Executioner (Cellat) is a ransomware-type virus encrypts various data and appends six random characters to a name of each encrypted file. For example, “sample.jpg” might be renamed to “sample.jpg.h80skl” or similar. Executioner (Cellat) then changes the desktop wallpaper and creates an HTML file (“Sifre_Coz_Talimat.html”), placing it in each folder containing encrypted files.
The wallpaper contains a ransom-demand message in Turkish stating that files are encrypted and that a ransom of the equivalent of $150 in Bitcoins must be paid to restore them. It is currently unknown whether Executioner (Cellat) uses symmetric or asymmetric cryptography. In any case, decryption without a unique key is impossible. Cyber criminals store this key on a remote server and victims are encouraged to pay a ransom to receive it. Research shows, however, that these people should never be trusted – cyber criminals often ignore victims once ransoms are submitted. Therefore, never attempt to contact these people or pay any ransom. There is a high probability that paying will not deliver any positive result and you will simply be scammed. Paying is equivalent to sending your money to cyber criminals – you simply support their malicious businesses. Unfortunately, there are no tools capable of restoring files encrypted by Executioner (Cellat). Therefore, you can only restore your files/system from a backup. We recommend using a Total Security approach such as Max Total Security to handle such nuisance.
The Executioner ransomware also known as Cellat ransomware is most likely spread via spam emails containing malicious email attachments, pdf attachments and Word documents prompting the user to enable Macros, etc. Most recent ransomware cases rely on this method of distribution because of its high success rates. Most users tend to be careless with suspicious emails which often lead to ransomware and malware infections.
However, there are other probable methods of infections that could be used by the creators of the Executioner crypto virus. A payload dropper which triggers its malicious script could be spread online. The ransomware may also be spreading the payload file on social media websites and file-sharing services. Another popular method of ransomware and malware distribution is via freeware packages where a program may be bundled with malicious programs.
To avoid infections of that kind, be extremely cautious when dealing with files downloaded from the Web as well as with emails sent by unknown or suspicious entities.