ETHAN ransomware is a recently discovered malware strain belonging to the MedusaLocker ransomware family. It is a file-locking Trojan that encrypts data and appends the “.ETHAN” extension to affected files. Victims are presented with a ransom note named “READ_NOTE.html”, which demands payment in exchange for decryption.
This ransomware not only encrypts files using RSA and AES cryptographic algorithms but also exfiltrates sensitive data. If the victim does not comply with the payment demands, the stolen data is either leaked or sold. The ransom note warns against renaming or modifying encrypted files and using third-party decryption tools, as these actions could cause permanent data loss.
Threat Summary
| Attribute | Details |
|---|---|
| Name | ETHAN Ransomware |
| Threat Type | Ransomware, Crypto Virus, File Locker |
| Encrypted File Extension | .ETHAN |
| Ransom Note File Name | READ_NOTE.html |
| Free Decryptor Available? | No |
| Cybercriminal Contact | QTox chat, fortisram@zohomail.eu |
| Detection Names | Avast (Win64:RansomX-gen [Ransom]), Combo Cleaner (Gen:Variant.Tedy.670488), ESET-NOD32 (A Variant Of Win64/Filecoder.MedusaLocker.A), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), Microsoft (Ransom:Win64/MedusaLocker) |
| Symptoms of Infection | Files are encrypted and renamed with a “.ETHAN” extension, ransom note displayed, inability to access files, demands for Bitcoin ransom. |
| Damage | File encryption, data theft, risk of identity theft, further malware infections. |
| Distribution Methods | Malicious email attachments, phishing scams, torrents, fake software updates, malicious ads. |
| Danger Level | High |
Remove
ETHAN Ransomware
With SpyHunter
Ransom Note Text
YOUR PERSONAL ID:
-
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to
solve your problem.
We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent
your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.
Contact us for price and get decryption software.
email:
fortisram@zohomail.eu
QTOX: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.How ETHAN Ransomware Infects Systems
ETHAN ransomware primarily spreads through phishing emails, drive-by downloads, and malicious advertisements. Attackers use social engineering tactics to trick victims into opening harmful email attachments or clicking on infected links. Common methods of distribution include:
- Email phishing campaigns with infected attachments (macros in Word, PDF files, etc.).
- Torrent downloads and files from peer-to-peer (P2P) sharing platforms.
- Fake software updates and illegal software activation tools.
- Malicious ads (malvertising) and compromised websites.
- Backdoor Trojans that install the ransomware payload.
How to Remove ETHAN Ransomware?
Remove
ETHAN Ransomware
With SpyHunter
Step 1: Enter Safe Mode with Networking
- Restart your PC and press F8 (or Shift + F8) before Windows boots.
- Select Safe Mode with Networking from the menu.
- Log in and continue to the next step.
Step 2: Use SpyHunter to Scan and Remove ETHAN Ransomware
- Download SpyHunter.
- Install and launch the application.
- Click Start Scan Now and wait for the scan to complete.
- Click Fix Threats to remove ETHAN ransomware.
Step 3: Remove Suspicious Programs from Control Panel
- Press Windows + R, type appwiz.cpl, and press Enter.
- Locate any suspicious or unknown programs.
- Click Uninstall and follow the prompts.
Step 4: Delete Malicious Registry Entries
- Press Windows + R, type regedit, and press Enter.
- Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Look for suspicious entries and delete them.
Step 5: Clear Temporary Files
- Press Windows + R, type %temp%, and press Enter.
- Delete all files in the Temp folder.
Step 6: Restore Encrypted Files (If Backups Are Available)
- If you have backups, restore files from an external hard drive or cloud storage.
- Try using shadow copies by running:
vssadmin list shadowsin Command Prompt.
Preventing ETHAN Ransomware Infections
To avoid future ransomware infections, follow these best practices:
- Regular Backups: Store copies of important files on external storage and cloud services.
- Use Reliable Antivirus Software: Keep your antivirus and anti-malware tools updated.
- Enable Email Filtering: Block phishing and spam emails that contain malicious attachments.
- Avoid Suspicious Links and Downloads: Do not open unknown email attachments or click random links.
- Update Software Regularly: Keep Windows and installed applications updated.
- Use Strong Passwords and 2FA: Secure your online accounts to prevent unauthorized access.
- Disable Macros in Microsoft Office: Prevent macro-based malware infections.
- Educate Employees and Users: Conduct cybersecurity awareness training.
Conclusion
ETHAN ransomware is a highly dangerous cyber threat that encrypts files and demands ransom payments while also stealing sensitive data. While removal is possible using SpyHunter or similar anti-malware tools, decrypting files without the attacker’s key is unlikely. The best defense is proactive prevention, including data backups, security software, and cautious browsing habits.
Remove
ETHAN Ransomware
With SpyHunter
If you are still having trouble, consider contacting remote technical support options.
