ElvisPresley ransomware

ElvisPresley ransomware – a data locking virus that stems from a well-known malware family

ElvisPresley ransomware
ElvisPresley ransomware is a data locking malware that threatens to delete files in certain time intervals if ransom is not paid within 24 hours

ElvisPresley ransomware
ElvisPresley ransomware is a data locking malware that threatens to delete files in certain time intervals if ransom is not paid within 24 hours

ElvisPresley ransomware is a file locking virus that first started attacking users around the world in early June of 2020 and was first spotted by security researcher Jack. The malware belongs to a relatively old family, Jigsaw, and uses the celebrity name of Elvis as a theme. Just as many other viruses of this kind, it’s primary goal is to extort money from victims by locking all personal files on the device with the help of a sophisticated encryption algorithm.

Once inside the system, the ransomware looks for a particular file type (pictures, documents, PDF, videos, etc.) and appends them with .ElvisPresley extension, restricting user access, and removing the original icons. To make sure that users are aware of the infection, cybercriminals deliver an untitled pop-up window, which serves as a ransom note. In it, hackers are asking for $100 into the 1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U bitcoin wallet for the decryption tool. For communication purposes, ElvisPresley virus authors ask users to write an email at [email protected].

Name ElvisPresley ransomware
Type File locking virus, cryptomalware
Family Jigsaw
Related files Zembla.exe
File extension Most of the files are appended with .ElvisPresley extension and can no longer be opened. An example of an encrypted file: “document.doc.ElvisPresley”
Contact Crooks ask victims to email them at [email protected]
Ransom size $100 in Bitcoin, which doubles after 24 hours. Some files are deleted every hour if ransom is not paid
Bitcoin wallet 1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U

Some of the malware’s malicious executables can be detected under the following names on Virus Total:

  • Generic.MSIL.Ransomware.Jigsaw.433625C8
  • Ransom.Jigsaw
  • Heuristic.HEUR/AGEN.1126343
  • HEUR:Trojan.Win32.Generic
  • Ransom:MSIL/JigsawLocker.A
  • Win32:RansomX-gen [Ransom]
  • Gen:NN.ZemsilF.34122.cm0@aKWx2Fo, etc.
File recovery Data can be recovered with the help of Emsisoft’s decryption tool or by using alternative solutions provided in our recovery section below
Elimination Make sure that the infection is terminated promptly with the help of powerful security software such as SpyHunter 5Combo Cleaner or Malwarebytes. If required, access Safe Mode as explained in the instructions below
System fix Ransomware can not only affect personal files by might also negatively impact system-related data. As a result, even after the infection is terminated, it can cause serious damage or reduce computer performance. If you suffer from lag, errors, crashes, or similar issues, fix your Windows with Reimage Reimage Cleaner Intego

Jigsaw is one of the most notorious ransomware families that was first started its distribution in April 2016 and is widely known for its incorporation of the Billy the Puppet from the Saw movies. Since then, malware came back with multiple versions, such as HydraBadut Clowns, DeltaSEC, and many others.

ElvisPresley ransomware is yet another variant of the virus that uses a well-established AES encryption algorithm[1] to lock personal files on the system. However, it does not perform the data locking process immediately, as it first needs to prepare the system for that to be successful. Here are some changes that the malware performs:

  • Places a malicious executable such as Zembla.exe into %AppData% or %Temp% folder;
  • Deletes Shadow Volume Copies to prevent a quick data recovery;
  • Modifies Windows registry keys for persistence purposes;
  • Creates CryptSvc service with performs the file deletion in intervals;
  • Drops hundreds of malicious files on the system, etc.

Once the preparations are complete, ElvisPresley ransomware would begin the encryption procedure, which typically takes only seconds (although victims with exceptionally large HDDs/networks should expect longer encryption times, which can be stopped by shutting down the machine). Victims can later see that typical icons of files became blank and that none of them can be opened. Additionally, each of such files is appended with .ElvisPresley extension.

While ransomware usually leaves system files intact, some Jigsaw variants are known to encrypt Master Boot Record (MBR)[2] data, which complicates ElvisPresley ransomware removal. Nevertheless, accessing Safe Mode with Networking is likely to remove the difficulties with the process. Note: to remediate the Windows machine after a ransomware infection, we recommend using Reimage Reimage Cleaner Intego.

To ensure that users are aware of what happened, they are presented with a pop-up window without a title, which claims the following:

All Your Files Has Been Locked!
Your personal files are being deleted. Your photos, videos, documents, etc…
But all of your files were protected by a strong encryption.
This means that we can decrypt all your files after paying the ransom.

Every hour I select some of them to delete permanently,
You have 1day to Decide to Pay.
after 1 Day Decryption Price will be Double.
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer or try to close me, when I start next time

you will get 5 files deleted as a punishment.
If you want to unlock your data
You Can Learn Decrypt Instructions
click on the button: HOW TO DECRYPT FILES ?

Contact us : [email protected]

1 file will be deleted.
Please send at least $100 worth of Bitcoin here:

As evident, the ElvisPresley file virus claims that consequences for not paying the ransom are disastrous: the ransom size would double within 24 hours (the pop-up window also includes a timer which is showing the time remaining), and files will be deleted exponentially.

ElvisPresley ransomware virus
ElvisPresley ransomware is a file locking virus that belongs to a well-established malware family Jigsaw

ElvisPresley ransomware virus
ElvisPresley ransomware is a file locking virus that belongs to a well-established malware family Jigsaw

This particular trait is very common in Jigsaw malware versions, as it creates pressure and anxiety among victims, especially since important files could be deleted during the process. However, paying cybercriminals is not recommended, as they might simply scam you and never provide the needed ElvisPresley ransomware decryption tool.

Instead, you should rely on alternative methods for data recovery – Emsisoft even released a decryption tool specifically designed for ElvisPresley ransomware. In case it does not work, you can also use third-party recovery software as per the instructions provided below.

While many ransomware threats would self-delete after encryption is performed, the ElvisPresley virus will remain on the system to be able to delete a predetermined number of files and encrypt all the incoming ones. Therefore, it is important to remove ElvisPresley ransomware from the computer as soon as possible. You should make a copy of the encrypted files if you had no backups available, however.

Watch out for spam email attachments and protect your computer in comprehensive ways to repel ransomware attacks

Jigsaw ransomware and its versions are known to be spread via contaminated spam email attachments. This technique is rather old but very effective, as email spam is used by countless criminal groups to deliver even the most devastating malware to victims, as noted by security researchers from dieviren.de.[3]

Email providers such as Google, Hotmail, and others, implemented various security scanners that could filter email spam. However, these precautionary measures are not perfect, as some legitimate emails end up in Spambox, while malicious emails still manage to break into users’ inboxes.

When dealing with fraud and phishing, the most important thing is to stay vigilant and keep in mind that such a threat exists in the first place. In other words, each of the received emails should be treated with suspicions, unless you are absolutely sure who it is coming from. This only applies to emails that include attachments or links, as you will not get infected with malware just by opening an email itself.

Even though hyperlinks can be used to direct users to malicious domains were malware is downloaded from, this attack vector is in decline, and email attachments are much more popular. To check whether the link is legitimate, put your mouse cursor over it and check the real destination on the bottom-left corner of the browser.

When it comes to attachments, you should never allow a macro to be run on the document, such as .doc or .xlsm, as this would trigger a chain of events that would install malware on the system automatically. Remember: if you are not sure if the email is legitimate, delete it and do not interact with any components inside.

You should also ensure that your computer is adequately protected, as ransomware could access your machine in other ways. Thus, install a powerful anti-malware program to protect your from the incoming threats, patch your system, and the installed apps with security updates regularly to avoid software vulnerability[4] exploitation, use strong passwords for all your accounts and never download software cracks/pirated programs on your PC.

Delete ElvisPresley ransomware safely

ElvisPresley ransomware removal might prove difficult due to its advanced traits, such as MBR encryption. Therefore, an attempt should be made to access Safe Mode with Networking, as explained below, and a full system scan should be performed from there. Additionally, malware might also attempt to disable or corrupt the installed security application if it programmed to do so.

ElvisPresley ransomware encrypted files
ElvisPresley ransomware encrypted files can no longer be accessed, although it is possible to recover them with the help of Emsisoft decryption tool

ElvisPresley ransomware encrypted files
ElvisPresley ransomware encrypted files can no longer be accessed, although it is possible to recover them with the help of Emsisoft decryption tool

If you do not remove ElvisPresley ransomware, it will keep encrypting all the incoming files, and will also delete more and more files as the time goes on. Nonetheless, you should also prepare a backup of encrypted data as a precautionary measure.

Once you are sure that the ElvisPresley virus is eliminated completely, you can begin the data recovery process. You will find all the detailed instructions below. The good news is that decryption tools provided by security researchers almost always recover victims’ files without any issues.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-06-03 at 04:16 and is filed under Ransomware, Viruses.