If your computer has been infected by ransomware, getting back your files can be very difficult. This is because ransomware does not only encrypt your main files but your backup files as well. So, unless your backup is located on a different drive, computer, or the cloud, recovering them would mean paying the ransom demanded by the attacker and hoping that they give you the correct decryption key. Yes, paying the ransom money does not guarantee that the attacker would be true to his word and give you back your data. Most of the time, the attacker just stops communicating with the victim after getting their money.
The encS ransomware is one of the most popular variants of this malware today. The encS ransomware encrypts the files on the affected computer, and payment instructions are sent to the user. When users get this malware, it usually results in data loss because the attacker usually only cares about the money. Using ransomware is basically one of the fastest ways for cybercriminals to earn money.
Here is what the ransomware note looks like:
All of your files are encrypted, to decrypt them write us to email: [email protected]
85,140, 70, 244,57,2,95,127,127, 247,116, 217,214,131, 41, 28, 182,15, 33,33, 201,49, 75,121, 247,161, 79,95,149,16,18
4,48,155,148,183,9,239,185,82,88,196,56,244,95,23,111,180,116,116,172, 205,66, 239,86,163, 217,152, 246,7,182.
What is the encS Ransomware?
The encS ransomware is a file-encrypting malware infection that prevents access to data, such as documents, images, or videos, by encrypting the files with the .encS extension. The attacker then attempts to extort ransom money from the user, which is usually in the form of Bitcoin cryptocurrency, in return for access to the encrypted data.
This threat ensures the complete lockdown of your documents and files, so that you have no other options left but to pay the ransom being demanded. The encS ransomware is the updated variant of the DeathHiddenTear ransomware, another notorious malware that appeared before the encS. When the files are encrypted, a different extension is added to the filename to make it inaccessible to the user. The extension could be either .encS or .encL, with the former more popular than the latter.
The EncS ransomware is usually distributed using spam email with infected attachments or by exploiting known vulnerabilities in the computer’s operating system and installed applications.
What Does encS Ransomware Do?
Once the EncS ransomware gets into the system, it scans for images, videos, and other important documents and files, such as .doc, .docx, .xls, .pdf, .ppt, .pptx, and others. When these files are found, the encS ransomware then encrypts the files and changes the extension to .encS, preventing the user from opening, copying, or accessing the file.
After all the files have been encrypted, the ransomware will then create the ransom note, usually named Decrypt Instructions.txt, which contains the instructions on how the user can recover the files. The ransomware then proceeds to delete all of the Shadow Volume Copies so that victims cannot use them to recover the files.
The new extension is placed after the original file name or after the primary file-type extension. For example, when Word.docx gets encrypted, the file name is changed to Word.docx.encL or Word.docx.encS. You will not be able to see the content or even the Word logo of this document. All you see is a blank file with the modified filename. Unfortunately, you cannot see a preview of the file, document, image, or video once the file has been encrypted. This makes it difficult to know which of the files are especially important. This ransomware is extremely difficult to deal with because it involves blackmailing and transferring money. Aside from the permanent damage to your devices, you might also lose money after paying up because there is no certainty that you will get the correct decryption key.
Decrypt Instructions.txt is the file that the malware saves in various places on the machine, so users can access the instructions and find ways to fix the affected files. This file also includes a brief message about the encryption, urging the victim to email the attackers, who then demand payment for the decryption. The email used for communication is usually [email protected]. In most cases, this is also the email address used for the payment transfer for the decryption key.
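Because the preview is gone and only the file names remain, an inventory built from those names is the practical way to see what was hit before restoring from backup. The script below is an added example, not part of the original article or any vendor tool: it walks a folder, lists files carrying the .encS or .encL extension together with their original names, and counts the Decrypt Instructions.txt notes. The function names and the sample file tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as named in the article.
ENCRYPTED_SUFFIXES = (".encs", ".encl")
NOTE_NAME = "decrypt instructions.txt"

def original_name(filename):
    """Word.docx.encS -> Word.docx; None if no encS/encL suffix was appended."""
    stem, ext = os.path.splitext(filename)
    return stem if stem and ext.lower() in ENCRYPTED_SUFFIXES else None

def inventory(root):
    """Walk root; list encrypted files, ransom notes, and counts by original type."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            orig = original_name(name)
            if name.lower() == NOTE_NAME:
                notes.append(full)
            elif orig is not None:
                encrypted.append((full, orig))
                by_type[os.path.splitext(orig)[1].lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_type": by_type}

def build_sample_tree(root):
    """Constructed sample: empty files named the way the article describes."""
    names = ["docs/Word.docx.encS", "docs/budget.xls.encL", "docs/notes.txt",
             "docs/Decrypt Instructions.txt", "pics/photo.jpg.encS",
             "pics/README.encS", "Decrypt Instructions.txt"]
    for rel in names:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = inventory(tmp)
        for full, orig in sorted(result["encrypted"]):
            print(f"{full.relative_to(tmp)}  (was {orig})")
        print("ransom notes:", len(result["notes"]))
        print("by type:", dict(result["by_type"]))
```

The script only reads file names and never opens or modifies the files, so it is safe to run against a copy or a read-only mount of the affected drive.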
How to Remove EncS Ransomware
When your device has been infected by this malware, do not pay the ransom fee. Aside from the fact that you’re contributing to the illegal activities of these cybercriminals by giving them more funds, paying the ransom does not guarantee that you’ll get your files back all in one piece. There have been several cases when the victim pays for the ransom, only to find out that the files were corrupted after they were decrypted. There is a huge chance that the encryption and decryption processes have corrupted the files, so you won’t be able to recover them even if you have the decryption key.
Instead, you can follow the instructions below on how to remove the encS ransomware and restore access to your important files.
Step 1: Delete the EncS Ransomware.
The first step is to get rid of the main malware from your system using a robust anti-malware application. Free or trial apps won’t be able to handle this type of malware because of how it operates. Once you have deleted the malware, make sure to delete all relevant files using a PC cleaner.
Step 2: Uninstall the Malicious Apps.
If the malware was installed on your computer through bundling, you also need to uninstall the app that came with the malware to be safe. You can uninstall it under Control Panel > Programs and Features. Look for the malicious app from the list, then click Uninstall. Do this for all the apps that you suspect to be infected.
Step 3: Decrypt Your Files.
Once you have completely removed the malware from your computer, you can go ahead and decrypt your files. You can start by using common decryptors, such as the one from Kaspersky. Symantec, McAfee, Trend Micro, Cisco Systems, and Emsisoft also have their own decryption software. If you don’t have any luck, you can try reaching out to Michael Gillespie, who was able to decrypt the earlier version of this ransomware.
The encS ransomware is a nasty piece of work because all your important files are being held hostage. You will not be able to recover your files using the shadow copies because all backups are also encrypted. If your computer gets infected by this malware, don’t think about paying the ransom. What you need to do is disable the ransomware, get rid of it, and recover your files by following the steps above.