
Wednesday, March 18, 2015

Remove Ransom Virus and Restore Encrypted Files

There's a new, particularly unpleasant variant of malware that is well worth knowing more about in order to protect your data and operating system: this ransomware. First of all, let's clear one thing up about ransomware programs - they are not viruses, despite what many people think. A computer virus replicates itself, while a ransom Trojan doesn't. However, don't let this fool you into thinking they are not malicious - they definitely are! It uses a rather sophisticated cryptosystem to encrypt your files and then asks you to pay $300 or even more to have the files decrypted.

How does ransomware infect your computer?

It's being distributed with the help of Trojan downloaders and as a standalone piece of malware as well. As you may know, Trojan downloaders present themselves to you as programs that have a certain perceived value. They might be disguised as an invoice via email or as the latest must-play game app. They can also be embedded in websites, packaged with a program or software that you've downloaded, or delivered as attachments or links in spam emails or instant messages. Cyber criminals use various methods, including social engineering, to infect as many computers as possible. After all, it's pretty obvious more encrypted data = more money.

What does a ransom Trojan do?

It is not nice – that's for sure. It attacks your computer from within, destroying, corrupting or simply deleting your files, copying your data, slowing your operating system down until your PC is virtually unusable, changing your default settings and installing new desktop icons or toolbars and generally causing you as much harm as possible. It can also install additional malware onto your PC, leaving your machine begging for mercy – and you tearing your hair out in frustration and sheer panic. This infection is actually very similar to the ransomware. The way both ransom viruses encrypt and change file extension to makes me think that they are somehow connected. However, I couldn't find any links between these two infections yet. One thing is known for sure - it does encrypt your files. It also leaves a ransom note with instructions on how to get your files back. It is possible that an e-mail to or just might reply with instructions.

How to protect your PC from this ransomware

To increase the chances of staying as free as possible from ransomware you need to make sure that you are running a decent anti-virus or anti-malware program on your computer. Installing a firewall is also a good idea as this helps to prevent threats from connecting with your computer. The more protection and lines of defense the better. Of course, we hope we shouldn't have to say it, but don't open emails from unknown senders, and definitely don't click on attachments or links contained within them. Even if you do recognize the sender, it is still a very good idea to be cautious as you never know if the email is spam and designed to look like it comes from a trusted company or brand, or if a friend or co-worker has been hacked.

Is there a way to recover my files?

Unfortunately, at this time there is no way to decrypt the files without your unique decryption key, which can be bought from cyber criminals for almost $300. Do not pay the ransom. Instead, follow the removal guide below to salvage your data and clean your computer ASAP. There are a few tools that can help you to restore at least some of your files without paying a ransom.

And now you're done reading this, may I suggest that you back up all your files onto an external hard drive NOW. That way if you are unlucky enough to fall victim to ransomware, you'll be able to simply wipe clean your internal disk drive and replace it with up to date data.

If you have any questions, please leave a comment below. To remove ransom virus, please follow the steps in the removal guide below. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing virus and related malware:

Before restoring your files from shadow copies, make sure ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
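What Shadow Explorer does in Method 3 can also be done from an elevated PowerShell prompt once the malware has been removed. This is an added example, not part of the original guide; the drive letter, infection date and mount folder are assumed values, and it needs PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example: list Volume Shadow Copies and expose one as a folder for recovery.
# Run elevated, and only after Step 1 has removed the malware.
# $Drive, $InfectedOn and $MountPoint are assumed values; adjust them.
$Drive      = 'C:\'
$InfectedOn = Get-Date '2015-03-18'     # constructed date: when files were encrypted
$MountPoint = 'C:\ShadowRestore'        # must not exist yet

# Map the drive letter to its volume GUID path, which is how snapshots reference it.
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Drive }
if (-not $volume) { throw "Volume $Drive not found." }

# All snapshots of that volume, oldest first.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) {
    Write-Warning "No shadow copies exist for $Drive (never enabled, or deleted)."
    return
}
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Pick the newest snapshot taken before the encryption started.
$good = $shadows |
    Where-Object { $_.InstallDate -lt $InfectedOn } |
    Select-Object -Last 1
if (-not $good) {
    Write-Warning "Every snapshot is newer than $InfectedOn; its files may already be encrypted."
    return
}

# Expose the snapshot as a folder. The trailing backslash on the target is required.
cmd /c mklink /d $MountPoint "$($good.DeviceObject)\"
Write-Host "Snapshot from $($good.InstallDate) is available at $MountPoint."
Write-Host "Copy the files out, then remove the link with: cmd /c rmdir $MountPoint"
```

Copy recovered files to a different drive or folder rather than over the encrypted originals, so nothing is lost if the snapshot turns out to be the wrong one.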