Deniz_Kizi ransomware


Deniz_Kizi ransomware is malicious software that uses a double encryption algorithm to lock all personal files on host machine

Deniz_Kizi ransomware
Deniz_Kizi ransomware is a file locking computer virus that is developed by a Turkish hacker

Deniz_Kizi ransomware is a file locking virus that first emerged in the wild in late December 2019. The name of the malware stems from Turkish (Deniz Kızı translates to “Mermaid”) – its developer is also Turkish and is responsible for other ransomware releases, including KesLan, MaMo, and others. Nevertheless, the ransom note Please Read Me!!!.hta is written in English, so the malware targets users from around the world.

Upon infiltration, the Deniz_Kizi virus performs a variety of system changes and then runs the data encryption process, which ends with all personal files being appended with the .Deniz Kızı file extension. The malware uses a relatively unusual encryption scheme: the rare TR1224 double algorithm encrypts the files themselves, while AES-256 encrypts the key that is required to recover access to pictures, videos, documents, and other locked files.

Name: Deniz_Kizi ransomware
Other names: Deniz Kızı ransomware, Mermaid ransomware
Type: File locking virus, crypto-malware
Distribution: The malware was spotted being distributed via malicious spam email attachments (e.g., Yeni Zengin Metin Belgesi.rtf), as well as software cracks (Zula Hack.exe, Konyali_Zula_Hack_V8_2020.exe, Konyali_Zula_Hack_V4_2019_protected.exe)
Encryption type: TR1224 + AES-256
File extension: All personal files are appended with the .Deniz Kızı extension and are no longer accessible
Ransom note: Please Read Me!!!.hta, Lütfen Beni Oku!!!.log
Contact: Crooks leave email addresses as the main means for establishing contact: [email protected] or [email protected], or [email protected]
Ransom size: $300 – $400, depending on the version of the malware
Related files: Starter.exe, svchost.exe
Modifies hosts file: Adds the following line to the hosts file: 127.0.0.1 validation.sls.microsoft.com
File decryption: Recovering data without paying the ransom or having backups ready is almost impossible, although you might try the methods listed in our recovery section below – there is a chance of third-party software working
Termination: Download and install reputable anti-malware software and perform a full system scan in Safe Mode
System fix: Delete the hosts file located in C:\Windows\System32\drivers\etc\. Additionally, if system crashes, errors, BSODs or other problems persist, fix your Windows computer with Reimage Cleaner

Malicious actors offer to be contacted via the [email protected] or [email protected], or [email protected] emails and ask for $400 worth of Bitcoin for decryption software that would restore access to the locked data. Later variants of Deniz_Kizi ransomware dropped a ransom note Lütfen Beni Oku!!!.log, which is written in Turkish.[1] As of now, no decryption software for this malware is available, and paying the criminals is not advised either.

While Deniz_Kizi ransomware is relatively new, there are two main methods that the attackers use to spread the infection (nevertheless, keep in mind that cybercriminals might employ other methods for propagation):

  • Spam email attachments that are disguised as useful documents – these ask users to enable the macro function, which downloads the malicious payload
  • Software cracks and pirated software installers – these malicious files are usually downloaded from unsafe torrent or similar sites

The malicious installer Starter.exe bypasses the User Account Control prompt that would otherwise warn users and immediately begins the infection process: several files are dropped into the %AppData% folder (svchost.exe), Task Manager and Windows startup are disabled, Shadow Volume Copies are deleted, startup repair is disabled, the Windows hosts file is modified, services are opened, etc.[2] (note that you should delete the hosts file located in C:\Windows\System32\drivers\etc\ after Deniz_Kizi ransomware removal).

Once the preparations are complete, the Deniz_Kizi ransomware virus begins the encryption process, which renders files with 195 different file extensions inaccessible. Nevertheless, just like other file locking malware, it skips system, executable, and a few other file types. For data encryption, the ransomware uses a relatively rare method – a combination of TR1224 and AES-256.[3] This ensures the encryption is secure and reduces the chances of users recovering data without paying for the Deniz_Kizi ransomware decryptor.

Deniz_Kizi ransomware virus
Deniz_Kizi is a ransomware virus that uses a combination of TR1224 and AES-256 encryption algorithm to lock personal files on the infected system

The newest variants of the Deniz_Kizi virus also change the desktop wallpaper of the host machine to a brief message written in Turkish, telling users to check the ransom note Lütfen Beni Oku!!!.log to find out what happened to their files.

The English version of Deniz_Kizi ransom note states the following:

FILES ARE ENCRYPTED:

Hello! All your documents, photos, databases and other important files are ENCRYPTED! Do you really want to restore your files?
If you want to unlock your data, you need to buy special decoding software!
Write to our email – [email protected] If you do not receive a reply within 24 hours, write to our additional email address – [email protected]
We'll send you a complete instruction on how to decrypt all your files.

=========================================================
* WHAT SHOULD I DO ??
=========================================================

First of all your files are NOT DAMAGED!
Your files have been modified and encrypted with the TR1224 double encryption algorithm.
This change is reversible. The only way to decrypt your files is to purchase the decipher tool that is special to you.
Any attempt to irreversibly corrupt your files, and attempting to restore them with third-party software will be fatal to your files.

=========================================================
* SO MY FILES WILL RETURN TO THE OLD STATE AND HOW SHOULD I PAY ???
=========================================================

To decode the password you have to buy our special decoding tool, we already said that.
and the deciphering tool costs $ 400, you will pay by bitcoin and you must contact us for payment.
Once the payment is made, we will send you the special decoding tool by email.
and it is enough to run the.

=========================================================
* FREE DECRYPT FILE!!!
=========================================================

Free decryption as warranty!
If you don't believe in our service and want to see proof, you can ask us about the test for decryption.
You send us up to 2 encrypted files.
Use the file sharing service and Win-Rar to send files for testing. Files must be smaller than 1 MB (unarchived) and Files should not matter! Do not send us databases, backups or large excells. Files etc. We will decrypt and send back your decrypted files as proof!

=========================================================
* HOW TO BUY BITCOINS ???
=========================================================

Bitcoins have two simple ways:
Link1: hxxps://exmo.me/en/support#/1_3
Link2: hxxps://localbitcoins.net/guides/how-to-buy-bitcoins
Read the information in these links carefully, because you may need to buy even large quantities.

Note: Use translation for Turkish source.

=========================================================
!!! ATTENTION !!!

!!! If you do not pay within 2 days, you will not be able to recover your files forever.
!!! Do not rename encrypted files.
!!! Do not attempt to decrypt your data using third-party software, as this may cause permanent data loss.
!!! Unraveling your files with the help of third parties can lead to increased prices and don't trust anyone even your dog.

=========================================================
* THE KEY REQUIRED FOR THE DECRYPT TOOL

Don't change these 2 key decryption tool for this 2 key required !!!
and please note that these 2 keys are encrypted with the AES-256 encryption system.

Key1:

As is evident, the threat actors behind Deniz_Kizi ransomware offer a free test decryption to prove that the recovery software they provide actually works – a trick ransomware developers often use to establish a false sense of security. However, you can never trust hackers, as they might take your money and never send you the Deniz_Kizi decryption software.

Malicious actors warn that if the payment of $300 or $400 in Bitcoin is not transferred within two days, recovering data will be impossible. As is typical, it is in their best interest to claim that no recovery tool but theirs would work – it increases the chances of receiving a payment from victims. However, the Deniz_Kizi developers do have a point, as in some cases any modification of the encrypted files might permanently damage them.

As a remedy, you should make a copy of locked files, and then remove Deniz_Kizi ransomware from your computer by scanning it with powerful anti-malware. Finally, try to recover data by applying steps provided in the instructions below – while chances are not high, it might still be possible to recover at least some portion of your data.

Note: if you experience system crashes, BSODs,[4] errors, and other OS malfunctions even after you get rid of Deniz_Kizi ransomware, you should use the PC repair tool Reimage Cleaner – it can fix virus damage and revert malicious system changes.

Be careful when checking email and do not use software cracks

According to experts’ findings, the most common distribution techniques used by malicious actors include spam email attachments and executables that are used for cracking software, otherwise known as cracks/keygens/loaders. Here are the tactics that hackers use:

  • Malicious spam emails are one of the main attack vectors when it comes to malware distribution. While relatively primitive, this method is still widely used to deliver payloads of ransomware, trojans, worms, data-stealers, rootkits, and other malware. In most cases, hackers employ botnets[5] to send phishing messages to email addresses that were leaked previously – these can be easily obtained from the Dark Web. The phishing email includes some type of bait that prompts users to open the attachment or click on a hyperlink – the former usually asks for the macro function to be enabled, while the latter might initiate the automatic installation of malware.
  • Software cracks and pirated software installers also prove to be extremely successful (the most successful ransomware – Djvu – uses software cracks for propagation)[6] and infect millions of users who rely on such illegal installers. Placing a malicious executable disguised as a cracked program is relatively easy for cybercriminals, as there are thousands of websites that allow everyone to upload files like that to be downloaded by anyone. Typically, hackers rely on fake versions of Windows/MS Office cracking tools, video game cheats and their installers, etc.

Deniz_Kizi ransomware distribution
Deniz_Kizi can be distributed via malicious spam email attachments, software cracks, or other methods

To avoid the consequences of a ransomware infection, make sure you equip your computer with reliable anti-virus software, back up your personal files, update the OS and the installed programs regularly, use an ad-blocker, enable the firewall, protect all accounts with secure passwords, and never download pirated software installers/cracks.

Remove Deniz_Kizi ransomware from your machine

As previously stated, you should not remove Deniz_Kizi ransomware before copying the encrypted files, as you might otherwise permanently damage them. Even if you do not have backups available, there is a chance that security experts will find a bug within the malware or gain access to its Command & Control server after its seizure, which would allow them to create a working Deniz_Kizi decryptor. Note that the No More Ransom Project is a great database of decryption software available to everyone for free – check it regularly in the future.

Therefore, copy all the important files that are encrypted, access Safe Mode with Networking and perform a full system scan with anti-malware software such as SpyHunter 5, Combo Cleaner or Malwarebytes (new variants might not be detected by all AVs, so make sure you update your security software to the latest version before performing a scan). After that, you should go to the following location and delete the Windows hosts file:

C:\Windows\System32\drivers\etc\
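The hosts-file modification described above (127.0.0.1 validation.sls.microsoft.com) is the one indicator in this article that can be checked from a file on disk. The following script is an added example, not code from the article or from the malware: it parses hosts-file text the way the resolver does (comments stripped, several names per line allowed), flags any non-localhost name pointed at a loopback or unspecified address, and produces a cleaned copy that keeps legitimate entries instead of deleting the whole file. The second sinkholed name and the file server entry in the sample are constructed for illustration; read the real file from C:\Windows\System32\drivers\etc\hosts on a suspect machine.

```python
import ipaddress

# Indicator taken from the article: Deniz_Kizi adds this mapping to the hosts file.
INDICATOR_LINE = "127.0.0.1 validation.sls.microsoft.com"

# Names that legitimately map to loopback and must not be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = entry.split()
        if len(parts) < 2:                     # blank, comment-only or malformed
            continue
        yield line_no, parts[0], parts[1:]

def is_sinkhole(ip):
    """True for addresses that silently blackhole a name (loopback or 0.0.0.0/::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_hosts_hijacks(text):
    """Return [(line_no, ip, hostname)] for public names pointed at a sinkhole address."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        for name in names:
            if name.lower() not in LOOPBACK_NAMES:
                hits.append((line_no, ip, name.lower()))
    return hits

def clean_hosts(text):
    """Return the hosts text with hijack lines removed, plus the removed raw lines."""
    bad = {line_no for line_no, _, _ in find_hosts_hijacks(text)}
    kept, removed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        (removed if line_no in bad else kept).append(raw)
    return "\n".join(kept) + "\n", removed

# Constructed sample: Windows default comments, the article's indicator line,
# a second constructed sinkholed name, and a legitimate internal mapping.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 validation.sls.microsoft.com
::1 activation.sls.microsoft.com  # constructed second entry
192.168.1.10 fileserver.corp.example
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} line(s); cleaned file:\n{cleaned}")
```

The private address 192.168.1.10 is left alone on purpose: only loopback and unspecified targets are treated as sinkholes, so ordinary internal mappings survive the cleanup.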

Finally, you can proceed with the data recovery process. Unfortunately, there are few options without paying the cybercriminals, as data recovery software does not always work – it does not decrypt the data, but rather recovers working copies of files from the local HDD. Thus, the more the PC is used after the infection, the lower the chance that recovery software will work. For more details, check the information below.


This entry was posted on 2020-01-16 at 08:35 and is filed under Ransomware, Viruses.