The coronavirus pandemic has forced a lot of employers to allow their staff to work from home, with security experts estimating a 70% increase in remote work between February 4 and April 7, 2020. As a result, attackers have a bigger and easier target base. In recent months, malware attacks have increased exponentially, including ransomware attacks which spiked to 148% last March. Attackers were piggybacking on the public’s fear of the coronavirus, which makes people more vulnerable to emotion-based distribution methods.
One of the ransomware attacks that grew in popularity recently is the Tabe ransomware. Tabe ransomware is malicious software that belongs to a popular ransomware family, called Djvu/STOP ransomware. This particular ransomware is considered the 234th version of this group of malware, making it 234 times more dangerous than the original version.
Threats like Tabe ransomware directly attack the victim’s device, locking all the important files, and demanding payment from the owner for the decryption key. To avoid the hassle, most victims just pay up to get their files back. Unfortunately, not all of them are able to get their data back even after paying the ransom.
So what do you do when you encounter the Tabe ransomware? This guide should give a close look into what the Tabe ransomware is, how it got into your system, and what you can do to restore your files without paying the ransom.
What is the Tabe Ransomware?
Tabe ransomware is more than just a file-locker. Aside from encrypting your files and demanding money from the owner, this malware also damages certain system files and functions, both to prevent you from getting rid of it completely and to make users more eager to pay the demanded ransom.
Tabe ransomware belongs to the Djvu/STOP ransomware family, making it more insidious than other threats because the hackers behind this group of ransomware have been known for their malicious campaigns since 2016. They can modify any part of the code and launch one new ransomware version after another, which is why malware researchers have not been able to break its functionality since it first appeared.
Tabe ransomware virus is currently the 234th version of the Djvu ransomware. The previous versions were decryptable because they used offline keys that allowed malware researchers to come up with a decryption tool. The old versions encrypted data using a hard-coded offline key whenever the infected computer was not connected to the internet or the server had timed out or was not responding. Because of this, some victims were able to decrypt the locked data using a decryption tool developed by cybersecurity expert Michael Gillespie.
However, for almost a year now, the versions released by this ransomware family have relied on online IDs and can no longer be decrypted by the old tools. The versions released since August 2019 no longer use offline keys, so malware researchers have no other option but to inform users about new variants that come out almost weekly.
The Tabe ransomware is one of the newest versions, but all the other features remain the same as the previous versions. It still uses the same email@example.com email in the _readme.txt ransom note where the victim can communicate with the attacker. The ransom amount is also the same, which is $490 or $980, depending on the length of time it takes you to pay the ransom. The text file details all the necessary information about the encryption process and what the victim needs to do after getting the ransom note.
How is Tabe Ransomware Distributed?
Ransomware and other types of malware are usually distributed via spam emails, malvertising, adware and redirects, Trojans, illegal activation tools, or cracks downloaded from illegitimate sources, fake updaters, and untrustworthy download channels.
Spam campaigns are generally large-scale operations that send out thousands of deceptive/scam emails. The emails are usually presented as legitimate, important, or urgent messages designed to trick users into opening them. During the coronavirus pandemic, a lot of spam emails are sent out to scam people. Some emails ask people to donate to a charity helping out people during the pandemic or to an organization working on a cure for the virus. Other emails are designed to get the user to click on a link or download an attachment that contains malware. Once you click on the link or download the email content, the action will also trigger the download and installation of the hidden malware on your computer.
Another method of distribution used by the Tabe ransomware is app bundling. When you download cracked tools or freeware from dubious sources, you might be installing malware along with that program or software, especially if you’re not reading the entire installation process.
You should also watch out for notifications that prompt you to update any type of software on computers, such as Java, your antivirus, Adobe, or other programs. These fake updaters will install malware on your computer instead of actual updates. Other distribution methods include P2P downloads, file-hosting websites, malvertising, and redirects.
What Can Tabe Ransomware Do?
Once the Tabe ransomware has infiltrated your computer, the first thing it does is go through your files and encrypt the important data, including documents, images, videos, and archives. Once the encryption is complete, you will see that all files will have .tabe added at the end of the filename. So if you have an image with the abc.jpg filename, it will be renamed to abc.jpg.tabe after the encryption.
Because Tabe ransomware uses a powerful encryption algorithm, decrypting the files without the decryption key is almost impossible. You can’t open your files or recover them using regular tools.
After going through your files and locking them, the ransomware drops the ransom note on your desktop where you can easily see it when you open your computer. The ransom note usually reads:
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID
Your first instinct is, of course, to pay the ransom, especially if the data encrypted contains your work files. However, security experts advise against paying the ransom for two reasons: you’ll only be contributing to the growth of criminal activities and there is no guarantee that the hackers will release the decryption key to you. Since the attackers have gotten what they want, it is possible that they would no longer care whether you get your files back as long as they have the money.
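To see how far the encryption reached before you start the removal steps, the following added example (not part of the original guide and not taken from any vendor tool) walks a folder read-only, lists files carrying the .tabe extension together with the name they had before encryption, and locates copies of _readme.txt. The function names and the use of file modification times as a rough indicator of when encryption started are assumptions made for this illustration.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".tabe"   # extension the article says is appended
RANSOM_NOTE = "_readme.txt"  # ransom note filename named in the article


def original_name(filename):
    """abc.jpg.tabe -> abc.jpg; None if the file is not marked as encrypted."""
    if filename.lower().endswith(ENCRYPTED_SUFFIX) and len(filename) > len(ENCRYPTED_SUFFIX):
        return filename[: -len(ENCRYPTED_SUFFIX)]
    return None


def inventory(root):
    """Walk root without modifying anything and summarise what was affected."""
    encrypted, notes, by_type = [], [], Counter()
    first_seen = None
    for dirpath, _dirs, files in os.walk(root):  # unreadable folders are skipped
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
                continue
            orig = original_name(name)
            if orig is None:
                continue
            # Pair each locked file with the path it had before the rename.
            encrypted.append((path, os.path.join(dirpath, orig)))
            by_type[os.path.splitext(orig)[1].lower() or "(none)"] += 1
            try:
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # file vanished or is unreadable; it is still counted
            first_seen = mtime if first_seen is None else min(first_seen, mtime)
    # Assumption: the oldest mtime among locked files approximates when
    # encryption began; this is a hint for picking a restore point, not proof.
    when = (datetime.fromtimestamp(first_seen, tz=timezone.utc).isoformat()
            if first_seen is not None else None)
    return {"encrypted": encrypted, "notes": notes,
            "by_type": dict(by_type), "earliest_mtime_utc": when}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    report = inventory(target)
    print(len(report["encrypted"]), "encrypted files;", len(report["notes"]), "ransom notes")
    print("by original type:", report["by_type"])
    print("earliest encrypted-file mtime (UTC):", report["earliest_mtime_utc"])
```

Run it against a copy or a mounted image of the affected disk where possible; the earliest timestamp helps when choosing a restore point that predates the infection.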
Tabe Ransomware Removal Instructions
If your computer is infected by the Tabe ransomware, do not pay the ransom fee. Instead, you should remove the ransomware from your computer as soon as possible and try to restore your files.
Follow these steps on how to remove Tabe ransomware from your device:
Step 1: Quit All Tabe Ransomware Processes.
The first step in deleting Tabe ransomware from your computer is to kill all the processes associated with it. You won’t be able to make all the changes while these processes are running. To close these processes, go to Task Manager, right-click on the suspicious processes, then click the End Process button. Do this for all the Tabe ransomware processes, then proceed to the next step.
Step 2: Uninstall Tabe Ransomware.
If the Tabe ransomware came with a program or PUP, you need to uninstall it from your computer by going to Settings > Apps & features. Click on the suspicious program, then click the Uninstall button. To make sure you get rid of all the infected files, you can run a scan using your antivirus software.
Step 3: Restore Your Files Using Decryption Tools.
Your first option when trying to decrypt your files is to use online decryptors. If your computer has been infected by an older Djvu ransomware, then you can use Emsisoft’s decryption tools.
Here are other tools you might want to try.
Step 4: Use System Restore.
This method requires using a previously set system restore point to revert changes done to your system by the Tabe ransomware. You don’t have to worry because you won’t lose your files in the process.
To do this:
- Boot into Safe Mode with Command Prompt by clicking Start > Power, then hold the Shift key while you click Restart.
- In the Windows Troubleshoot screen, select Troubleshoot > Advanced Options > Startup Settings > Restart.
- In the Startup Settings, press F6 to enter Safe Mode with Command Prompt.
- When the Command Prompt appears, type in cd restore, then press Enter.
- Next, type in rstrui.exe and press Enter.
- Or you can simply type this command, then press Enter: %systemroot%\system32\restore\rstrui.exe.
- When the System Restore window opens, click Next and then choose the restore point you want to use.
- Click Yes to start the restoration process.
The Tabe ransomware can be more troublesome than the previous versions of Djvu ransomware because there is no existing decryptor yet. What you can do is remove the ransomware from your device and try to restore your files manually using System Restore or try your luck with other decryptors. But whatever you do, do not pay the ransom.