7ev3n

7ev3n targets the Windows OS and spreads via spam emails carrying malicious attachments, as well as through file-sharing networks. It installs multiple files in the %LocalAppData% folder, each of which controls a different function: disabling boot-up recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disable various Windows keys, including F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. This variant is unique in that it demands 13 bitcoins as payment, the largest ransom amount demanded thus far by a variant (the bitcoin to US dollar conversion fluctuates daily; current rates are available here). It also locks victims out of Windows recovery options, making it challenging to repair the damage done by 7ev3n. The most recent version, 7ev3n-HONE$T, operates in much the same way as its predecessor, but uses different lock screens and drops its ransom demand to 1 bitcoin.
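The one concrete indicator the entry gives is the .R5A extension on encrypted files. The following script is an added example (not code from the page or from any of the tools it links to) that a responder could run against a copied user profile to measure how far the encryption reached: it walks a directory tree, reports per directory how many files carry the extension, and derives an approximate infection window from the encrypted files' modification times. The sample tree it builds in a temporary directory is constructed for the demonstration and is not real victim data.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extension 7ev3n appends to files it has encrypted (from the entry above).
RANSOM_EXT = ".r5a"


def scan_for_r5a(root):
    """Walk `root` and summarise .R5A hits per directory.

    Returns {directory: {"encrypted": [paths], "total": file_count}} for every
    directory that holds at least one encrypted file, so the responder can see
    which parts of the tree were touched and how completely.
    """
    summary = defaultdict(lambda: {"encrypted": [], "total": 0})
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            summary[dirpath]["total"] += 1
            if name.lower().endswith(RANSOM_EXT):
                summary[dirpath]["encrypted"].append(os.path.join(dirpath, name))
    return {d: v for d, v in summary.items() if v["encrypted"]}


def infection_window(hits):
    """Earliest and latest mtime among encrypted files (epoch seconds), or None."""
    mtimes = [os.path.getmtime(p) for v in hits.values() for p in v["encrypted"]]
    if not mtimes:
        return None
    return min(mtimes), max(mtimes)


def report_lines(hits):
    """Human-readable one-line summary per affected directory."""
    lines = []
    for d, v in sorted(hits.items()):
        n = len(v["encrypted"])
        pct = 100 * n // v["total"]
        lines.append(f"{d}: {n}/{v['total']} files carry {RANSOM_EXT} ({pct}%)")
    return lines


def build_sample_tree():
    """Constructed sample tree for the demo: two encrypted files, two untouched."""
    root = tempfile.mkdtemp(prefix="r5a_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.xlsx.R5A").write_bytes(b"\x00" * 16)   # constructed
    (docs / "notes.txt.R5A").write_bytes(b"\x00" * 16)     # constructed
    (docs / "readme.txt").write_text("untouched")
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = scan_for_r5a(sample_root)
    print("\n".join(report_lines(found)))
    print("infection window (epoch):", infection_window(found))
```

Run it against a mounted image or copied profile by replacing the sample root with that path; directories that show 100% hits are fully encrypted, while partial percentages usually mark where the process was interrupted.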

  • Bleeping Computer provides information on repairing damage done to a system after a 7ev3n infection, found here. Information about 7ev3n-HONE$T is available here.

  • Decryption tools for 7ev3n-HONE$T are available on GitHub, here.

  • Additional decryption tools for 7ev3n are available here and here.