The Spamhaus Ransomware infection is one of the more unique ransomware infections, in that not only does it block your from accessing your computer’s desktop and programs, but in the event that you are somehow able to access your files, it will have encrypted them so you cannot view them in any way. Thus, the Spamhaus Ransomware infection is incredibly dangerous, meaning it is crucial that the moment you discover you are infected, that you remove it immediately.
The Spamhaus Ransomware scans for any files ending with the .ddrw ,.pptm ,.dotm ,.xltx ,.text ,.docm ,.djvu ,.potx ,.jpeg ,.pptx ,.sldm ,.xlsm ,.sldx ,.xlsb ,.ppam ,.xlsx ,.ppsm ,.ppsx ,.docx ,.odp ,.eml ,.ods ,.dot ,.php ,.xla ,.pas ,.gif ,.mpg ,.ppt ,.bkf ,.sda ,.mdf ,.ico ,.dwg ,.mbx ,.sfx ,.mdb ,.zip ,.xlt extensions, to which they will then be encrypted. Once the ransomware encrypts a file, it will then rename the file as an HTML file, to which it will then embed the encrypted file inside of the file. Thus, once you try to launch the encrypted fault, you will be taken a web page (blocked by http://xblblock.com), and will be instructed to pay a “ransom” via a MoneyPak code.
At this moment, there isn’t a decryptor available for the files encrypted by Spamhaus Ransomware. Therefore, you will need to restore the files from a previous backup (and if you do not have one, we highly suggest you make a habit of backing up your data in the future). If there is not a backup available, your other option is to restore the file from a previous version in Windows. To accomplish this, you will need to rename the file to the original filename, right-click the file, select Properties, select Previous Versions, and select the file from the previous versions found. Once found, backup the existing encrypted file, restore it to the previous version, to which Windows will restore the older file and overwrite the encrypted one. It’s a long, roundabout way of obtaining your files, but in the end it’s worth it if you do not have a backup of your files.
Once you are looking at the Spamhaus Ransomware screen that appears when you attempt to boot into Windows, you will see the following:
“The Spamhaus Project
IP address: xx.xx.xx.xx
Tracking time: 1 w 10 h 03 m
Responsible agent: David C. Krehnke
Address: 18 Avenue Louis Casai CH-1209 Geneva Switzerland
You have 48 hours left to enter your payment.
You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms).
You are breaking numerous International and USA laws.
Actions made by your computer backed up under United States law USA Patriot ACT
What exactly is The Patriot Act?
The Patriot Act is short for The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
We have the right backed by law:
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
With the support of the federal Bureau investigation department on cybercrime and the Supreme court of the United States of America. We have the legal right to scan and intercept any information going in and out of your computers.
You IP address (xx.xx.xx.xx) was identified and isolated by our organization in connection with a complaint to the involvement of distributed denial of service (DDoS) attack such organizations: NASDAQ and BATSS stock exchange markets and WIKILEAKS.ORG website. Such attacks caused $15 billion in damage. In order to isolate this infected files we have blocked your access to the outside world and your IP address was listed in our XBL Block List. You can not use the internet or any of your programs.
You have a chance to settle this issue right now before we contact the proper authorities. Within 48 hours, you can pay a fine of $300. All your files will be decrypted, and access to the computer will be granted, a claim for compensation from affected from affected companies will be removed and your IP (xx.xx.xx.xx) address will be restored to good standings with XBL Block List.
If you don’t pay a penalty within the next 48 hours, local authorities and secret service will be contacted, and most likely it will result in your arrest. You can and will be prosecuted to the fullest extent of the law in order to recover our losses. Do not take a chance to be convicted as a felon.
Our spamhaus agent has conducted a full check of your system and found following violations:
• You are a distributor of pornography and porno materials, regularly watch porno sites with child pornography and zoophilia.
• You possess unlicensed software and pirate audio and video records.”
Of course, this warning is false and you should never pay the $300 as instructed by the fake warning. PAYING THE FINE WILL NOT ONLY FUND CYBER CRIMINALS IN CRIMINAL ACTS SUCH AS THESE, BUT IT COULD RESULT IN YOUR IDENTITY BEING STOLEN. IF YOU HAVE PAID THE $300 VIA A MONEYPAK CODE, CONTACT MONEYPAK AND YOUR CREDIT CARD COMPANY/BANK IMMEDIATELY AND INFORM THEM OF THE SITUATION!
Removal Options for Spamhaus Ransomware Virus
Boot up Your Computer via ‘Safe Mode with Networking’
The first thing we need to do is to shut the computer down. Make sure the computer is completely off! Once the computer is turned off, we need to turn it back on and boot into Safe Mode with Networking
To do this, press the power button then immediately start tapping the F8 Key on your keyboard.
Within a few seconds, you will notice the Windows Advanced Options Menu. Using your arrow keys to choose the Safe Mode with Networking option, press Enter. (Screenshot provided below)
Log into Windows and View Desktop
Safe Mode with Networking will then load a variety of files and drivers, so do not worry as this is perfectly normal. You will then see your account’s user icon. Once you see it, log into your account to view your Windows’ Desktop as normally.
Open Your Web Browser (Internet)
You will now need to open your web browser, and nearly any web browser will suffice: Internet Explorer, Firefox, or Google Chrome for starters.
Download Trusted Removal Software
Download the Free or Paid Version of Malwarebytes Anti-Malware.
Install MalwareBytes Anti-Malware
Install MalwareBytes Anti-Malware as you would any other program. Once the installation process begins, the software may download new definitions and update the program, so give it a few minutes and allow it to update appropriately. Once the updates are completely and you are viewing the following screen below, you are ready to use it:
Run a Full Scan with MalwareBytes
Select the Full Scan box, then select Scan to begin the scanning for malware. Ensure drive C: is selected, then select Scan once more.
Look at the Infected Files
Once the scan is finished, select OK to look at the files then select Show Results.
Remove the Infected Files via MalwareBytes
You will now notice a variety of infected files and registry keys. Ensure the detected objects are selected, then select Remove Selected.
Reboot Your PC
MalwareBytes Anti-Malware will inform you that you must reboot. This is perfectly normal, and will provide the software with the opportunity to remove the infected files.
Boot Back into Windows
Your PC will now boot up as normally without the virus infected your machine. Open a few of your regularly-used software and ensure everything is working as normally.
Congratulations! All Finished!
We sincerely hope this guide has helped you. If you fixed your computer using our free guide, we ask that you support us by selecting one of our social share buttons or by commenting on our guide with your feedback below!
If you are uncomfortable making changes to your operating system, please contact an Expert!