For now, Ender Ransomware looks more like a test version than a fully developed malicious application, although we do not know whether it will be updated in the future. Our researchers checked a couple of its samples; they say the malware is poorly written and does not work correctly on some Windows operating systems. Testing also showed that it could not encipher files located on the targeted device. Thus, if you receive Ender Ransomware, there is a chance it will not damage your data, but it could lock your screen. Users who need help unlocking their screen should scroll down below the text and follow the provided instructions. Keep in mind that it is important to erase the malware too, even if it does not do much harm, since it may block the screen again after a restart. For more information about the infection, continue reading our article.
Besides the things we mentioned at the beginning of the text, the messages Ender Ransomware displays also suggest it might still be in the development stage. Most likely, one of its earliest versions showed a warning message saying “i am encrypted your PC Access, but i don't stealed your PC! But if you leave it alone... your PC will be encrypted forever!” The user could see this text because it was shown in the malware’s window, which was placed on top of the locked screen. The rest of the text suggests you need to get a decryption key to unblock the screen, but there is no explanation of how to get it. Our researchers managed to find this key in the malicious application’s source code, but it appears there were more keys, and they had to be submitted through several pop-up windows that appeared one after another. Eventually the screen was supposed to be unlocked, but in the end it was not, which again shows the threat might not be entirely developed yet.
The later version of Ender Ransomware locked the screen and showed a warning message saying the PC was locked and that the user needs a valid encryption key to access the computer. However, this time the note explained how such a code could be obtained. First, it suggested emailing the malware’s creators and asking for further instructions. The only problem is that the cyber criminals did not provide any email address. Then they suggested another option: “if you don't have mail, pay 1 BTC to this BTC adress, and i give you file with codes:w675CQMxg8vXjntc0kEpNRA45xyHv.” One Bitcoin is a huge amount of money (around 5.361 US Dollars at the moment of writing), and it is unclear how the cyber criminals would deliver the needed codes. Therefore, if you encounter one of the Ender Ransomware versions we described, we advise you not to risk your savings when you can unlock your screen free of charge.
To unlock the screen, the user should launch Task Manager and locate the malicious application’s process. The name of the process could be the same as that of a file that was opened before the system got infected, as such a file was most likely the malware’s launcher. Then we recommend restoring the Windows Shell with the help of the Windows Registry. Lastly, the user should find Ender Ransomware’s launcher and erase it permanently. All of these steps are explained in the instructions located below, so feel free to use them for guidance if you require assistance. After the threat is gone, we also recommend scanning the system with a reliable antimalware tool, to confirm the malicious application is gone and to check for any other possible threats.
# | File Name | File Size (Bytes) | File Hash |
---|---|---|---|
1 | 2816c17f976b0a5eff83907cf3d13b688e7882e0762b62cb3e8433d4daa7958e.exe | 21448 bytes | MD5: fd04507e1ae57bab78d7bcb94309922b |

# | Process Name | Process Filename | Main module size |
---|---|---|---|
1 | 2816c17f976b0a5eff83907cf3d13b688e7882e0762b62cb3e8433d4daa7958e.exe | 2816c17f976b0a5eff83907cf3d13b688e7882e0762b62cb3e8433d4daa7958e.exe | 21448 bytes |
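
The checks from the removal steps above, as an added PowerShell example that is not part of the original article: it reports the Winlogon shell setting, running processes and files that match the sample in the table, and changes nothing. It assumes the shell was replaced through the standard Winlogon `Shell` registry value and that the launcher sits in the user's Downloads, Desktop or temp folder; the hash identifies only the one sample listed above.

```powershell
# Added example: report-only triage for the screen locker described on this page.
$KnownMd5  = 'fd04507e1ae57bab78d7bcb94309922b'   # MD5 from the sample table on this page
$KnownSize = 21448                                # file size in bytes from the same table

# Assumption: the lock is set through the standard Winlogon "Shell" value.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-KnownSample {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    # Cheap size comparison first, so only same-sized files get hashed.
    if (-not $item -or $item.Length -ne $KnownSize) { return $false }
    $hash = Get-FileHash -LiteralPath $Path -Algorithm MD5 -ErrorAction SilentlyContinue
    return ($hash -and $hash.Hash -eq $KnownMd5)   # -eq ignores case for strings
}

# 1. Winlogon Shell: the Windows default is "explorer.exe" in HKLM and no value in HKCU.
foreach ($key in $WinlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { Write-Output "[ok]    $key : no Shell value"; continue }
    $state = if ($shell.Trim() -ieq 'explorer.exe') { '[ok]   ' } else { '[CHECK]' }
    Write-Output "$state $key : Shell = $shell"
}

# 2. Running processes whose executable matches the sample's size and hash.
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    if (Test-KnownSample $_.Path) {
        Write-Output "[CHECK] process $($_.Name) (PID $($_.Id)) -> $($_.Path)"
    }
}

# 3. Launcher candidates on disk. These folders are assumed locations, not from the article.
$SearchRoots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
Get-ChildItem -Path $SearchRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { Test-KnownSample $_.FullName } |
    ForEach-Object { Write-Output "[CHECK] file $($_.FullName)" }
```

Any `[CHECK]` line marks something to review by hand before ending the process, restoring the shell value or deleting the file.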