ASN1 Ransomware Removal And File Recovery Guide

ASN1 is a ransomware family that has been circulating for some time and recently received an update. It encrypts your files using asymmetric cryptography (the attackers' public key protects the key that unlocks your files, so the matching private key never exists on your machine) and demands a payment in Bitcoin to make them usable again. The virus drops “!!!!!readme!!!!!.htm” ransom notes and asks you to copy a “Personal page” payment link and open it in the TOR browser or a regular browser.

This virus differs from most ransomware in that it stores the encrypted files as Cryptographic Message Syntax (CMS) envelopes, an ASN.1-encoded container format normally used for secure e-mail. It also does not change file extensions, so you might not notice the problem until you try to open a file. The ransomware has no name of its own; “ASN1” refers to the encoding of its output rather than to anything its creators call it.

The code quality of this ransomware is also lower than that of its better-known competitors. It nevertheless leaves the files unopenable, and virus researchers have not yet produced a decrypter that can deal with it. Even so, we strongly discourage you from paying the ransom: there are recorded cases of victims who were ignored and never received the decryption software after paying.

We have an automatic removal and protection tool that should eliminate the virus and act as an antivirus in the future. We also have a guide to help recover files encrypted by ASN1. Finally, we have prepared a manual removal guide for more experienced users, but keep in mind that you will still need to protect your computer afterwards.


Recommended Method: Download ASN1 Ransomware Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.

What is ASN1 ransomware?

As mentioned before, this ransomware has no real name and “ASN1” is the label security researchers gave it. It can still be told apart from similar viruses: its warning window has buttons that copy its payment website links to the clipboard.

The virus uses a less conventional file format for its output and its code lacks sophistication. That gives some hope that a decrypter might appear (a decrypter would depend on mistakes in how the malware handles its keys, not on breaking the encryption itself); for now, however, there is no direct and easy way to recover the files.

The virus spreads through well-known channels including spam e-mails and bundled or pirated software installers. It has also recently been found to be delivered by the Rig exploit kit, which attacks outdated browser plugins such as Flash and Java when you visit a compromised or malicious web page. You can therefore become a victim even if you never open a suspicious e-mail or link.

ASN1 infiltrates Windows and places its files in several system locations, then starts encrypting your files. Once it finishes, the files become unopenable (although their names and extensions remain unchanged) and a ransom note called “!!!!!readme!!!!!.htm” is dropped in every folder with affected files. A warning window stating “ALL YOUR FILES WERE ENCRYPTED” or “Your computer is under attack” pops up as well and instructs you to copy the payment website link and visit it in the TOR browser or a regular browser.
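How such a file can be recognised, as an added example for this guide (it is not code from the ransomware, from the researchers who named it, or from any removal tool): a CMS envelope is a DER-encoded ContentInfo that begins with a SEQUENCE followed by the id-envelopedData object identifier 1.2.840.113549.1.7.3, so a short header check finds the encrypted files whatever extension they carry. The script below walks a directory tree, reads only the first 64 KiB of each file, and for every CMS EnvelopedData file reports the content cipher and the size of the wrapped key, which lets you check claims such as the ransom note's "1024 bit key" and "TripleDES" against the files themselves. It assumes the files are plain DER with an RSA key-transport recipient, the structure standard CMS tooling produces; the sample blob it builds is constructed for the demonstration, not a real specimen.

```python
"""Added example for this guide, not code from the ransomware or from any vendor tool.
Recognises CMS EnvelopedData files regardless of extension and reads the envelope parameters.
Assumption: DER ContentInfo{id-envelopedData} carrying an RSA KeyTransRecipientInfo."""
import os

SEQUENCE, SET, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x31, 0x02, 0x04, 0x05, 0x06
OID_ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")   # 1.2.840.113549.1.7.3
OID_ID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")       # 1.2.840.113549.3.7
CIPHER_NAMES = {"1.2.840.113549.3.7": "des-ede3-cbc", "1.2.840.113549.3.2": "rc2-cbc",
                "2.16.840.1.101.3.4.1.2": "aes128-cbc", "2.16.840.1.101.3.4.1.42": "aes256-cbc"}


def read_tlv(buf, pos=0, partial=False):
    """One DER TLV at buf[pos] -> (tag, value, next). partial=True lets a container whose
    declared length overruns the buffer come back cut short (for header-only reads)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length (BER) not handled")
    if length & 0x80:                                 # long form: 0x8N then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) and not partial:
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], min(pos + length, len(buf))


def decode_oid(raw):
    """Dotted string from OBJECT IDENTIFIER contents."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))


def parse_cms_header(data):
    """Envelope parameters if data starts with CMS EnvelopedData, else None."""
    try:
        tag, ci, _ = read_tlv(data, partial=True)                   # ContentInfo
        tag2, ctype, pos = read_tlv(ci)                             # contentType OID
        if tag != SEQUENCE or tag2 != OID or ctype != OID_ENVELOPED_DATA:
            return None
        tag, wrapped, _ = read_tlv(ci, pos, partial=True)           # [0] EXPLICIT content
        tag2, ed, _ = read_tlv(wrapped, partial=True)               # EnvelopedData
        if tag != 0xA0 or tag2 != SEQUENCE:
            return None
        _, _, pos = read_tlv(ed)                                    # version
        tag, rinfos, pos = read_tlv(ed, pos)                        # SET OF RecipientInfo
        tag2, ri, _ = read_tlv(rinfos)                              # first recipient
        if tag != SET or tag2 != SEQUENCE:                          # untagged = KeyTransRecipientInfo
            return None
        _, _, p = read_tlv(ri)                                      # version
        _, _, p = read_tlv(ri, p)                                   # rid
        _, key_alg, p = read_tlv(ri, p)                             # keyEncryptionAlgorithm
        _, enc_key, _ = read_tlv(ri, p)                             # encryptedKey = one RSA block
        _, eci, _ = read_tlv(ed, pos, partial=True)                 # EncryptedContentInfo
        _, _, p = read_tlv(eci)                                     # inner contentType
        _, content_alg, _ = read_tlv(eci, p)                        # contentEncryptionAlgorithm
        key_oid = decode_oid(read_tlv(key_alg)[1])
        cipher = decode_oid(read_tlv(content_alg)[1])
    except (ValueError, IndexError):
        return None
    return {"key_transport": key_oid, "encrypted_key_bits": len(enc_key) * 8,  # RSA block == modulus size
            "cipher": cipher, "cipher_name": CIPHER_NAMES.get(cipher, "unknown")}


def scan_tree(root, header_bytes=65536):
    """Yield (path, info) for every file under root whose first header_bytes parse as EnvelopedData."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    info = parse_cms_header(f.read(header_bytes))
            except OSError:                     # locked or unreadable: skip, keep sweeping
                continue
            if info:
                yield path, info


def der(tag, body):
    """DER encode one TLV (used only to build the constructed sample)."""
    n = len(body)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body


def build_sample_file(key_bits=1024, cipher_oid=OID_DES_EDE3_CBC, payload_len=131072):
    """Constructed EnvelopedData in the assumed shape; test data, not a real specimen."""
    rid = der(SEQUENCE, der(SEQUENCE, b"") + der(INTEGER, b"\x01"))                 # IssuerAndSerialNumber
    key_alg = der(SEQUENCE, der(OID, OID_RSA_ENCRYPTION) + der(NULL, b""))
    rinfo = der(SEQUENCE, der(INTEGER, b"\x00") + rid + key_alg + der(OCTET_STRING, b"\xa5" * (key_bits // 8)))
    content_alg = der(SEQUENCE, der(OID, cipher_oid) + der(OCTET_STRING, b"\x00" * 8))  # cipher + IV
    eci = der(SEQUENCE, der(OID, OID_ID_DATA) + content_alg + der(0x80, b"\x5a" * payload_len))
    enveloped = der(SEQUENCE, der(INTEGER, b"\x00") + der(SET, rinfo) + eci)
    return der(SEQUENCE, der(OID, OID_ENVELOPED_DATA) + der(0xA0, enveloped))


if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else [("sample", parse_cms_header(build_sample_file()))]
    for path, info in hits:
        print(f"{path}: {info['cipher_name']}, key wrapped with {info['encrypted_key_bits']}-bit RSA")
```

Run it with the path of a folder copied from an affected machine. A file whose header does not parse (BER indefinite lengths, or a RecipientInfo other than RSA key transport) is simply not reported, so treat a miss as "not confirmed" rather than "clean"; a hit tells you the cipher the attackers actually used and the RSA modulus size, which is what the ransom note's "1024 bit" claim refers to.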

There are several variations of the ransom note:

ALL YOUR FILES WERE ENCRYPTED!
1. Download and install TOR browser (recommended) or use your standard browser.
2. Follow the link that was generated for you.
3. On the next page you will see a Bitcoin wallet to pay, after you pay, you will get the key for decrypting your files.
4. Highlight (CTRL + A) and copy (CTRL + C) the key in clipboard, decoding will start.
5. Please, do not open files during decryption - opened files can not be decrypted.

Another, which comes with the updated version:

Your computer is under attack. Each file has been encrypted. 
In order to restore them, please read the following instruction.
What do you need to know?
a. You can not restore the files by yourself without our assistance. 
1024 bit encryption key has been used. All files encrypted with TripleDES algorithm.
b. We guarantee complete recovery. To prove it, you can choose any file in your computer and we can easily decrypt it.
c. An interference into the process will lead to the data loss. 
We highly recommend you not to open the important files and we can not be held responsible for them.
What are you supposed to do in order to decrypt the system?
1. Download and install the TOR browser. The link can be obtained by clicking on the button "COPY LINK(Download TOR browser)".
It will take about 5 minutes to install it as any other browser.
2. Open the personal page in the TOR browser.
You can get the link by clicking on the button "COPY LINK(Personal Link)".
3. On the personal page you can see a unique BitCoin wallet and the amount you are supposed to deposit.
BitCoin is popular e-currency. There are more than 100 different ways you can buy BitCoin.
4. Deposit the required amount to BitCoin wallet.
Once payment is received and confirmed, your private key will appear on the page.
5. Copy paste the private key. Decoding process will start automatically.
Select the private key and then press "CTRL + C".
6. On the personal page you can ask for help in customer service.
ATTENTION!
For decryption our application must be running. If you do not see this text, so antivirus removed the application.
Download and install it again on the personal page.
Make sure to save the link for your personal page.
PERSONAL PAGE

Both notes direct you to a “Personal page” which explains how and where to pay the ransom in Bitcoin and links to a decryption program, often labelled “Download cryptolocker”. The payment website also shows the time remaining before the ransom amount increases. You can also “chat with support” through a link at the bottom of the page:

Your files were encrypted!
1(0) BTC -> [Bitcoin wallet address]
For getting decryption key, you must pay amount, written above, to the bitcoin address, written above. Amount in brackets indicates already paid amount. For buy bitcoin online, google it now. This page will refresh every 120 seconds. If you already paid, please, wait for page refreshing.
If software was deleted, download it now. Absence of payment during next five days will double the amount.
Chat with support now

The updated website version again has different and slightly longer text:

Personal page
Remaining time is: (after the time is expired, the required amount will be increased in 2 times)
The bitcoins left to be paid: 0.5 BTC
The wallet for the payment: [Bitcoin wallet address]
ANY ATTEMPT TO REMOVE OR DAMAGE THIS CRYPTOLOCKER will lead to the loss of the private key and to the loss of your files.
To make sure that the files can be decrypted, you can decrypt any of the encrypted files for free.
To decrypt the file, follow the link Chat with support.
In the opened window click the Browse button, select the file to decrypt and click Send.
When you upload the page again, you will receive the link for downloading the decrypted file.
Download cryptolocker
Chat with support

Even though the criminals promise to provide you with the decryption key, there is no guarantee that they will not ignore you after payment. Some users have already posted about unsuccessful attempts to decrypt their files after paying. Others have noticed that while the chat support will sometimes decrypt one demonstration file to convince you to pay, they often do not respond to other questions.

We strongly discourage you from paying any money to the creators of this ransomware. By financing the criminals you mark yourself as a paying victim and could be targeted again in the future. The decryption tool they hand you is their code running on your machine and might carry a backdoor, and even a successful decryption leaves the infection itself in place. Therefore, you should properly clean up your system, eliminate ASN1 and try to recover files using the methods listed at the end of this article.

We have an automatic tool which will remove the ransomware and secure your computer to protect it from any further infections. We have also prepared a manual guide for more experienced users. However, you will still need to secure your computer after the removal process.

Screenshots of the ransomware: [images not reproduced here]


Manual Removal Instructions:

NB: Bookmark this page so you can return to it after restarting your computer during the removal process! You can also open it on another device or simply print it out.

Make sure you understand the risks of editing important Windows files and settings. We recommend using the automatic removal tool for an easier removal process and to avoid damaging your Windows installation, since ASN1 is a complicated and dangerous virus.

Do not skip any steps, as otherwise the threat might come back.

Step 1:

Restart your computer in Safe Mode.

When your computer is infected by a virus, some of its features may be locked or compromised. You can bypass this by rebooting into Safe Mode, which starts only the essential Windows components and so lets you remove the virus.

Since Safe Mode only has the most basic features, do not be alarmed that Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, repeatedly press the F8 key until the boot options menu (Advanced Boot Options) appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter. You need the networking variant so that you can reach virustotal.com in the steps below.
  4. Wait for Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and repeatedly hitting F8 may not work on these versions because booting is much faster and the key press is often missed. Try this method first and move on to the others if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, repeatedly press the F8 key.
    If it does not work, repeat the procedure holding Shift while pressing F8.
  3. When the recovery menu appears, continue from step 5 of the Shift+Restart method below (Startup Settings).

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe boot” in Boot options, select “Network” beneath it (so you get Safe Mode with Networking) and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode. This setting is persistent: once the cleanup is finished, open msconfig.exe again and uncheck “Safe boot”, or Windows will keep booting into Safe Mode.

System Recovery method (4/4):

If everything above fails you can try booting from a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB stick (works with Windows 8 and 8.1). You will then be able to choose the Troubleshoot option; the remaining steps are identical to the Shift + Restart method from #3 onwards.

Step 2:

Find any processes that might belong to the ASN1 virus and terminate them. They are usually randomly named .exe files (e.g. 6205c025.exe).

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking the taskbar and choosing Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each process manually.

We recommend not skipping any of the processes, as malware sometimes hides behind names that look like essential Windows components.

Right-click on each of the processes in the list and choose Open File Location.

Go to virustotal.com and check the file. Prefer looking it up by hash before uploading: run "certutil -hashfile <path to the file> SHA256" in a command prompt and paste the result into VirusTotal's search box. An upload shares the file with VirusTotal's customers, which matters if the executable turns out to be something private, and a hash hit already tells you whether the sample is known.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all processes.

You might not find any malicious process: according to the reports we have, the virus usually only leaves the HTML ransom notes behind and does not keep a warning executable running afterwards.

Step 3:

Check your hosts file for any suspicious entries.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

notepad %windir%\System32\drivers\etc\hosts

Click OK.

Your hosts file will open in Notepad (to save changes you need to start Notepad as administrator: find Notepad in the Start menu, right-click it, choose Run as administrator, then open the path above via File > Open). Lines beginning with “#” are comments and harmless. Look at every other line: the “127.0.0.1 localhost” and “::1 localhost” entries are normal, and anything you or your administrator added on purpose (for example a LAN server name) can stay. Remove entries you do not recognise, and in particular any that point antivirus, VirusTotal or Windows Update domains at 127.0.0.1, 0.0.0.0 or an unfamiliar address; malware adds such lines to block updates and scans.
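A way to do this check without reading the file by eye, as an added example for this guide (not code from the removal tool the page offers): the script below parses hosts-file text, keeps the loopback mappings for localhost, lists every other active line for review and singles out lines that redirect security-vendor or update domains. SAMPLE_HOSTS is constructed input and the vendor domain list is illustrative; both are assumptions of the example, not data from the page.

```python
"""Added example for this guide, not code from the ransomware or from any removal tool: audit a
Windows hosts file. Loopback -> localhost lines are normal; every other active line is listed for
review, and lines that sinkhole security-vendor or update domains are singled out because malware
adds exactly those to block scans and updates. SAMPLE_HOSTS is constructed input; the domain list
is illustrative, extend it with the vendors you actually rely on."""
import ipaddress

LOOPBACK_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}
SECURITY_DOMAINS = ("virustotal.com", "malwarebytes.com", "microsoft.com", "windowsupdate.com",
                    "symantec.com", "kaspersky.com", "eset.com", "avast.com", "mcafee.com")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
::1 localhost
192.168.1.10 build-server.corp.example   # added by the admin, legitimate
0.0.0.0 www.virustotal.com
127.0.0.1 downloads.malwarebytes.com
45.0.0.1 update.microsoft.com
"""


def parse_hosts(text):
    """Yield (ip, [names]) for each active line; comments, blanks and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # "#" starts a comment, also mid-line
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:                             # first field is not an address: not a mapping
            continue
        yield ip, names


def is_security_domain(name):
    """True for a listed vendor/update domain or any subdomain of one (never a look-alike)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return {"review": [(ip, name)...], "sinkholed": [(ip, name)...]}.

    review:    every mapping except plain loopback -> localhost; keep the ones you or your admin
               added on purpose, remove the rest.
    sinkholed: the subset that points a security or update domain anywhere at all (loopback,
               0.0.0.0 or a foreign address); these must go whatever the address is."""
    review, sinkholed = [], []
    for ip, names in parse_hosts(text):
        for name in names:
            if (ip, name.lower()) in LOOPBACK_OK:
                continue
            review.append((ip, name))
            if is_security_domain(name):
                sinkholed.append((ip, name))
    return {"review": review, "sinkholed": sinkholed}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    result = audit_hosts(text)
    for ip, name in result["review"]:
        print(("SINKHOLE " if (ip, name) in result["sinkholed"] else "review   ") + f"{ip:<16} {name}")
```

On a real machine run it as "python audit_hosts.py C:\Windows\System32\drivers\etc\hosts". The sinkholed entries are the ones to delete outright; the plain review entries need a human decision, since legitimate LAN names often live in this file.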

Step 4:

Remove suspicious programs from your startup configuration so they do not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries. (On Windows 8, 8.1 and 10 this tab only holds a link to Task Manager; open Task Manager's Startup tab and use Disable there instead.)

Infected or fake startup items usually have “Unknown” listed as Manufacturer. However, they sometimes pretend to be legitimate programs.

Check the launched file's location by hovering your mouse over the “Command” column. Navigate to that location and check the file on virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous entries.

Step 5:

Clean up Windows temporary files, as the ransomware usually drops several of its files here.

You can safely remove all temporary files without posing any risk to your computer; files that Windows refuses to delete because they are in use can be skipped.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 6:

Check for any recent changes in the other important system directories.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here blindly! Sort by “Date Modified” and look for files changed around the time of the infection. Check only recently changed files on virustotal.com and remove only those reported as malicious. Otherwise you might remove critical system files and Windows might stop working.

The virus tends to copy its files to this directory, so you might find randomly named .exe, .dll, .bat or other recently placed files. Make Windows show hidden files and file name extensions first (Folder Options on Windows 7, the View tab of File Explorer on Windows 8 and later); otherwise a hidden executable named like a document is easy to mistake for the real thing.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
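An added example for this guide (not the page's own tool) that automates the “Date Modified” sweep over these four directories: it lists executables and scripts changed within the last 48 hours, newest first, and prints a SHA-256 for each so you can search VirusTotal by hash instead of uploading potentially sensitive files. The throwaway directory and its timestamps are constructed for the demonstration; on a Windows machine the second loop in the main block reads the real %AppData%, %LocalAppData%, %ProgramData% and %WinDir% from the environment.

```python
"""Added example for this guide, not code from any tool the page names: list recently modified
executables under the Step 6 directories with their SHA-256, for hash lookups on VirusTotal.
The sample tree in sample_sweep() is constructed for the demonstration."""
import hashlib
import os
import shutil
import tempfile
import time

SUSPECT_EXTS = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".tmp"}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of(path, chunk=1 << 20):
    """Streamed SHA-256 so a large DLL is not loaded into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def recent_files(roots, hours=48, exts=SUSPECT_EXTS, now=None):
    """[(path, age_hours, sha256)] for files under roots modified within `hours`, newest first.
    exts restricts by extension (None = everything); now can be pinned for reproducible output."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    found = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                if exts is not None and os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                    if mtime < cutoff:
                        continue
                    found.append((path, (now - mtime) / 3600, sha256_of(path)))
                except OSError:            # locked or vanished file: skip it, do not abort the sweep
                    continue
    return sorted(found, key=lambda t: t[1])


def windows_roots():
    """The four locations Step 6 names, resolved from the environment (empty on non-Windows)."""
    return [p for v in ("APPDATA", "LOCALAPPDATA", "PROGRAMDATA", "WINDIR") if (p := os.environ.get(v))]


def sample_sweep(exts=SUSPECT_EXTS):
    """Throwaway tree: a fresh random-named exe, a week-old dll and a fresh document (constructed)."""
    root, now = tempfile.mkdtemp(prefix="sweep-"), 1_700_000_000        # fixed clock => reproducible ages
    try:
        for name, data, mtime in (("6205c025.exe", b"MZ" + b"\0" * 14, now - 3600),
                                  ("old.dll", b"MZ" + b"\1" * 14, now - 7 * 86400),
                                  ("report.docx", b"PK\3\4", now - 60)):
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (mtime, mtime))
        return [(os.path.basename(p), round(age, 2), h) for p, age, h in recent_files([root], 48, exts, now)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, age, digest in sample_sweep():
        print(f"{age:7.2f}h  {digest}  {name}")
    for path, age, digest in recent_files(windows_roots(), 48):      # the real sweep on Windows
        print(f"{age:7.2f}h  {digest}  {path}")
```

Paste a digest into VirusTotal's search box; only upload the file itself if the hash is unknown and the file is not a document of yours. Widen the window (the hours argument) if the infection is older than two days, and pass exts=None to see non-executable files as well.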

Step 7:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

The Registry Editor will open.

Most registry entries are critical for correct system operation and deleting important ones might result in Windows failing to load. Be very careful while deleting and editing entries! Before deleting anything, select the key, choose File > Export and save a .reg backup, so that you can restore it by double-clicking the file.

Use the folder tree on the left to navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Check the same Run key under HKEY_CURRENT_USER as well, since a per-user location such as %AppData% is typically started from there.

If you find any registry entries that could belong to ASN1 (usually randomly named, pointing at a file in one of the directories from Step 6), delete them by right-clicking on them and choosing Delete.

Step 8:

Use Windows File Search (you can open it from the Start Menu by pressing the Windows key) or Windows Explorer to find the following files and delete them. Some of the files might not exist since the virus has several variations.

%APPDATA%\{randomname}.exe

(Where {randomname} is the random name from the registry entry found in Step 7.)

segui.exe
Exploit.swf
o32.tmp
!!!!!readme!!!!!.htm

Decrypting The Files:

Start recovering your files only after you have finished all removal steps! Otherwise you might cause more damage and make the files harder to recover later.

We recommend backing up the encrypted files to separate external media before you try anything, in case you are not able to recover them using our methods; recovery tools work on the disk and a failed attempt can overwrite what is still recoverable.

Check for an ASN1 ransomware decrypter here: List of currently available decrypters. Currently we have no information that such a decrypter is available, but it might be added in the future, so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are a short version of the simplest methods.

Step 1:

Start by re-enabling Windows recovery, since the virus might have turned it off. (The setting below controls whether the Windows Recovery Environment starts automatically after a failed boot; ransomware commonly disables it.)

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

cmd

Press CTRL + SHIFT + Enter instead of clicking OK, so that the prompt runs as administrator; bcdedit fails with an access denied error otherwise.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the earlier system settings using System Restore. The virus changed them, so you need to revert to the old ones first. Note that System Restore reverts system files, the registry and installed programs; it does not bring back your encrypted documents, which Steps 3 and 4 address.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies that still exist.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. You can check before installing anything by running “vssadmin list shadows” in an administrator command prompt; if it reports no shadow copies, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup of all the encrypted files, store it externally and wait for an ASN1 decrypter to appear. New free decrypters for various ransomware families appear every week, but we cannot estimate the waiting time or whether one will be created at all.

After removing the virus

When you have finished removing the ASN1 ransomware you should protect your computer by installing a good antivirus suite. This helps prevent further infections, but it does not close the holes the ransomware came in through: also install pending Windows, browser and plugin updates (or remove Flash and Java if you do not need them), since the Rig exploit kit described above relies on outdated versions of exactly those.


Share your experience with us by leaving a comment! We can also help you if you run into any problems during the process, just don't hesitate to ask!
