We first spotted a test version of EncrypTile in October 2016. Six months after its initial release, the ransomware now has a user interface and support for multiple languages (although the language translations are very poor). The ransom note is shown in the EncrypTile main window, as well as in the newly created desktop wallpaper.
The ransomware also adds the word “EncrypTile” into the file name:
invoice.pdf > invoice.pdfEncrypTile.pdf
file > fileEncrypTile
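The renaming scheme above is regular enough to be undone mechanically. The following helper, an added example that is not part of the original post or of the Avast decryptor, recovers the original file name from an EncrypTile-renamed one and triages a directory listing into recoverable, untouched and oddly shaped names; the sample listing is constructed for illustration.

```python
from pathlib import PurePath
from typing import Optional

MARKER = "EncrypTile"

def original_name(encrypted_name: str) -> Optional[str]:
    """Undo EncrypTile's renaming scheme.

    The post gives two shapes:
        invoice.pdf -> invoice.pdfEncrypTile.pdf   (marker, then the original extension again)
        file        -> fileEncrypTile              (no extension, marker only)
    Returns the original name, or None if the name does not follow the scheme.
    """
    idx = encrypted_name.rfind(MARKER)
    if idx <= 0:                       # no marker, or nothing before it
        return None
    stem = encrypted_name[:idx]        # candidate original name
    tail = encrypted_name[idx + len(MARKER):]
    suffix = PurePath(stem).suffix     # ".pdf" for "invoice.pdf", "" for "file"
    # The duplicated tail must equal the original extension (both may be empty).
    if tail != suffix:
        return None
    return stem

def triage(listing):
    """Split a listing into ({encrypted: original}, untouched names, suspicious names)."""
    recoverable, untouched, suspicious = {}, [], []
    for name in listing:
        if MARKER not in name:
            untouched.append(name)
            continue
        orig = original_name(name)
        if orig is None:
            suspicious.append(name)    # marker present but shape does not match; inspect by hand
        else:
            recoverable[name] = orig
    return recoverable, untouched, suspicious

# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    "invoice.pdfEncrypTile.pdf",
    "fileEncrypTile",
    "archive.tar.gzEncrypTile.gz",
    "notes.txt",
    "brokenEncrypTile.pdf",
]

if __name__ == "__main__":
    rec, unt, sus = triage(SAMPLE_LISTING)
    for enc, orig in rec.items():
        print(f"{enc} -> {orig}")
    print("untouched:", unt)
    print("suspicious:", sus)
```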
After the files are encrypted, the ransomware creates 4 new files on the user’s desktop. The names of these files are localized. Below is an example of the English version.
The ransomware also creates an auto-start entry, both for the current user and for all users of the computer:
EncrypTile has a list of whitelisted process names; any process not on the list is killed as soon as it is detected. This prevents the user from running any security or diagnostic tools. A process is left running only if its name:
- contains one of: search, wallet, bitcoin, multibit, word, calc, microsoftedge
- is identical to the name of the current (ransomware) process
An interesting side effect of this feature occurs with Admin Approval Mode. The ransomware kills the “consent.exe” process, which provides the pop-up window that lets Windows users approve or decline the changes a program wants to make to the computer. As a result, no administrator access can be granted, and the user is stuck in Admin Approval Mode, unable to carry out any action as an administrator.
To prevent detection, the ransomware executable is invisible while it is running.
How to run the decryption tool
While running, the ransomware actively prevents the user from using any tools that may potentially remove it. Because of this, it is necessary to follow the steps below to successfully remove and decrypt the infected files:
Download the decryptor tool and save it to your desktop. In case of an internet connection problem, you may need to download the file to another device and copy it to the infected PC manually.
Create a copy of the decryptor tool using the Ctrl+C and Ctrl+V keyboard shortcuts.
Rename the newly copied file to one of the following names: notepad, lsass, mspaint, osk. Once you have renamed the copied file, you can run the decryptor.
Follow the steps in the on-screen wizard. On the final page, uncheck the “Run the decryption process as administrator” option (if present) and click “Decrypt”.
If the ransomware is active, the decryptor will neutralize it and ask you to restart your PC.
Finally, restart your PC. After you log in, the ransomware screen should not appear anymore, but your desktop wallpaper will still contain the ransom note. Run the decryptor normally with the default options to decrypt your data. After this, you can change your wallpaper to something nicer than the ransomware wallpaper :)
I would like to thank my colleague Ladislav Zezula for preparing this decryption tool.