7ev3n Virus (Ransomware Removal Guide)

7ev3n virus is a new type of ransomware that has recently been found. 7ev3n virus encrypts personal data, renames the encrypted files with the .R5A extension, and displays a lock screen on the computer it infects. The lock screen contains a ransom note that demands 13 bitcoins to decrypt the files, the largest ransom demand to date for this type of computer infection.

7ev3n virus

7ev3n ransomware also damages the Windows system it infects. It modifies multiple system settings and boot options, and it disables certain keyboard keys and the system recovery options, which makes it very difficult to remove. It is also nearly impossible to bypass the 7ev3n lock screen, which adds more frustration to the removal process.

Unlike many common forms of ransomware, 7ev3n is not currently widespread and there are few reports of it. Some of those reports come from untrustworthy websites and forums known to host malware, which can be dishonest and deceiving. This means that there is little research on the ransomware, and that other websites may try to trick you into performing unnecessary tasks or purchasing software that cannot remove it.

When a computer becomes infected with 7ev3n ransomware, the ransomware scans all drives for files that match certain extensions. Each matching file is encrypted and renamed into a numbered sequence of files with the .R5A extension. The file extensions targeted by 7ev3n ransomware include:

dbf, arw, txt, doc, docm, docx, zip, rar, xlsx, xlsb, xlsm, pdf, jpg, jpe, jpeg, sql, mdf, accdb, mdb, odb, odm, odp, ods

Once the ransomware has completed the encryption process it displays a ransom note on the lock screen. The ransom note demands 13 bitcoins to decrypt the files, and shows instructions and the bitcoin address the ransom must be sent to.

To make matters worse, 7ev3n ransomware installs several files in the %LocalAppData% folder that carry out its tasks and hold information significant to the ransomware. These files are listed below:

7ev3n files

%LocalAppData%\bcd.bat
%LocalAppData%\del.bat
%LocalAppData%\system.exe
%LocalAppData%\time.e
%LocalAppData%\uac.exe
C:\Windows\System32\Tasks\uac
C:\Windows\System32\elsext.dll

7ev3n also writes a Scancode Map registry value that disables keys and key combinations commonly used to troubleshoot and repair Windows, such as Alt+Tab, Ctrl+Shift+Esc, and the Run dialog. The value disables the Enter, Escape, Right Alt, Right Ctrl, Right Shift, Right Windows, Left Alt, Left Ctrl, Left Windows, F1, F3, F4, F10, Num Lock, and Tab keys. The remaining values register its scheduled task, replace the Winlogon shell (normally explorer.exe) with the ransomware's own system.exe, disable UAC (EnableLUA = 0), and clear the Sticky Keys hotkey bit (Flags 506 instead of the default 510), so pressing Shift five times no longer brings up the Sticky Keys prompt. These registry keys and values are listed below:

7ev3n registry keys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62EC9C46-634C-4957-8A5C-4566462D0CE6}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\uac
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "C:\Users\[login_name]\AppData\Local\system.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "crypted"
HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout "Scancode Map" = 00000000 00000000 17000000 00003800 000038e0 00005be0 00005ce0 00003600 00001d00 00001de0 00000f00 00000100 00001c00 00003e00 00003b00 00004400 00004500 00003d00 00005de0 00000000
HKCU\Control Panel\Accessibility\StickyKeys "Flags" = 506
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "System"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "rgd_bcd_condition" = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "EnableLUA" = 0
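The Scancode Map value above is the part of the infection that locks the keyboard, and it is worth being able to read one rather than trusting a list of key names. The following PowerShell is an added example, not code from the original page or from the ransomware: it decodes a Scancode Map value using the layout documented for the Windows keyboard class driver (8 header bytes, a DWORD entry count that includes the terminating null entry, then one DWORD per mapping with the output scancode in the low word and the physical key's scancode in the high word). The key-name table and the sample input are constructed here; the sample is the value exactly as transcribed in the list above.

```powershell
# Added example (not from the original page): decode a "Scancode Map" REG_BINARY
# value into the keys it remaps or disables. Scancodes are Set 1; 0xE0xx values are
# the extended keys (right-hand Alt/Ctrl, Windows and Application keys).
# BitConverter reads little-endian, which is how the registry stores the DWORDs.

$ScancodeNames = @{
    0x0001 = 'Escape';        0x000F = 'Tab';          0x001C = 'Enter'
    0x001D = 'Left Ctrl';     0x0036 = 'Right Shift';  0x0038 = 'Left Alt'
    0x003B = 'F1';            0x003D = 'F3';           0x003E = 'F4'
    0x0044 = 'F10';           0x0045 = 'Num Lock';     0xE01D = 'Right Ctrl'
    0xE038 = 'Right Alt';     0xE05B = 'Left Windows'; 0xE05C = 'Right Windows'
    0xE05D = 'Application (menu)'
}

function ConvertFrom-HexString {
    # Turn a spaced hex dump (as shown on this page or in a regedit export) into bytes.
    param([string]$Hex)
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length % 2) { throw 'hex string has an odd number of digits' }
    $bytes = New-Object byte[] ($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertFrom-ScancodeMap {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 16) { throw 'too short: header, count and terminator need 16 bytes' }
    $declared = [BitConverter]::ToUInt32($Bytes, 8)    # count as written, terminator included
    $entries  = @()
    for ($off = 12; $off + 4 -le $Bytes.Length; $off += 4) {
        $to   = [BitConverter]::ToUInt16($Bytes, $off)      # low word: output scancode, 0 = disabled
        $from = [BitConverter]::ToUInt16($Bytes, $off + 2)  # high word: the physical key
        if ($to -eq 0 -and $from -eq 0) { break }           # null terminator ends the list
        $name = $ScancodeNames[[int]$from]
        if (-not $name) { $name = 'unknown' }
        if ($to -eq 0) { $effect = 'disabled' } else { $effect = 'remapped' }
        $entries += New-Object PSObject -Property @{
            Key = $name; From = ('0x{0:X4}' -f $from); To = ('0x{0:X4}' -f $to); Effect = $effect
        }
    }
    # Walk to the terminator rather than trusting the count, and report any mismatch:
    # a well-formed value declares exactly (entries + 1).
    New-Object PSObject -Property @{
        Declared   = $declared
        Entries    = $entries
        Consistent = ($declared -eq ($entries.Count + 1))
    }
}

# Constructed input: the value as transcribed in the registry list above.
$PageValue = '00000000 00000000 17000000 00003800 000038e0 00005be0 00005ce0 00003600 ' +
             '00001d00 00001de0 00000f00 00000100 00001c00 00003e00 00003b00 00004400 ' +
             '00004500 00003d00 00005de0 00000000'
$map = ConvertFrom-ScancodeMap (ConvertFrom-HexString $PageValue)
$map.Entries | Format-Table Key, From, To, Effect -AutoSize
"declared count: $($map.Declared); entries found: $($map.Entries.Count); consistent: $($map.Consistent)"

# On a live or safe-mode system, read the real value instead of the transcription:
# $live = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout' `
#          -Name 'Scancode Map' -ErrorAction SilentlyContinue).'Scancode Map'
# if ($live) { ConvertFrom-ScancodeMap $live }
```

Decoding the transcribed value gives 16 disabled keys: the 15 named above plus 0xE05D, the Application (menu) key. Note that the count DWORD reads 0x17 (23) while only 17 entries including the terminator follow, so either the transcription is incomplete or the count was written in decimal; that is why the decoder walks to the null entry and reports the mismatch instead of reading 23 entries past the end of the data.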

How to remove 7ev3n virus

At the time of writing there is no way to decrypt the files for free. The removal process is also tedious and not easy to perform, and ordinary computer users may have difficulty removing 7ev3n ransomware from their computers. We have a virus removal hotline set up to help you remove threats from your computer. If you have any issues, please call us at 1-866-521-2427.

The best method to remove 7ev3n ransomware from an infected computer is to boot from a Windows installation disc and enter repair mode from System Recovery Options. Once in repair mode you should see a list of recovery tools. You can also reach repair mode by pressing F8, F10, F11 or another manufacturer-specific key on the boot screen when the computer restarts.

1. Click Command Prompt on the System Recovery Options menu to open the recovery command prompt, and enter the following commands to re-enable the recovery options:

bcdedit /set {default} bootems yes
bcdedit /set {default} advancedoptions on
bcdedit /set {default} recoveryenabled on
bcdedit /set {default} bootstatuspolicy DisplayAllFailures 

2. When you have completed the first step, type exit and reboot the computer into Safe Mode with Command Prompt. Log in as the account that was infected, since the %LocalAppData% paths below belong to that user's profile. Once at the command prompt, perform the following tasks:

Delete files:

%LocalAppData%\bcd.bat
C:\Windows\System32\Tasks\uac

Rename files:

%LocalAppData%\system.exe
C:\Windows\System32\Tasks\uac (if it was not already deleted in the step above)

Remove Registry values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout "Scancode Map"
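The page names the files and values to remove but not the commands, and it leaves two of the registry changes listed earlier in place. The following script is an added example, not code from the original page: it performs steps 1 and 2 in PowerShell (which can be started from the Safe Mode command prompt), and additionally reverts the Winlogon\Shell, Run, EnableLUA and StickyKeys values from the registry list above, which the page's own step list does not touch. The restored values (explorer.exe, EnableLUA = 1, Flags = 510) are the standard Windows defaults. It assumes it runs from Safe Mode with Command Prompt as the infected account, so that $env:LOCALAPPDATA is that user's profile and HKLM: is the infected system's hive; from the installation disc's recovery prompt both would point at the recovery environment instead, and the registry edits would go to the wrong hive.

```powershell
# Added example (not from the original page): steps 1 and 2 of the cleanup, plus the
# registry reverts described in the lead-in. Run as an administrator from Safe Mode
# with Command Prompt on the infected system, logged in as the infected user.

$ErrorActionPreference = 'Continue'
$local = $env:LOCALAPPDATA
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1 again (harmless if it was already done from the recovery prompt). The braces
# must be quoted in PowerShell or {default} is parsed as a script block.
bcdedit /set '{default}' bootems yes
bcdedit /set '{default}' advancedoptions on
bcdedit /set '{default}' recoveryenabled on
bcdedit /set '{default}' bootstatuspolicy DisplayAllFailures

# Step 2a: unregister the "uac" scheduled task, which removes both the Tasks\uac file
# and its TaskCache registry entries; then delete what is left of it and the batch file.
schtasks /Delete /TN uac /F
foreach ($f in "$local\bcd.bat", "$env:SystemRoot\System32\Tasks\uac") {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force; "deleted  $f" }
}

# Step 2b: quarantine the executables by renaming rather than deleting them, so a
# sample survives for hashing or submission to an AV vendor.
foreach ($f in "$local\system.exe", "$local\uac.exe", "$local\del.bat") {
    if (Test-Path -LiteralPath $f) {
        Rename-Item -LiteralPath $f -NewName ((Split-Path $f -Leaf) + ".quarantine-$stamp")
        "renamed  $f"
    }
}

# Step 2c: registry. Removing the Scancode Map only takes effect after a reboot.
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout' -Name 'Scancode Map' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'System' -ErrorAction SilentlyContinue
# Renaming system.exe while Shell still points at it would leave the next normal logon
# with no desktop, so put the default shell back.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'Shell' -Value 'explorer.exe'
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKCU:\Control Panel\Accessibility\StickyKeys' -Name 'Flags' -Value '510'
# The two marker values the ransomware wrote are harmless once it is gone; clear them anyway.
foreach ($v in 'crypted', 'rgd_bcd_condition') {
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Name $v -ErrorAction SilentlyContinue
}

# Verify before rebooting into Normal Mode.
$kbd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
if ($kbd.PSObject.Properties['Scancode Map']) { Write-Warning 'Scancode Map is still present' } else { 'Scancode Map removed' }
'Shell is now: ' + (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
```

The script deliberately leaves C:\Windows\System32\elsext.dll and %LocalAppData%\time.e alone: the page lists them but does not say what they do, and a file in System32 should be hashed and checked before it is removed. The quarantined copies can be deleted once the scans in the following steps come back clean.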

3. Once you have completed all of the steps, reboot your computer into Normal Mode and open your web browser to download the scan and removal tools.

4. Download and install Malwarebytes Anti-Malware.

5. Open Malwarebytes and click the large blue Scan Now button to begin a scan.

6. Once the scan is complete click the Remove Selected button and Finish button afterwards. If Malwarebytes suggests that you restart your computer please do so.

7. Next, download and install HitmanPro by SurfRight.

8. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

9. When the HitmanPro scan is complete click the Next button and then click the Reboot button. *To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

Your computer should now be clean of this ransomware and repaired. If you have any questions please feel free to call our support hotline at 1-866-521-2427.


Sean Doyle

http://Botcrawl.com

Sean Doyle is an engineer from Los Angeles, California. Sean's primary focuses include Internet Security, Web Spam, and Online Marketing.