Infected with Iron Ransomware? Need to decrypt .encry files?

What is Iron Ransomware

Iron Ransomware, also known as Iron Locker, Iron Unlocker Ransomware and Maktub Ransomware, is a file-encrypting malware that locks users' documents, photos, videos and other files using AES, with RSA for the key; the cybercriminals then demand 0.2-1.1 Bitcoins for decryption. In fact, real decryption is not guaranteed after payment. The ransomware creates a unique ID for every infected machine. It also creates a file, !HELP_YOUR_FILES.HTML, with the following content:

WARNING!
Your personal files are encrypted.
11:44:18
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.
Open http://y5mogzal2w25p6bn.mlor
http://y5mogzal2w25p6bn.mlor
http://y5mogzal2w25p6bn.ml
in your browser. They are public gates to the secret server.
The website can help you complete the decryption work automatically.
You could also send 0.2 BTC to 1cimKyzS64PRNEiG89iFU3qzckVuEQuUj
and contact this email recoverfile@mail2tor.com with below ID.
Write in the following personal ID in the input from on server:
5acf9aad008a15062d3685f5


Cybercriminals verify victims and show any information only after ID confirmation. The design of their sites is very similar to that of the previously distributed Maktub Ransomware, so we guess all the listed viruses belong to a single “family”.


All sites specified in !HELP_YOUR_FILES.HTML contain additional information about decryption and payment:

During this time you need to make a payment or the price will be increased.

HELLO!
We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…

WE ARE NOT LYING!
It's easy to delete the program from your personal computer. But not one of the third party programs will be able to do the most important thing – to decrypt your files! In order to do this, you need to have the private master-key that only we have. And only we can restore all of your files.

HOW MUCH DOES IT COST?
We hope that you are convinced that we can decrypt all of your files. Now, the most important thing! The faster you transfer the money, the cheaper file decryption will be. At every stage of payment, you get 3 days or 72 hours. You can see the countdown in the right top corner. After the clock shows 00:00:00 you go to the next stage of payment and the price automatically increases. We only accept the electronic currency Bitcoin as a form of payment. Here is a table that shows the date of payment and the price. Your current stage is marked in yellow.

Stage | Time of payment | How much money should be sent
> 1 | During the first 3 days | 0.2 BTC (~$1200)
2 | From 3 to 6 days | 0.5 BTC (~$3000)
3 | From 6 to 9 days | 0.8 BTC (~$4800)
4 | From 9 to 12 days | 1.1 BTC (~$6600)
5 | From 12 to 15 days | 1.4000000000000001 BTC (~$8400)
6 (*) | More than 15 days | 1.7000000000000002 BTC (~$10200)

Fortunately, Maktub Ransomware doesn’t remove shadow copies and files from some directories, so you can restore some of the encrypted files with Windows recovery tools. If you find files with the .encry suffix on your PC, you should first turn off your Internet connection. If you want to find and remove Iron Ransomware and decrypt .encry files, please read our step-by-step manual.


How Iron Ransomware infected your PC

Iron Locker can spread by hacking through an unprotected network configuration, or via email spam and malicious attachments, fraudulent downloads, web injections, fake updates, and repackaged and infected installers. Encryption adds the .encry suffix to every encrypted file. One way to protect your computer from such threats is to use an antivirus with crypto-protection, such as HitmanPro.Alert with CryptoGuard.

First of all, don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with Networking. To do that, restart your computer and, before the system starts, hit F8 several times. This will stop the system from loading and will show the Advanced Boot Options screen. Choose the Safe Mode with Networking option from the list using the up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Iron Ransomware virus. Launch your Internet browser, download a reliable anti-malware program and start a full system scan. Once the scan is complete, review the scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of the newest viruses similar to Iron Ransomware: files, folders and registry keys.

 

Download Norton

*The trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove the following files and folders of Iron Ransomware:

Remove the following registry entries:

no information

Remove the following files and folders:

iron_locker.exe
\crypto\asn1\
\crypto\bn\
\crypto\cms\
\crypto\conf\
\crypto\dsa\
\crypto\ec\
\crypto\ecdh\
\crypto\ecdsa\
\crypto\engine\
\crypto\err\
\crypto\evp\
\crypto\hmac\
\crypto\lhash\
\crypto\objects\
\crypto\pem\
\crypto\pkcs7\
\crypto\rand\
\crypto\rsa\
\crypto\stack\
\crypto\ui\
\crypto\x509\

How to decrypt files infected by Iron Ransomware (.encry files)?

Decrypt .encry files manually

Restore the system using System Restore


Although the latest versions of ransomware can remove system restore files, this method may help you to partially restore .encry files. Give it a try and use the standard System Restore to revive your data.

  1. Initiate the search for ‘system restore’
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.


  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore
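
Before rolling anything back, it helps to know which folders were hit. The script below is an added example, not part of the original guide: it walks a folder tree read-only and lists the folders holding .encry files, plus any copies of !HELP_YOUR_FILES.HTML and iron_locker.exe. The function names and the sample tree are constructed for illustration, and it assumes the original file name is the encrypted name minus the .encry suffix.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".encry"  # suffix this guide says is added to encrypted files
# Other artifact names from this guide, lower-cased for case-insensitive matching.
ARTIFACTS = {"!help_your_files.html": "notes", "iron_locker.exe": "droppers"}


def inventory(root):
    """Walk root read-only and classify what the ransomware left behind."""
    report = {"encrypted": [], "notes": [], "droppers": [], "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path, lower = Path(dirpath) / name, name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                # Assumption: the original name is the name minus the suffix.
                original = path.with_name(name[: -len(ENCRYPTED_SUFFIX)])
                report["encrypted"].append((path, original))
                report["by_dir"][Path(dirpath)] += 1
            elif lower in ARTIFACTS:
                report[ARTIFACTS[lower]].append(path)
    return report


def restore_worklist(report):
    """(folder, encrypted_count) pairs to roll back, most damaged first."""
    return report["by_dir"].most_common()


def build_sample_tree(base):
    """Constructed sample data: a tiny fake user profile, not real evidence."""
    layout = {
        "Documents": ["budget.xlsx.encry", "notes.txt.encry", "!HELP_YOUR_FILES.HTML"],
        "Pictures": ["cat.jpg.encry", "dog.jpg"],
        "Downloads": ["iron_locker.exe", "setup.msi"],
    }
    for folder, names in layout.items():
        (Path(base) / folder).mkdir(parents=True)
        for name in names:
            (Path(base) / folder / name).write_bytes(b"constructed sample")
    return Path(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rep = inventory(build_sample_tree(tmp))
        for folder, count in restore_worklist(rep):
            print(f"{count:3d} encrypted file(s) in {folder}")
        print("ransom notes:", rep["notes"], "droppers:", rep["droppers"])
```

To use it on real data, call inventory() on the affected profile or drive, ideally from a clean system with the disk attached as a secondary volume; the folders at the top of the worklist are the first candidates for Previous Versions.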

Restore .encry files using shadow copies


  1. Download and run Stellar Data Recovery.
  2. Select the type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and the date that you want to restore them from, then press Scan.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your files from ransomware

Most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approaches to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.


Information provided by Tim Kas
