2016-03-10

A brand-new strain of malicious file-encrypting software appears to be targeting Windows computers, with a likely focus specifically on enterprise networks. The unique attributes of this particular crypto plague include the .eclr extension appended to filenames, as well as ransom terms differing from those of other known ransomware variants. The perpetrators in charge of this campaign are trying to extort an astonishing amount of money. In order to get all files decrypted, a compromised organization may be required to pay as much as 100 Bitcoins, which is more than 40,000 USD. This amount is firm-specific and depends on the number of workstations that underwent the destructive impact.

Unfortunately, some security solutions are unable to intercept the .eclr file virus because it employs a cutting-edge AV evasion mechanism. It takes only one machine being hit by the ransomware for the entire corporate infrastructure to be paralyzed in a matter of hours or even minutes. The infection encrypts data on local drives and network shares with the RSA or AES cryptographic algorithm. In the worst-case scenario, it can also encode offsite backups.

The ransomware encrypts files and adds .eclr extension

This ransom trojan creates two new files inside every folder with ciphered data. These are README_IMPORTANT.txt and secret.key. The former text document contains steps mandatory for file recovery. In particular, it says “Your files are fully encrypted. Make the payment of 100 Bitcoins to the BTC address below [Bitcoin address]. After we receive the payment the decryption program and key will be sent to your email. The decryption program will restore your files back to normal.”

An odd thing is that the extortionists rely on communication over email to interact with the victims, as opposed to the automated payment and recovery principle exercised by the majority of cybercrime actors spreading ransomware. The operators of the .eclr file extension Trojan provide an email address, which is allegedly valid for only 48 hours. In other words, if the infected person or organization fails to pay up during 4 days, the important files will no longer be recoverable. As proof that the attackers are able to restore the locked objects, they offer to decrypt one file that the victim sends them.

Since the encryption employed by .eclr malware involves generating high-entropy decryption keys, no regular tools can retrieve them. Moreover, the unthinkable size of the ransom is a huge obstacle to recovery. Most breeds of widespread ransomware hardly ever demand a fee of more than 2 BTC, but the sample under consideration seems to have nothing to do with common sense in this regard. Be sure to read the troubleshooting section of this article to learn how to get rid of the .eclr extension virus and try to recover the most important files.
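The two artefacts described above (the .eclr extension on encrypted files and the README_IMPORTANT.txt / secret.key pair dropped into every affected folder) are the things an incident responder sweeps a file server or share for first. The following Python script is an added example written for this article, not a tool from the original write-up: it walks a directory tree, lists folders that contain the ransom note files, lists every .eclr file, and measures the Shannon entropy of each .eclr file's first bytes to confirm it really holds ciphertext (a genuinely encrypted file scores close to 8 bits per byte; an .eclr file with low entropy is worth a closer look because a renamed plaintext file would not need the attackers' key at all). The sample directory layout, file names such as Q1_report.xlsx.eclr, and the 7.5 bits-per-byte threshold are constructed for the demonstration.

```python
"""Triage sweep for .eclr ransomware artefacts (added example, not from the article)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".eclr"                              # extension named in the article
NOTE_FILES = {"README_IMPORTANT.txt", "secret.key"}  # files the article says are dropped per folder


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ~8.0 for ciphertext, well below that for most plaintext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """Read the first `sample_size` bytes and compare their entropy with a constructed threshold."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def sweep(root) -> dict:
    """Walk `root` and report note folders, .eclr files, and .eclr files that are not high-entropy."""
    root = Path(root)
    report = {"note_folders": [], "encrypted_files": [], "low_entropy_eclr": []}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        if set(files) & NOTE_FILES:
            report["note_folders"].append(here.relative_to(root).as_posix())
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                path = here / name
                rel = path.relative_to(root).as_posix()
                report["encrypted_files"].append(rel)
                if not looks_encrypted(path):
                    report["low_entropy_eclr"].append(rel)
    for key in report:                       # os.walk order is filesystem-dependent
        report[key].sort()
    return report


def build_sample_tree(base: Path) -> None:
    """Constructed sample: one hit folder, one clean folder (names are made up for the demo)."""
    hit = base / "finance"
    hit.mkdir()
    (hit / "README_IMPORTANT.txt").write_text("Your files are fully encrypted.\n")
    (hit / "secret.key").write_bytes(os.urandom(32))
    (hit / "Q1_report.xlsx.eclr").write_bytes(os.urandom(8192))   # stands in for ciphertext
    (hit / "decoy.eclr").write_bytes(b"A" * 4096)                  # renamed, not encrypted
    clean = base / "hr"
    clean.mkdir()
    (clean / "policy.txt").write_text("Plain text, untouched.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory, sweep it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return sweep(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Pointing `sweep()` at a mounted share gives a per-folder picture of how far the encryption spread, which is also the figure the note says the ransom is scaled by; the low-entropy list is a sanity check that separates genuinely encrypted files from files that merely carry the extension.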

Remove .eclr ransomware with automatic cleaner

This is an exceptionally efficient method for taking care of malware overall and ransomware threats in particular. The use of a reputable security suite ensures scrupulous detection of all virus components and a complete removal thereof in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things, but the need to remove the pest is indisputable as it has been reported to promote other Trojans while operating.

Download and install the .eclr virus removal software. Having launched the solution, hit the Start Computer Scan button.

Download .eclr file ransomware remover

The tool will come up with scan results, reporting the detected malware. Select the Fix Threats option to remove all the infections that were found. This will lead to complete extermination of the virus under consideration.

Get encrypted files back

It has been mentioned that the .eclr ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff – learn what those are.

Automatic file recovery software

It is worth knowing that this infection erases the original files in their unencrypted form; it is the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they got removed in a secure way. This workaround is definitely worthwhile, as it has proved to be fairly effective.

Download Data Recovery Pro

Shadow Volume Copies

This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works only if the System Restore feature was toggled on before the infection. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.

Use Previous Versions feature

The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.

Apply ShadowExplorer

The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.

Backups

Out of all the options that aren’t ransom-related, this one is the best. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by .eclr malware is as simple as logging into the respective interface, selecting the right files and initiating the restore. Before you do so, however, be sure to completely remove the ransomware from your computer.

Check for possible remnants of .eclr ransomware

In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed as obfuscated objects in the operating system or registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.

Download .eclr files Free Scanner and Remover
