7ev3n ransomware demands 13 Bitcoins in payment, wreaks havoc on Windows PCs

David Bisson

Researchers have uncovered a new type of ransomware that trashes victims’ Windows system and demands 13 Bitcoins in payment – one of the largest malware-based ransoms seen to date.

Lawrence Abrams of Bleeping Computer explains how the ransomware, which has been dubbed “7ev3n”, encrypts .DOC, .JPG, .PDF, and other common file types according to a unique process:

“When a computer is infected, the ransomware will scan all of the drive letters that match certain file extensions and when it finds a match rename them into numbered sequences of files with the .R5A extension. For example, if a folder contains 25 data files, the ransomware will encrypt and rename all the files to 1.R5A, 2.R5A, 3.R5A … 25.R5A.”

Once the ransomware has successfully infected a victim’s files, it displays a ransom message that demands 13 Bitcoins (approximately $5,100 USD). This note includes a Bitcoin address where ransom payments should be submitted:

Sign up to our newsletter
Security news, advice, and tips.

As if paying thousands of dollars in ransom weren’t bad enough, 7ev3n also installs a number of files to the %LocalAppData% folder. These include %LocalAppData%system.exe, which is the main executable of the ransomware; %LocalAppData%del.bat, which removes the ransomware’s installer; and %LocalAppData%time.e, which contains a timestamp of when the infection began.

The destructiveness of these files pales in comparison to that of %LocalAppData%bcd.bat, however. Included in that particular install are several BCDEDIT commands which disable a number of critical Windows recovery options, including the Windows Emergency Management System, the Boot Options Editor, and Startup Repair.

“Now that 7ev3n has effectively locked you out of any recovery options, it will also add a registry entry that disables keys commonly used to troubleshoot Windows such as Alt+Tab, Task Manager and the Run dialog. It does this by adding a special registry value that disables the F1, F10, F3, F4, Enter, Escape, Left Alt, Left Ctrl, Left Windows, Num Lock, Right Alt, Right Ctrl, Right Shift, Right Windows, and Tab keys.”

Clearly, this particular ransomware is not to be trifled with.

At this time, there is no way for a victim to recover their files without paying the ransom unless they have a backup.

Even after victims regain control of their computer, they must invest some time in resetting the damage caused by the ransomware. This involves the use of a Windows installation disc to reactivate the recovery options originally disabled by 7ev3n. Once this is complete, a user can then enter into Safe Mode and remove all of the files installed by the ransomware. Installing a reputable anti=virus program and letting it run on your computer should clean up the rest.

Clearly, not only are ransomware authors upping the ante with regards to their ransom demands. They are also designing their malware to leave a lasting impact on their victims’ machines.

With this in mind, users need to protect themselves by implementing regular software updates, maintaining an updated antivirus solution on their computers, and backing up their data often. These small steps could help save you thousands of dollars and a lot of time spent restoring your PC to a workable state.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

14 comments on “7ev3n ransomware demands 13 Bitcoins in payment, wreaks havoc on Windows PCs”

  1. Worth mentioning that backing up to an external drive, network drive etc, is no good, IF YOU LEAVE THE DISK CONNECTED. Those files will be encrypted too …
    I have a friend who was caught out by this. Ouch.

  2. Most PCs come without installation disks. How do you get one without paying hundreds of pounds for a new license ?

    1. You actually should be making your own install disk when you first boot up, Most new PC's ask you to creat them the first time you use the computer.

  3. Jim I was just about to ask, I store all files on a NAS drive so my PC only has the OS and application files installed so obviously any ransomware would have access to this drive too if connected. So it looks like on line storage or back to good old USB or DVD storage :-( I don't like the risks with either particularly

    1. I have a 2 drive NAS but own 3 drives. I change one on Sat mornings so at worse I only lose a week of stuff which would not be much here at home. I would hate to lose the Tb's of music I've been collecting since the Plextor 12-20 came out(I'm showing my age here lol )….

  4. If you get this DON'T do as the article suggests and do a repair.

    Format your HDD and reinstall from scratch.

    If you've got this, you are very likely to have some other dodgy stuff on our system.

  5. This makes you want to really vet any new executable file the PC is trying to get you to run. I assume that is the only way this ransomware can get onto your PC. I must admit, I was really surprised at how easy it is to run bcdedit – Windows should have locked this down with all sorts of unbypassable onscreen prompts.

  6. I would never "clean" an installation after an infection as serious as that, spend money on a new harddrive and reinstall.

    1. Really? Buy a new hard drive? That is a ridiculous response. Just wipe the drive and reinstall from scratch. Done. No need to buy new hardware.

  7. Here is a date which should worry you: July 29th 2016. This is the date Microsoft will start charging for Windows 10. Here is another date which should worry you more: July 17th, 2017. Why? Because it just made July 29th, 2016 one heck of a lot worse…

    Microsoft's new web browser reportedly tracks the websites you visit — even when you ask it not to

    Learn that Apple, Google & M$ are NOT the only computer/mobile operating systems in the world. There are other operating systems that are Free, Faster, Stable, Secure, Superior & far more advance, They are up2date, January 2016, Below


    1. Linux is not fast by any means of the word. It's a complete dog in fact. Kinda reminds me of some people I met that we running Vista and insisted on using AOL.

  8. for all the time and effort as well as money to recover, you might as well just dump that pc in a lake somewhere and buy a new one. you're welcome

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.