In this report we discuss a malicious program we came across recently, known as DeathNote Ransomware. The message it displays may say that all of your files were encrypted and that there is no way to decrypt them unless you agree to pay a ransom. In reality, it seems the malware creates a single archive containing all of the user’s files and puts a password on it. This means the data does not need any decryption; instead, all the user has to do is type a specific password, and the archive with all of their files should open. Further in the text, we explain more about the malware and also mention a password that might help users unlock their data. What’s more, if after reading our text you decide to get rid of DeathNote Ransomware manually, you can follow our recommended deletion steps located at the end of this article. However, keep in mind that the process could be challenging, and it might be easier to install a trustworthy security tool.
It appears the malware could travel with various malicious files, e.g., suspicious email attachments, setup files, fake updates, harmful pop-up ads, and so on. One way or another, the fact that DeathNote Ransomware is in the system should signal that the user is a bit too careless while interacting with content from the Internet. To avoid similar threats in the future, it would be best to stay away from potentially harmful file-sharing web pages or other untrustworthy websites and to ignore doubtful spam emails. Sadly, in some situations it takes only a few moments for the malicious program to ruin the user’s files, since the threat can work silently in the background, and so the victim may not notice anything suspicious. Thus, if you have data you do not wish to lose, it is best to be careful. Another wise idea is to back up all necessary files so that in case of an emergency you would not lose them.
Moreover, our specialists say DeathNote Ransomware works a bit differently from ransomware applications that encrypt data. Apparently, it should not affect any files located on the C disk, because doing so could result in the computer being unable to boot and, consequently, the victim might not see the ransom note and pay the requested sum. Instead of targeting files on the C disk, the malicious program is after data available on other drives attached to the infected computer. For example, files located on the F disk would be placed in an archive titled Death_N0te_encryted_files_of_local_disk_F. As we mentioned in the beginning, such an archive should have a password, and the user could open it only after submitting that password. The password our specialists found while testing DeathNote Ransomware was “pkantnibas722”. We cannot confirm if there is just one password or if it is generated for each computer individually, but we do not think you could lose anything by trying it.
Soon after the user’s files from the same disk are placed in a single archive, the malware should show a pop-up message claiming they were encrypted. It is also supposed to open another window with a ransom note. The note says the user should go to a particular website where they could pay a ransom in exchange for a specific “unlock password.” Needless to say, it would be risky to deal with these people, and you might end up being scammed. Therefore, instead of taking any chances, we recommend erasing the malicious program.
If you do not want to put up with any demands and choose to remove DeathNote Ransomware, we can suggest two ways to eliminate it. First, the user could try to erase it manually by completing the steps created by our specialists; they are located a bit below this paragraph. The second way is to download a reliable security tool, perform a full system scan with it, and wait until it detects this malware and other possible threats. Then just click the removal button, and the tool should clean your system.
|#||File Name||File Size (Bytes)||File Hash|
|1||cmdc.exe||13824 bytes||MD5: ef7d55a21922ba2f39e85c9d4c0f1272|
|2||windows defender.bat||1392 bytes||MD5: d15eb8f7d509ed3b66e32b80e18e06dc|
|3||WARNING.vbs||140 bytes||MD5: 27020740d4833b221ca06db9250705ae|
|4||WIFI-CONNECT.bat||322 bytes||MD5: ce4317af9dffd8582f0aebd88a0d72a5|
|5||note.vbs||203 bytes||MD5: 0fab8a60427ac657dc5a9513b92537ed|
|6||mp3play.exe||27373 bytes||MD5: c2b2653daeaaa112cf8943b5d9a1a998|
|7||WINDEFEND.lnk||2134 bytes||MD5: 6cb2116a15c677f7b82fcfec4c8af36d|
|8||WIFI.lnk||2126 bytes||MD5: ceee1de0c8c818e5dfcc482a642595f5|
|9||deathnote.bat||6356 bytes||MD5: 3f2dff2ccbc64a3eb9d8d703c6d26005|
|10||Rar.exe||562064 bytes||MD5: dc0222f1e0868c3612a93ba2d83b99be|
|11||death.bat||2290 bytes||MD5: 6469f7a1273dff301582ec7b1cd91f31|
|12||50dca038c2306d0d7cc9833216461f979be25421cb67c7b033c30e33ba4b432a.exe||6960762 bytes||MD5: 2b02d485faf03c7abaa2cac243000f60|
|13||death.lnk||2108 bytes||MD5: 8d5bd396f90b124a606fffc683cc9d60|
|14||deathnote.lnk||2102 bytes||MD5: fb77bc6ea00cb9ffe988eef3196015c8|
|15||wget.exe||401408 bytes||MD5: bd126a7b59d5d1f97ba89a3e71425731|
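The file table above can be turned into a simple check of a drive or folder. The following is an added example, not code from the article or from the malware: it parses rows in the table's own layout, matches files by size and MD5, and flags archives whose name starts with the reported Death_N0te_encryted_files_of_local_disk_ prefix. The function names `parse_rows` and `scan` are hypothetical, and the archive is matched by name only because the article does not state its extension.

```python
import hashlib
import re
from pathlib import Path

# Three rows copied from the file table above, in the page's "|a||b||c||d|" layout.
PAGE_ROWS = """\
|9||deathnote.bat||6356 bytes||MD5: 3f2dff2ccbc64a3eb9d8d703c6d26005|
|10||Rar.exe||562064 bytes||MD5: dc0222f1e0868c3612a93ba2d83b99be|
|11||death.bat||2290 bytes||MD5: 6469f7a1273dff301582ec7b1cd91f31|
"""

ROW_RE = re.compile(r"^\|\d+\|\|(.+?)\|\|(\d+) bytes\|\|MD5: ([0-9a-f]{32})\|$")
# Archive name the article reports, e.g. Death_N0te_encryted_files_of_local_disk_F
ARCHIVE_RE = re.compile(r"^Death_N0te_encryted_files_of_local_disk_[A-Za-z]", re.I)


def parse_rows(text):
    """Return {(size, md5): file name} for every well-formed table row."""
    iocs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            iocs[(int(m.group(2)), m.group(3))] = m.group(1)
    return iocs


def scan(root, iocs):
    """Walk root; report files matching the table and archives matching the name."""
    sizes = {size for size, _ in iocs}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if ARCHIVE_RE.match(path.name):
            findings.append(("archive", str(path), path.name))
            continue
        size = path.stat().st_size
        if size not in sizes:  # cheap pre-filter: hash only files of a listed size
            continue
        digest = hashlib.md5(path.read_bytes()).hexdigest()
        if (size, digest) in iocs:
            findings.append(("ioc", str(path), iocs[(size, digest)]))
    return findings


if __name__ == "__main__":
    for kind, path, detail in scan(".", parse_rows(PAGE_ROWS)):
        print(kind, path, detail)
```

A size-and-hash match identifies an exact copy of a listed file; Rar.exe and wget.exe in the table are general-purpose tools, so a match on those alone is only a reason to look closer.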
|#||Process Name||Process Filename||Main module size|