Asd ransomware

Asd ransomware is a computer infection that blocks access of all personal files on the infected computers and demands a ransom in Bitcoins

Asd ransomware is a file locking malware that stems from Dharma/Crysis family

Asd ransomware is malware that focuses on money extortion by encrypting all personal files on the targeted Windows systems. Suchlike modified files can no longer be accessed, and are marked with .asd file extension, among other changes that are performed to data. To retrieve access to files, victims require an AES and RSA-generated key that is only accessible to cybercriminals. As evident, hackers ask for Bitcoins for the Asd ransomware decryptor, although the precise sum is not provided.

To explain the situation more clearly to victims, Asd ransomware developers provide a ransom note which is dropped in two formats – FILES ENCRYPTED.txt, as well as a .hta file. These notes also contain contact details of cybercriminals – [email protected] and [email protected] – which can be used for Asd ransomware decryptor price negotiation.

The Asd virus derived from one of the most prominent families – Dharma/Crysis and was first spotted by researcher Jakub Kroustek in the first half of December 2019. Victims who previously paid ransom for the decryption tool said that malware authors often ask for extra money after payment, so trusting them is not recommended. Before using alternative file recovery solutions, users should backup the encrypted files and remove Asd ransomware from their computers.

Asd ransomware operation and file encryption specifics

It is important to note that Asd ransomware also makes several changes to the host machine after the intrusion, which usually happens after users open a malicious spam email attachment, do not protect their RDP connections, or downloading software crack like KMSpico or a fake installer. Nevertheless, hackers might use other attack vectors for propagation to increase the infection rate.

As ransomware performs the following changes to the system:

• Deletes all Shadow Volume Copies with the help of “vssadmin delete shadows /all /quiet” command;
• Modifies Windows registry to enable boot every time Windows is launched;
• Contacts a C2 server and delivers computer’s name and some other information;
• In some cases, uninstalls security software to complicate Asd ransomware removal.

Once all the preparations are complete, the malware starts its encryption routine by using a combination of AES and RSA ciphers, which makes it even more difficult to break (in fact, the algorithm used in the newest versions is so strong that many security experts say that decrypting them is impossible,^[1] as it would require thousands of years of mathematical calculations performed by the most advanced computers). Only system and malware files are skipped by Asd ransomware – everything else gets encrypted and becomes inaccessible.

The message in the shorter version of the Asd virus ransom note states:

all your data has been locked us
You want to return?
write email [email protected] or [email protected]

Far more details are included in the other ransom note – it indicates that users might send one file for test decryption to ensure that Asd ransomware decryptor works. However, experts^[2] advise not to trust cybercriminals, as they might send a fake tool, or might ask for more money.

Asd ransomware is a type of virus that uses various deceptive infiltration methods and then holds all the files hostage until ransom in Bitcoin is paid

The ransom size is never provided by any Dharma versions, as the amount highly depends on various factors, such as if the infected computer comes from an organization or is a regular user, as well as how soon victims contact attackers. In the known cases, companies were asked for around 1 BTC, while regular users might be asked for a much smaller sum.

If you happened to be a victim of Asd ransomware, you should make a copy of all the encrypted files and then terminate the infection. Alternative methods for file recovery are listed in the recovery section below, although you should be aware that chances for successful decryption are low. In case you have problems post-termination and Windows are crashing or returning errors, you should perform a scan with Reimage Reimage Cleaner – it will remove virus damage, and you will not have to reinstall the OS.

Perform necessary protection steps to avoid ransomware attacks

Dharma/Crysis ransomware is so prevalent due to the distribution methods that the attackers use. While some malware families like Djvu stick to pirated software installers, others employ a variety of attack vectors to ensure a large number of infections, consequently increasing the chances of victims paying the ransom. Unfortunately, it also increases hackers’ will to make new viruses, as it is simply profitable – this is why ransomware has been on the rise in 2018 and 2019.^[3]

Therefore, the best way to stop cybercriminals is not to get infected with ransomware in the first place. Here are the most used distribution methods of Dharma developers:

• Spam email attachments and hyperlinks. In some cases, hackers use double file extensions to make it look like the attached file is not executable. Additionally, it was also observed that malicious actors insert hyperlinks that lead to self-extracting and password-protected file, which also includes the installer of a well-known anti-virus vendor, diminishing the suspicions for recipients. To mitigate the attack, treat each email with suspicion and never open attachments or click on links unless you are sure that the email came from a legitimate source.
• RDP connections. Malware developers often abuse Remote Desktops that use a default TCP port 3389 and apply leaked credentials to access the machine remotely.^[4] After the intrusion, they install malware manually, sometimes uninstalling anti-malware solutions in the process. To stop RDP-based attacks, you should use a different RCP port and use a strong password.
• Fake installers. Malicious actors also use fake copies of anti-virus or other trusted software in order to trick users into opening the executable. These files are usually distributed via various third-party software hosting sites as well as shared networks. To avoid fake versions of programs, you should only rely on executables coming from official websites.

As the primary countermeasure to ransomware, you should backup all their important files on a regular basis.

Unfortunately, there is not decryption tool for Asd ransomware available, and the only way to recover data safely is by using backups

Before removing Asd ransomware, backup the encrypted files

While Asd ransomware removal is one of the first step that is required towards the recovery after the infection, you should also take into consideration your locked files. Unlike other malware, ransomware does not decrypt data after it is removed. In fact, deleting malware might sometimes damage files beyond repair and will render them permanently damaged. To avoid that, you should backup all the locked data before you uninstall Asd ransomware.

To remove Asd ransomware, you need to perform a full system scan with anti-malware software – you can try using SpyHunter 5Combo Cleaner or Malwarebytes, although any other reputable malware removal tool should suffice. If you are having troubles and the virus stops your security tool from working, access Safe Mode with Networking as explained below.

After you get rid of Asd virus, you can then attempt file recovery. Unfortunately, there is no working decryption tool created for this version of Dharma, so the only way to retrieve data is by using third-party recovery software or Windows Previous Versions feature. Note that chances of retrieving files using these methods are low, although it is not impossible. The less you use your computer post ransomware infection, the bigger the chances you can restore at least some of your data with recovery tools.

Remove Asd using Safe Mode with Networking

In case malware is tampering with your security software, access Safe Mode with Networking:

• Windows 7 / Vista / XP
  1. Click Start → Shutdown → Restart → OK.
  2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list

  Windows 10 / Windows 8

  1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
  2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.

• Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Asd removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Asd using System Restore

System Restore can be used to delete malware:

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Asd from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Asd, you can use several methods to restore them:

Data Recovery Pro method might be efficient in some cases

Data Recovery Pro might be able to extract working copies of Asd ransomware encrypted files from your hard drive.

• Download Data Recovery Pro;
• Follow the steps of Data Recovery Setup and install the program on your computer;
• Launch it and scan your computer for files encrypted by Asd ransomware;
• Restore them.

Try out Windows Previous Versions Feature

This method will only work if you had System Restore enabled before the virus attack.

• Find an encrypted file you need to restore and right-click on it;
• Select “Properties” and go to “Previous versions” tab;
• Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be the best solution

ShadowExplorer should help if Shadow Volume Copies were not deleted for some reason.

• Download Shadow Explorer (http://shadowexplorer.com/);
• Follow a Shadow Explorer Setup Wizard and install this application on your computer;
• Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
• Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Do decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Asd and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes