Remove SuperBlack Ransomware

SuperBlack is a ransomware variant likely derived from LockBit 3.0, observed in cyberattacks between January and March 2025. This malware encrypts files, appends random-character extensions to filenames, and demands ransom in exchange for decryption keys. Additionally, it exfiltrates sensitive data, threatening victims with leaks if they refuse to pay. The ransomware is linked to a suspected Russian-speaking threat actor known as “Mora_001,” who primarily exploits Fortinet firewall vulnerabilities to infiltrate systems.

SuperBlack Ransomware Summary

Category	Details
Threat Name	SuperBlack Ransomware
Threat Type	Ransomware, Crypto Virus, File Locker
Encrypted File Extension	Random character string (e.g., .fB1SZ2i3X)
Ransom Note Filename	[random_string].README.txt
Associated Email	None (contact via Tox chat)
Detection Names	Avast (Win32:RansomX-gen [Ransom]), Combo Cleaner (Trojan.GenericKDZ.107474), ESET-NOD32 (Win32/Filecoder.BlackMatter.), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), Microsoft (Ransom:Win32/Lockbit.HA!MTB)
Symptoms of Infection	Files renamed with random extensions, inability to open encrypted files, ransom note on desktop, system slowdown
Damage	Data encryption, risk of sensitive information leaks, financial loss
Distribution Methods	Phishing emails, malicious attachments, trojans, drive-by downloads, compromised RDP servers, Fortinet firewall exploits
Danger Level	High

Upon execution, SuperBlack encrypts all accessible data, changes the desktop wallpaper, and drops a ransom note named [random_string].README.txt. Victims are warned not to tamper with encrypted files or use third-party decryption tools, as doing so may cause permanent data loss. Cybercriminals behind this ransomware communicate through Tox chat, offering to decrypt a single file as proof that recovery is possible. However, paying the ransom does not guarantee data restoration, as attackers often fail to provide decryption tools even after receiving payment.

---

SuperBlack Ransom Note

>>>> Your data are stolen and encrypted!

>>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Your competitors or law enforcement may get them on the web.

Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...

You can request the tree of files that we have.

>>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat:

>>>> Your personal DECRYPTION ID: 7FBC34A4128F7B75E19B7F2A4E1938A0
\n1)Download and install TOX chat: hxxps://tox.chat  \n2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you.

>>>> DO NOT MODIFY FILES YOURSELF.  
>>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.  
>>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.  
>>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

---

Manual Ransomware Removal Process

Important: Manual removal is recommended only for experienced users, as incorrect actions can lead to data loss or incomplete removal of the ransomware. If unsure, consider the SpyHunter Removal Method for a guided, automated solution.

Step 1: Disconnect from the Internet

1. Immediately disable Wi-Fi or unplug the Ethernet cable to prevent the ransomware from communicating with remote servers.
2. This can prevent additional encryption or further infections.

Step 2: Boot into Safe Mode

For Windows Users

1. Windows 10/11:
   • Press Windows + R, type msconfig, and press Enter.
   • Under the Boot tab, select Safe boot and check Network.
   • Click Apply, then OK, and restart your PC.
2. Windows 7/8:
   • Restart your PC and press F8 repeatedly before Windows starts.
   • Select Safe Mode with Networking and press Enter.

For Mac Users

1. Restart your Mac and hold the Shift key immediately after the startup chime.
2. Release the key when the Apple logo appears.
3. Your Mac will boot in Safe Mode.

Step 3: Identify and Terminate Malicious Processes

Windows

1. Open Task Manager by pressing Ctrl + Shift + Esc.
2. Look for unusual processes consuming high CPU or memory.
3. Right-click on the suspicious process and select End Task.

Mac

1. Open Activity Monitor (Finder > Applications > Utilities > Activity Monitor).
2. Look for unknown or high-resource-consuming processes.
3. Select the suspicious process and click Force Quit.

Step 4: Delete Ransomware Files

Windows

1. Open File Explorer and navigate to:
   • C:\Users\[Your Username]\AppData\Local
   • C:\Users\[Your Username]\AppData\Roaming
   • C:\Windows\System32
2. Identify and delete suspicious files (randomly named or recently modified items).
3. Clear temporary files:
   • Press Windows + R, type %temp%, and hit Enter.
   • Delete all files in the Temp folder.

Mac

1. Open Finder and select Go > Go to Folder.
2. Type ~/Library/Application Support and check for unfamiliar files or folders.
3. Remove unknown .plist files from ~/Library/LaunchAgents.

Step 5: Remove Ransomware Entries from Registry or System Settings

Windows

1. Press Windows + R, type regedit, and hit Enter.
2. Navigate to:
   • HKEY_CURRENT_USER\Software
   • HKEY_LOCAL_MACHINE\Software
3. Identify and delete ransomware-related registry entries.

Mac

1. Open System Preferences > Users & Groups.
2. Select the Login Items tab and remove any unknown startup programs.
3. Check ~/Library/Preferences for malicious settings.

Step 6: Restore System Using a Backup or Restore Point

Windows

1. Press Windows + R, type rstrui, and press Enter.
2. Choose a restore point from before the infection and proceed.

Mac

1. Restart your Mac and enter macOS Utilities by holding Command + R.
2. Select Restore from Time Machine Backup and restore a safe backup.

Step 7: Attempt to Decrypt Files

• Check No More Ransom (www.nomoreransom.org) for available decryption tools.
• If unavailable, restore files from backups.

---

Automated Ransomware Removal with SpyHunter

If manual removal is too complex or risky, SpyHunter offers a safer, automated method for detecting and removing ransomware.

Step 1: Download SpyHunter

• Get SpyHunter from the official Enigma Software website.

Step 2: Install SpyHunter

1. Open the downloaded file (SpyHunter-Installer.exe or .dmg for Mac users).
2. Follow the installation prompts.
3. Launch SpyHunter upon completion.

Step 3: Run a Full System Scan

1. Click Start Scan Now to detect malware and ransomware.
2. Wait for the scan to complete and review detected threats.

Step 4: Remove Detected Ransomware

1. Click Fix Threats to remove identified ransomware components.
2. SpyHunter will clean your system automatically.

Step 5: SpyHunter’s Custom Malware HelpDesk

1. If ransomware persists, use SpyHunter’s Malware HelpDesk for custom malware fixes.

Step 6: Restore Files

• Use backups stored on external drives or cloud storage.
• If no backup is available, check No More Ransom for decryption tools.

---

Preventing Future Ransomware Attacks

• Keep backups: Use cloud storage or an external hard drive.
• Install a reliable security tool: SpyHunter offers real-time protection against malware.
• Enable Windows Defender or Mac security features for additional protection.
• Avoid phishing emails and unknown attachments.
• Regularly update Windows, macOS, and installed applications.

---

SuperBlack ransomware is a severe cyber threat that locks files and threatens data exposure. This ransomware is highly dangerous and often leaves victims without viable recovery options.

If you are still having trouble, consider contacting virtual technical support.