Remove Sorebrect Ransomware | Updated


I wrote this article to help you remove Sorebrect Ransomware. This Sorebrect Ransomware removal guide works for all Windows versions.

Sorebrect ransomware is a fileless win-locker. The virus is comprised of code strings. It exploits the built-in encryption mechanisms of the Windows operating system (OS). Sorebrect ransomware was discovered recently upon investigating attacks on enterprises. The attacks are targeted at companies, rather than private users. Researchers first spotted the win-locker in the Middle East. Since then, the clandestine program has been found in several countries, including Kuwait, Lebanon, Croatia, Italy, Russia, China, Taiwan, Japan, Mexico, Canada and the USA. As the infection is steadily spreading across the world, security experts warn people to raise their guard.

Sorebrect ransomware is distributed through an unusual propagation vector. The hackers behind the virus scan a targeted network. They have the technology to identify a machine with weak credentials for remote desktop access. By obtaining tested pre-generated pairs of user names and passwords, they gain access to the network and obtain administrative privileges. This gives them the ability to install and remove software. Experts have found that Sorebrect ransomware targets the svchost.exe process. This is an important Windows component. It hosts other system processes. To enhance your level of protection, you need to improve your methods for generating login credentials.
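The credential guessing described above shows up in the Windows Security log as a burst of failed logons (event 4625) from one source followed by a success (4624). The following is an added example, not part of the original article, that flags that pattern; the CSV layout, column names, thresholds and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a CSV export of Security-log logon events (not real data).
# 4625 = failed logon, 4624 = successful logon. LogonType 10 = RemoteInteractive
# (RDP), 3 = Network (where RDP failures are recorded when NLA is enabled).
SAMPLE_EVENTS = """\
time,event_id,logon_type,account,source_ip
2024-01-15T02:14:01,4625,3,administrator,203.0.113.7
2024-01-15T02:14:03,4625,3,admin,203.0.113.7
2024-01-15T02:14:05,4625,3,backup,203.0.113.7
2024-01-15T02:14:07,4625,3,test,203.0.113.7
2024-01-15T02:14:09,4625,3,scanner,203.0.113.7
2024-01-15T02:14:11,4625,3,backupadmin,203.0.113.7
2024-01-15T02:14:13,4624,10,backupadmin,203.0.113.7
2024-01-15T08:59:40,4625,3,jsmith,10.0.0.15
2024-01-15T09:00:02,4624,10,jsmith,10.0.0.15
2024-01-15T09:05:00,4624,2,jsmith,-
"""

def find_guessed_logons(csv_text, min_failures=5, window=timedelta(minutes=10)):
    """Return remote logons that succeeded right after a burst of failures from the same IP."""
    failures = defaultdict(list)   # source_ip -> timestamps of failed remote logons
    hits = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        if row["logon_type"] not in {"3", "10"}:
            continue               # ignore local/console logons
        when = datetime.fromisoformat(row["time"])
        src = row["source_ip"]
        if row["event_id"] == "4625":
            failures[src].append(when)
        elif row["event_id"] == "4624":
            recent = [t for t in failures[src] if when - t <= window]
            if len(recent) >= min_failures:
                hits.append({"source_ip": src, "account": row["account"],
                             "time": row["time"], "failures_before": len(recent)})
            failures[src].clear()  # a success resets the counter for this source
    return hits
```

A single mistyped password followed by a success (the `jsmith` rows) stays below the default threshold and is not reported.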

Sorebrect ransomware encrypts different file formats. The target range includes text documents, images, videos, audio files, databases, logs, compressed archives, zipped folders and other data carriers. The virus appends the .pr0tect file extension to the original names of the encrypted objects. A lot of win-lockers add a custom suffix to the titles of the targeted files. For the victim, this makes it easy to identify the corrupted data. The code inserted into the svchost.exe process deletes the binary, which makes the win-locker fileless.

As we alluded to earlier, the creators of Sorebrect ransomware are proficient in coding. They have advanced knowledge of how the Windows OS functions. Malware analysts have discovered that the win-locker exploits legitimate system processes. The virus injects malicious code into them, which facilitates the encryption task. Another notable characteristic is that the win-locker does not leave a digital fingerprint on the infected machine. This is one of the measures it takes to avert detection.

The attackers can exploit PsExec and Remote Desktop Protocol (RDP). The latter is a method which makes it easy to perform the intended operations. It helps execute commands from the remote server. PsExec is a Microsoft Sysinternals utility. Sorebrect ransomware uses it to launch a command-line which starts the encryption task. When the virus has finished locking files, it drops a ransom note to inform the victim what has happened and explain what he is required to do. The note is titled READ ME ABOUT DECRYPTION.txt. The win-locker places a copy of it in every folder which contains encrypted data.
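Because the encrypted files carry the .pr0tect suffix and every affected folder receives a copy of READ ME ABOUT DECRYPTION.txt, the damage can be scoped before any restore is attempted. The following is an added example, not part of the original article: it walks a directory tree and builds a per-folder report and a worklist of original file names to recover. The function names and the sample tree are constructed assumptions, as is the rule that an original still present beside its encrypted copy needs no restore.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".pr0tect"                  # extension named in the article
RANSOM_NOTE = "READ ME ABOUT DECRYPTION.txt"   # note title named in the article

def inventory(root):
    """Map each affected folder (relative to root) to note presence and files to restore."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        # Original name = encrypted name minus the appended suffix.
        originals = sorted(f[:-len(ENCRYPTED_SUFFIX)] for f in files
                           if f.lower().endswith(ENCRYPTED_SUFFIX))
        has_note = RANSOM_NOTE.lower() in names
        if originals or has_note:
            rel = os.path.relpath(folder, root).replace(os.sep, "/")
            report[rel] = {
                "note": has_note,
                # Skip originals that already exist next to the encrypted copy.
                "to_restore": [o for o in originals if o.lower() not in names],
            }
    return report

def restore_worklist(report):
    """Flatten the report into sorted relative paths to pull from backup or shadow copies."""
    return sorted(f"{folder}/{name}"
                  for folder, entry in report.items() for name in entry["to_restore"])

def demo():
    """Build a constructed sample tree and return (report, worklist)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "docs": ["q3-report.docx.pr0tect", "notes.txt.pr0tect", "notes.txt", RANSOM_NOTE],
            "db": ["orders.mdf.pr0tect"],      # encrypted files but no ransom note
            "clean": ["readme.md"],            # untouched folder, not reported
        }
        for folder, files in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name in files:
                open(os.path.join(root, folder, name), "w").close()
        report = inventory(root)
        return report, restore_worklist(report)
```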

Sorebrect ransomware assigns a unique 128-character ID to each victim. You have to send it to the hackers when requesting the decryption key. Different versions of the win-locker list separate email accounts: [email protected] and [email protected]. The cyber criminals communicate with users through a command and control (C&C) server. When you contact them, they will tell you how much you are required to pay. The payment website is hosted on the Tor network. The sum has to be transferred in Bitcoins. The special conditions have been devised to protect the identity of the cyber thieves. Experts have not been able to create a custom decrypter for Sorebrect ransomware yet. Still, victims have the option to recover their files with the help of a backup.

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Sorebrect Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies, so your first attempt should be to restore the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive in the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If neither of the above methods works, you should try to recover the encrypted files by using file recovery software. Since Sorebrect Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete