There has been an increase in ransomware attacks in the first half of 2020. As people continue to work from home because of the CoViD-19 pandemic, cybercriminals are using the increasing technology innovations to their advantage and using more destructive capabilities. One of the new lethal, computer access capabilities is the Ambrosia Ransomware.
What is the Ambrosia Ransomware?
Cybersecurity experts have identified the Ambrosia malware as a ransomware entity. Cybersecurity researchers, Xiaopao, first spotted the Ambrosia ransomware in August 2020. They identified Ambrosia as belonging to the Scarab ransomware family. The Scarab family first appeared in 2017 and has now relaunched several ransomware versions in 2020, including Ambrosia.
What Does the Ambrosia Ransomware Do?
The Ambrosia ransomware mainly targets essential files in a user’s PC system, encrypts files, alters their filenames, and leaves a note demanding ransom. The ransom note first informs the victim of their encrypted files and asks them to pay a ransom amount so that they can gain access to their files.
The files that the Ambrosia ransomware targets include:
- Pictures/photos (.jpg)
- Songs (music)
- Important documents, such as .doc, .pdf, .Xls, .mpg or zip
Note: It targets these commonly used files to maximize user damage.
The Ambrosia ransomware encrypts the files and modifies their filenames by adding a .ambrosia file extension to ensure that victims cannot open the file. While other ransomware only appends an extension to the encrypted files, Ambrosia replaces the whole name with a random string and then appends .ambrosia extension.
For instance, after modification, it will rename a file such as “1.jpg” to “2g000000000p0zw9VkBVWnK5dMRu2hk8.ambrosia”. This blocks users from recognizing their data.
After encryption, Ambrosia drops a ransom note on a HOW TO RECOVER ENCRYPTED FILES.txt. The note asks victims to contact the attacks through email – [email protected] or [email protected] Additionally, the note asks victims to pay a ransom, in Bitcoin, to recover encrypted files.
We discourage contacting the attackers or paying the ransom. You’re not sure if the decryption tool will work or if the attackers will plant more malware on your PC.
How Did the Ambrosia Ransomware Get into My Computer?
Cybercriminals have created many ways of getting malware entities they have created into PC systems. They have also found multiple distribution tactics to make malware infections spread to as many victims as possible. Researchers have identified that the Ambrosia ransomware spreads in different ways, such as:
- Malicious spam email attachments and embedded hyperlinks
- Bundled installation with shareware and freeware
- Pirated (free) software and software installers
- Spam email with malicious attachments and embedded hyperlinks
- Unprotected Remote Desktop (RDP) connections
- Exploit kits and software vulnerabilities
- Fake virus infection notifications or Flash Player updates
How to Remove the Ambrosia Ransomware
You need to remove the Ambrosia ransomware as soon as you spot it on your PC or system. If left on the system, Ambrosia can:
- Install other malware variants
- Install other data-stealing programs on your browsers
- Encrypt other new files or recovered files
Here are the Ambrosia ransomware removal instructions:
Solution #1: Scan your system using a professional anti-malware tool
The Ambrosia ransomware uses strong data encryption algorithms that are beyond the function of ordinary antivirus software.
Use a professional anti-malware to conduct a full system scan on your PC. Make sure that the anti-malware has anti-ransomware capabilities so that it can remove the Ambrosia ransomware.
Since the Ambrosia ransomware uses strong data encryption algorithms, an anti-malware is not a sure solution. If you’re lucky, the anti-malware will identify and remove the Ambrosia ransomware and other malware residing on the PC.
Solution #2: Remove the Ambrosia ransomware using Safe Mode with Networking
To boot your PC in Safe Mode with networking (ensure you have a strong network connection):
- Press your Power button at the Windows login screen.
- Press and hold Shift button > and click Restart.
- Select Troubleshoot > the Advanced options > the Startup Settings.
- Press Restart.
- On the Startup setting Window, select Enable Safe Mode with Networking (fifth item on the list).
Once in Safe Mode, you can locate and remove the Ambrosia ransomware on your installed apps.
Solution #3: Delete Ambrosia Ransomware using “System Restore”
It is recommended to use System restore together with Safe Mode with Networking
- On your Windows start Up, continuously press F8 until you see the ‘Advanced Option’ menu
- From the list choose ‘Safe Mode with Command Prompt’ then press Enter
- On the Command Prompt window, type cd restore > and press Enter.
- Again, type rstrui.exe > and press Enter.
- On the new window, click Next and select your Windows Restore point before the Ambrosia infiltration, then click Next.
- After the process, click Yes, to restore.
Once you complete the PC restoration to its previous functioning, download a professional anti-malware tool and conduct a full system scan to remove any Ambrosia Ransomware files left in your PC.
Solution #4: Use quality third-party tools to restore (recover) files
Use quality, third-party data recovery tools to restore and recover the .ambrosia encrypted data. Depending on the third-party tool you choose, you will conduct a full system scan and instruct the tool to recover all the encrypted files.
The data recovery tool will recover your data, clean them and return them to normal functioning before the Ambrosia ransomware attack.
We believe this guide has been insightful in understanding and removing the Ambrosia ransomware. Although most ransomware attacks come without warning, some can be avoided by protecting your computer.
To protect your PC, ensure you have a powerful anti-malware installed in your PC. Also, do not open malicious email attachments or links, avoid freeware and pirated software, and use strong passwords to keep your PC safe.