What is Eight file extension
The .Eight file extension is used by the latest variant of Phobos ransomware. The ‘Eight’ variant is very similar in its characteristics to other variants of this ransomware. It encrypts files and then renames them, giving each a new filename that consists of its old name with ‘.id[user-id].[EMAIL].eight’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock encrypted data. To date, the following variants of Eight ransomware are known (they differ by contact email address): “.[use_harrd@protonmail.com].eight”, “.[petya20@tuta.io].eight”, “.[supportC4@elude.in].eight”, “.[decrypt2021@elude.in].eight”.
What is Eight ransomware
Eight ransomware is one of the variants of the Phobos ransomware. It appends the ‘.Eight’ extension to each file that it encrypts using a complex encryption mechanism. Like previous variants, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, Eight starts working in the background immediately. First of all, the virus configures Windows so that it starts automatically every time the computer is turned on. Eight ransomware uses this mechanism to continue encrypting files if it was interrupted by the computer being turned off or restarted. Further, the ransomware contacts its control server to send information about the infected computer and receive additional commands.
After all the preparatory steps are completed, Eight proceeds to its main task: encrypting files. All files will be encrypted, regardless of whether they are located on a local disk or on a network-connected disk. That is, the contents of the following common file types can be encrypted:
.bsa, .3dm, .bay, .js, .odt, .sie, .dxg, .3ds, .sidn, .pptm, .kdb, .flv, .ptx, .vtf, .wri, .hplg, .hkdb, .mov, .pptx, .2bp, .wpd, .xls, .wn, .wmd, .cas, .epk, .xlsb, .litemod, .sum, .icxs, .sav, .iwd, .txt, .vpk, .rw2, .rgss3a, .qic, .cer, .apk, .xwp, .1st, .jpeg, .dwg, .wpd, .xlgc, .doc, .wbd, .xyp, .re4, .bik, .pdf, .rb, .wm, .wcf, .0, .xbplate, .zw, .png, .wmf, .accdb, .vpp_pc, .mpqge, .ods, .zdb, .xmind, .m4a, .m3u, .7z, .ltx, .raw, .zif, .wpl, .xld, .wp6, .kf, .dbf, .z3d, .xlk, .wbk, .csv, .gdb, .bar, .xpm, .xlsx, .svg, .lrf, .wbz, .ncf, .pst, .ff, .wpe, .wb2, .webdoc, .css, .wps, .wbmp, .xlsm, .psd, .wma, .mef, .wsh, .t13, .x3f, .raf, .pak, .zdc, .bc7, .dazip, .sidd, .xdb, .odc, .esm, .zabw, .mdbackup, .eps, .indd, .jpe, .lbf, .wp4, .bkf, .webp, .p7c, .jpg, .tor, .ai, .tax, .wmo, .sis, .desc, .mdf, .rwl, .iwi, .srf, .ysp, .x3d, .ybk, .wotreplay, .rofl, .map, .bc6, .cdr, .t12, .docx, .wmv, .wpt, .cr2, .dmp, .nrw, .wot, .wire, .lvl, .psk, .zi, .docm, .rar, .layout, .x, .rtf, .p7b, .odp, .xyw, .dcr, .mdb, .wp5, .forge, .wdp, .vfs0, .xmmap, .rim, .xdl, .xml, .w3x, .arw, .srw, .sid, .yml, .erf, .wgz, .orf, .zip, .cfr, .dba, .x3f, .xx, .itl, wallet, .wpa, .d3dbsp, .ws, .xy3, .xls, .pem, .wma, .xf, .itm, .ppt, .mcmeta
When a file is encrypted, the ‘.id[user-id].[EMAIL].eight’ extension is added at the end of its name. That is, if you had a file called ‘document.docx’, then a file with the name ‘document.docx.id[18A191C0-1517].[use_harrd@protonmail.com].eight’ will appear in its place. Renaming the file, or just deleting the added extension, changes nothing: the file remains encrypted and, as before, cannot be opened in the program with which it is associated.
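The naming scheme described above can be used to scope the damage before any cleanup. The following is an added example, not part of the original guide: a read-only Python inventory that parses the ‘.id[user-id].[EMAIL].eight’ suffix and lists candidate ransom notes. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Pattern from the article: <original name>.id[<user-id>].[<email>].eight
# Matched case-insensitively because the article writes both '.eight' and '.Eight'.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.eight$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.txt", "info.hta"}  # note names given in the article


def parse_encrypted_name(name):
    """Return (original, victim_id, contact) for a renamed file, else None."""
    m = ENCRYPTED_RE.match(name)
    return (m["original"], m["victim_id"], m["contact"]) if m else None


def inventory(root):
    """Walk root and summarise renamed files and candidate notes (read-only)."""
    report = {"encrypted": [], "notes": [], "ids": Counter(),
              "contacts": Counter(), "by_original_ext": Counter()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed:
            original, victim_id, contact = parsed
            report["encrypted"].append(path)
            report["ids"][victim_id] += 1
            report["contacts"][contact.lower()] += 1
            # Extension of the file before it was renamed, e.g. '.docx'
            report["by_original_ext"][Path(original).suffix.lower()] += 1
        elif path.name.lower() in RANSOM_NOTES:
            # A legitimate info.txt can exist too, so treat these as candidates.
            report["notes"].append(path)
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files named like the article's example."""
    root = Path(root)
    (root / "docs").mkdir()
    for rel in [
        "docs/document.docx.id[18A191C0-1517].[use_harrd@protonmail.com].eight",
        "docs/budget.xlsx.id[18A191C0-1517].[use_harrd@protonmail.com].eight",
        "docs/untouched.pdf",
        "docs/info.txt",
        "info.hta",
    ]:
        (root / rel).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = inventory(tmp)
        print(f"renamed files: {len(r['encrypted'])}, notes: {len(r['notes'])}")
        print("IDs seen:", dict(r["ids"]))
        print("contacts seen:", dict(r["contacts"]))
        print("original types:", dict(r["by_original_ext"]))
```

Point `inventory()` at a real folder or mounted share to get the same summary; it only reads file names and never modifies or renames anything.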
Perhaps you found on your computer or its desktop new files called ‘info.txt’ and ‘info.hta’ that for some reason are not encrypted. Examples of such files are given below.
The full text of ‘info.txt’:
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: use_harrd@protonmail.com.
If we don’t answer in 24h., send e-mail to this address: useHHard@cock.li
The full text of ‘info.hta’:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail use_harrd@protonmail.com
Write this ID in the title of your message 18A191C0-1517
In case of no answer in 24 hours write us to this e-mail:useHHard@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Criminals use these files to demand ransom from the Eight ransomware victims. The ransom demand message says that the victim’s files are encrypted. The authors of the ransomware demand a ransom in exchange for a key and a decryptor. Attackers offer to decrypt 5 files for free, but these files should not contain any valuable information. Of course, decryption of 5 files cannot guarantee that, after paying the ransom, the victim will be able to recover files affected by the ransomware.
Threat Summary
Name | Eight ransomware |
Type | File locker, Crypto malware, Crypto virus, Ransomware, Filecoder |
Encrypted files extension | .id[user-id].[EMAIL].eight |
Ransom note | info.txt, info.hta |
Contact | use_harrd@protonmail.com, useHHard@cock.li, petya20@tuta.io, supportC4@elude.in, decrypt2021@elude.in |
Ransom amount | $500-$1500 in Bitcoins |
Detection Names | Trojan.Win32.Generic.4!c, Ransom:Win32/generic.ali2000010, Trojan.Ransom.Phobos, Win32:Malware-gen, Ransom.Phobos.S11618290, Win32/Filecoder.Phobos.C, Trojan.TR/Crypt.XPACK.Gen, W32/Phobos.8B03!tr.ransom, Trojan.Generic.elkak, Ransom.Phobos, Win32.Trojan.Filecoder.Lkec, Ransom.Win32.CRYSIS.SMA, Ransom:Win32/Phobos.V!MTB |
Symptoms | Photos, documents and music won’t open. Windows Explorer displays a blank icon for the file type. Files with names such as ‘info.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
Distribution methods | Malicious e-mail spam. Drive-by downloading (when a user unknowingly visits an infected web-site and then malicious software is installed without the user’s knowledge). Social media posts (they can be used to mislead users to download malicious software with a built-in ransomware downloader or click a malicious link). USB stick and other removable media. |
Removal | Eight ransomware removal guide |
Recovery | Eight file recovery guide |
As we have already said, Eight ransomware is not the first in its series. The fact that, to date, antivirus companies have not created a way to decrypt the encrypted files, and have not found a 100% way to protect users’ computers (otherwise how would you be on our site), indicates the complexity of the ransomware virus and the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove Eight ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove Eight ransomware, Restore .Eight files
If you encounter the malicious actions of Eight ransomware, and your files have been encrypted with the ‘.Eight’ extension, then you need to remove the virus or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. If for some reason one of the methods proposed below does not suit you, we definitely recommend trying another one, and trying all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, we want to say that all the tools that we recommend using in our instructions are free and verified by security experts. Lastly, before proceeding with the instructions, we advise you to read them carefully, and then print them or open them on a tablet or smartphone to have them always at hand.
- How to remove Eight ransomware
- How to decrypt .Eight files
- How to restore .Eight files
- How to protect your PC from Eight ransomware virus
How to remove Eight ransomware
If your computer is attacked by Eight ransomware virus, the first thing you need to do is not to try to decrypt (recover) the encrypted files right away! First of all, you need to scan your computer for malware, find and remove Eight ransomware. For this, we recommend using free malware removal tools. It is better to use not one tool, but two or more. Below we provide the best malware removal utilities and brief instructions on their use.
Use Zemana Anti Malware (ZAM) to remove Eight ransomware
Zemana is a free utility that performs a scan of your machine and displays if there are existing trojans, worms, ransomware, spyware, adware and other malicious software residing on your system. If malicious software is found, Zemana AntiMalware can automatically remove it. Zemana doesn’t conflict with other antimalware and antivirus applications installed on your system.
Download Zemana AntiMalware on your system from the link below.
When downloading is finished, close all windows on your machine. Further, launch the setup file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed in the figure below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana Anti-Malware on the PC system. Follow the prompts and do not make any changes to default settings.
Once the install is done successfully, Zemana AntiMalware will automatically start and you can see its main window like below.
Next, click the “Scan” button to perform a system scan for the Eight ransomware, other malware, worms and trojans. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. While the Zemana Anti Malware program is checking, you can see the count of objects it has identified as threats.
After the system scan is done, Zemana Anti Malware will show you the results. Make sure to check mark the threats which are unsafe and then press “Next” button.
The Zemana Anti Malware will remove Eight ransomware and other security threats and move threats to the program’s quarantine. After that process is done, you may be prompted to reboot your personal computer.
Remove Eight virus with MalwareBytes
We advise using the MalwareBytes AntiMalware (MBAM). You can download and install MalwareBytes Anti-Malware (MBAM) to find and remove Eight virus from your PC system. When installed and updated, this free malicious software remover automatically detects and deletes all threats present on the machine.
- Please go to the following link to download the latest version of MalwareBytes AntiMalware for MS Windows. Save it on your Windows desktop.
- At the download page, click on the Download button. Your browser will open the “Save as” prompt. Please save it onto your Windows desktop.
- Once the downloading process is complete, please close all applications and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
- This will open the “Setup wizard” of MalwareBytes Free onto your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti-Malware will start and show the main window.
- Further, press the “Scan Now” button to perform a system scan for the Eight virus, other malware, worms and trojans. This procedure can take some time, so please be patient. When malware, adware or potentially unwanted apps are found, the number of security threats will change accordingly. Wait until the checking is complete.
- Once the system scan is complete, MalwareBytes Free will open a scan report.
- Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Quarantine Selected” button. When finished, you may be prompted to restart the PC.
- Close the AntiMalware and continue with the next step.
Remove Eight from personal computer with KVRT
If you have already used some malware removal tools and they found and removed malicious software, then in order to be 100% sure that the computer no longer has Eight ransomware virus, we recommend using the Kaspersky virus removal tool (KVRT). This utility, as its name suggests, is designed by the Kaspersky lab and uses the core of the Kaspersky Antivirus. Unlike the Kaspersky Antivirus, KVRT has a smaller size and, most importantly, it can work together with an already installed antivirus software. This utility has great capabilities and therefore we recommend using KVRT last, to be sure that the Eight crypto malware has been removed.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
When the download is complete, double-click on the KVRT icon. Once initialization procedure is done, you’ll see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press the Start scan button to perform a system scan for the Eight ransomware and other known infections. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the tool is checking, you can see how many objects and files it has already scanned.
After that process is finished, KVRT will produce a list of unwanted applications and ransomware virus as on the image below.
In order to remove all items, simply click on Continue to start a cleaning task.
How to decrypt .Eight files
Files with the extension ‘.Eight’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by Eight ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Everyone has to remember that paying the developers of the Eight ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Eight ransomware) in order to recover locked personal files. There still are some ways to defuse crypto malware without paying ransom, so you would not need to pay hackers and you would not let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .Eight files
If all your files are encrypted with the .Eight file extension, then you only have one thing left: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now: use free malware removal tools or return to step 1 above.
Use ShadowExplorer to recover .Eight files
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can recover your documents, photos, and music encrypted by Eight ransomware from Shadow Copies for free. Unfortunately, this method does not always work due to the fact that the ransomware almost always deletes all Shadow copies.
Please go to the link below to download ShadowExplorer. Save it on your Desktop.
When the downloading process is finished, extract the saved file to a folder on your PC system. This will create the necessary files as shown on the image below.
Start the ShadowExplorerPortable program. Now select the date (2) that you want to recover from and the drive (1) you wish to restore files (folders) from as on the image below.
On the right panel, navigate to the file (folder) you want to recover. Right-click the file or folder and click the Export button as displayed in the following example.
And finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.
Use PhotoRec to restore .Eight files
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec by clicking on the link below.
Once the downloading process is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen like below.
Choose a drive to recover as displayed in the following example.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music like the one below.
Click the File Formats button and specify file types to recover. You can enable or disable the recovery of certain file types. When this is complete, click the OK button.
Next, click the Browse button to choose where recovered files should be written, then click Search.
The count of recovered files is updated in real time. All restored personal files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is complete, click the Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see contents as shown in the following example.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can sort your recovered files by extension and/or date/time.
How to protect your PC from Eight ransomware virus
Most antivirus software already has a built-in protection system against crypto malware. Therefore, if your computer does not have an antivirus application, make sure you install one. As an extra protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the Windows operating system from Microsoft Windows XP to Windows 10.
Download HitmanPro.Alert on your Microsoft Windows Desktop from the following link.
After downloading is complete, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is launched, you will be shown a window where you can choose a level of protection, as on the image below.
Now click the Install button to activate the protection.
Final words
This guide was created to help all victims of Eight ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .Eight files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Eight virus related issues, go here.