .dba, .sie, .xdb, .wmd, .itdb, .syncdb, .bsa, .wma, .xls, .wps, .vpp_pc, .wot, .z3d, .fos, .pef, .xlsm, .ws, .raw, .rtf, .nrw, .wpt, .hvpl, .rar, .wmv, .wbc, .pptm, .wire, .p7b, .erf, .x3f, .dwg, .ncf, .xlgc, .asset, .crt, .yal, .vtf, .yml, .icxs, .wbm, .cr2, .ff, .map, .7z, .wp7, .wbk, .cdr, .flv, .zdb, .r3d, .wotreplay, .odc, .p12, .wdp, .wpw, .xlsx, .bc7, .wpg, .zdc, .p7c, .rw2, .qic, .bik, .1st, .css, .layout, .xlsm, .odp, .wmf, .vfs0, .wm, .indd, .xpm, .wmo, .zw, .srw, .crw, .lvl, .wp5, .ppt, .wps, .wn, .d3dbsp, .xmmap, .das, .re4, .desc, .hplg, .wpa, .bkp, .mef, .itl, .avi, .y, .wb2, .sis, .zabw, .kf, .dmp, .zif, .qdf, .fsh, .sid, .xar, .xf, .xmind, .ztmp, .pptx, .xbdoc, .x3f, .rofl, .bar, .m4a, .sr2, .fpk, .0, .tor, .mdbackup, .wav, .itm, .cer, .mov, .ntl, .docx, .mpqge, .vpk, .xy3, .pfx, .wcf, .upk, .dcr, .xml, .doc, .slm, .pem, .mcmeta
Once a file is encrypted, its extension is changed to .asasin. Next, the virus creates two files named asasin.htm and asasin.bmp. These files contain instructions on how to decrypt all encrypted documents, photos and music. An example of the instructions is:
IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
4. Follow the instructions on the site.
!!! Your personal identification ID: !!!
The Asasin ransomware virus actively uses scare tactics, giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It tries to pressure the user of the infected machine into paying the ransom without hesitation in an attempt to restore their files.
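To scope the damage before cleaning or restoring, the markers described above (the .asasin extension and the asasin.htm / asasin.bmp notes) can be inventoried per folder. This is an added example, not part of the original article; the function names are hypothetical.

```python
import os
import sys
from collections import Counter

ENCRYPTED_EXT = ".asasin"                   # extension named in the article
NOTE_NAMES = {"asasin.htm", "asasin.bmp"}   # ransom-note files named in the article


def scan(root):
    """Walk `root`; return (encrypted_paths, note_paths, untouched_count)."""
    encrypted, notes, untouched = [], [], 0
    # onerror swallows unreadable directories so one denied folder does not stop the scan
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NOTE_NAMES:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            else:
                untouched += 1
    return sorted(encrypted), sorted(notes), untouched


def by_top_folder(root, paths):
    """Count files per first-level folder under `root` ('.' means root itself)."""
    counts = Counter()
    for path in paths:
        parts = os.path.relpath(path, root).split(os.sep)
        counts[parts[0] if len(parts) > 1 else "."] += 1
    return dict(counts)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    encrypted, notes, untouched = scan(root)
    print(f"{len(encrypted)} encrypted, {len(notes)} ransom notes, {untouched} other files")
    for folder, count in sorted(by_top_folder(root, encrypted).items()):
        print(f"  {folder}: {count} encrypted file(s)")
```

The per-folder counts show which directories to look for first in ShadowExplorer or in PhotoRec's output.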
How to decrypt .asasin files
Currently there is no available way to decrypt .asasin files, but you have a chance to restore encrypted photos, documents and music for free. The ransomware repeatedly tells the victim that it uses a hybrid AES + RSA encryption mode. This means that decrypting the files is impossible without the private key. Brute forcing is also not a solution because of the length of the key. Therefore, unfortunately, paying the authors of the Asasin ransomware virus the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after you pay a ransom to the makers of the Asasin ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new viruses.
How to remove Asasin ransomware
The Asasin ransomware virus can hide its components, which makes them difficult to find and remove completely. As a result, after some time the ransomware virus may infect your personal computer again and encrypt your personal files. Moreover, note that it is not always safe to remove a ransomware virus manually if you do not have much experience in setting up and configuring the MS Windows operating system. The best way to look for and remove Asasin ransomware is to use the free malware removal applications that are listed below.
To remove Asasin Locky ransomware, use the free utilities listed below:
- How to remove Asasin with Zemana Anti-malware
- Run Malwarebytes to remove ransomware
- Scan and clean your PC system of virus with KVRT
How to remove Asasin with Zemana Anti-malware
We suggest you run Zemana Anti-malware, which can completely clean your PC system of this virus. Moreover, the tool will allow you to remove potentially unwanted software, malicious software, toolbars and adware that your PC may also be infected with.
Download Zemana Free on your Microsoft Windows Desktop by clicking on the link below.
When downloading is finished, close all programs and windows on your computer. Open the directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as displayed in the figure below.
When the installation begins, you will see the “Setup wizard” which will help you install Zemana on your personal computer.
Once the install is finished, you will see a window as displayed on the image below.
Now click the “Scan” button to begin scanning your personal computer for the Asasin virus and other security threats. Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. While the Zemana program is scanning, you can see the number of objects it has identified as threats.
After the scan is finished, Zemana will show a list of all items found by the scan. Review the scan results and then click the “Next” button.
Zemana will delete Asasin ransomware related files, folders and registry keys and add the threats to the Quarantine.
Run Malwarebytes to remove ransomware
Getting rid of the Asasin virus manually is difficult, and often the virus is not completely removed. Therefore, we recommend you use Malwarebytes Free, which can completely clean your computer. Moreover, the free program will help you to get rid of malicious software, PUPs, toolbars and adware that your machine may also be infected with.
- Download MalwareBytes from the following link. Save it to your Desktop so that you can access the file easily.
- After the downloading process is finished, close all apps and windows on your computer. Open the file location. Double-click on the icon that’s named mb3-setup.
- Next, click the Next button and follow the prompts.
- Once setup is done, click the “Scan Now” button to start scanning your system for the Asasin ransomware virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your PC. During the scan MalwareBytes Anti Malware will find the threats that exist on your PC system.
- Once MalwareBytes Anti-Malware (MBAM) completes the scan, MalwareBytes will produce a list of unwanted and adware applications. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Quarantine Selected”. When the procedure is done, you may be prompted to restart your system.
Scan and clean your PC system of virus with KVRT
If MalwareBytes Anti-Malware or Zemana Anti-malware cannot remove the Asasin Locky ransomware, then we suggest running KVRT. KVRT is a free removal utility for viruses, ad-supported software, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Desktop.
After the downloading process is complete, double-click on the KVRT icon. Once the initialization procedure is finished, you will see the Kaspersky virus removal tool screen like below.
Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next press the Start scan button to search for the Asasin virus and other known infections. While the KVRT program is scanning, you can see how many objects it has identified as threats.
After the scanning is done, a list of all detected items is prepared as shown in the following example.
Make sure all threats have a ‘checkmark’ and click on Continue to begin the cleaning task.
How to restore .asasin files
In some cases, you can recover files encrypted by the Asasin ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.
To restore .asasin files, use the following free tools:
Restore .asasin files with ShadowExplorer
If automated backup (System Restore) is enabled, then you can use it to restore .asasin files to previous versions.
Download ShadowExplorer from the link below. Save it to your Desktop.
After the downloading process is complete, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Double-click ShadowExplorerPortable to start it. You will see a window as displayed on the image below.
In the top left corner, select the drive where the encrypted files are stored and the latest restore point as shown on the screen below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click on it and select Export as shown on the image below.
Run PhotoRec to recover .asasin files
Before a file is encrypted, the Asasin ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore applications like PhotoRec.
Download PhotoRec from the link below. Save it on your Microsoft Windows desktop or in any other place.
When downloading is finished, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as shown on the screen below.
Select a drive to recover as shown below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as displayed below.
Click the File Formats button and select the file types to recover. You can enable or disable the restore of certain file types. When this is done, click the OK button.
Next, click Browse button to choose where restored files should be written, then press Search.
The count of restored files is updated in real time. All restored files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, click on the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents as shown on the screen below.
All recovered personal files are written to recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your recovered files by extension and/or date/time.
How to prevent your system from becoming infected by Asasin virus?
Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.
Run CryptoPrevent to protect your system from Asasin ransomware virus
Download CryptoPrevent from the link below. Save it on your Desktop.
Run it and follow the setup wizard. Once the installation is complete, you will be shown a window where you can choose a level of protection, as displayed on the screen below.
Now click the Apply button to activate the protection.
How does your computer get infected with Asasin ransomware virus
The Asasin ransomware is distributed through spam emails. Below is an email that is infected with a virus like the Asasin ransomware virus.
Once this attachment has been opened, the virus will be started automatically without you even noticing. The Asasin ransomware virus will start the encryption procedure. When this process is finished, it’ll display the usual ransom note like the one above in asasin.htm and asasin.bmp.
After completing the guide shown above, your personal computer should be clean of the Asasin ransomware virus and other malicious software. Your PC system will no longer encrypt your personal files. Unfortunately, if the instructions do not help you, then you have caught a new variant of the virus, and the best way forward is to ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next click the “Do a system scan only” button.
- When the scan is finished, the scan button will read “Save log”; press it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Asasin ransomware.