
Sunday, June 14, 2015

Remove RSA-2048 Encryption Virus and Restore Encrypted Files

Today we're going to take a closer look at RSA-2048 encryption ransomware, a particularly worrying internet danger, albeit one that doesn't seem to strike as often as some other types of malware. Be that as it may, that's no reason to be blasé about it: if you don't take ransomware seriously and learn a little about how it operates, it could end up costing you a good deal of money.

Okay, I hear you. So what IS RSA-2048 encryption ransomware?

As with most malware, the clue is in the name. Ransomware that uses RSA-2048 encryption will infect your PC and then kidnap your documents, or hold your PC's ability to operate hostage, and demand that you pay a ransom for it to release them or return your computer to its former working state. RSA-2048 (RSA with a 2048-bit key) is a very strong encryption algorithm, and cyber criminals use it precisely because files encrypted with it cannot be decrypted without the matching private key, which only they hold. CryptoWall 3.0, Threat Finder, KEYHolder, CryptoLocker and a few other ransom viruses use this encryption algorithm. So, if you got a ransom note saying that your files are encrypted with a strong RSA-2048 key, then you probably have one of these on your computer. Here are a few examples of ransom notes you may see on your computer:

RSA-2048 encryption ransomware is disseminated just like most other malware: it may arrive in a spam email carrying an infected attachment or a link in the body that leads to a malware-infected website, or it may be bundled with another program, file or application and install itself on your PC at the same time as the program or app you actually wanted.

How do I know if I've been infected by ransomware which uses RSA-2048 encryption?

Firstly, trust us when we say that you WILL know if you have been infected by ransomware! The first thing you will notice is that you can't open a document or program, or that your computer is simply refusing to work. You will then receive a ransom note in the form of an email or a pop-up window telling you that you've been held to ransom. Sometimes this message will claim to come from an organization such as the FBI or another law enforcement agency. And by this point you are probably sweating just a little bit.

Why would the FBI be interested in me? In order to convince you to pay their demands, ransomware programmers will tell you that you have been caught downloading pirated software or visiting a website that contains material of an illicit nature, and that you are now subject to a fine. The one thing to remember is that the FBI, or a similar agency, does not employ such methods, so DON'T pay anything. Instead, take your computer to a local tech store and they should be able to help.

So what should you do if your files have been encrypted using RSA-2048?

Easy to say, but try not to panic, and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important, or you don't have the money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer, Recuva and the other specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that the cyber crooks will decrypt your files.

These days you don't have to have a particular interest in computers to know that there are a multitude of dangers on the internet waiting to do us harm. Computer programmers with bad intentions are constantly dreaming up new ways in which they can wreak havoc on our PCs, scam us out of our money, steal our identities and simply cause us untold levels of stress and upset. The problem is that with so many different types of malware out there, how do we know what to do to protect ourselves from getting caught out? Well, it might not be fun but the best form of protection is to learn as much as you can about these various forms of malicious software so you know how to best avoid being taken in by something. If you have any questions, please leave a comment below. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur

Step 1: Removing RSA-2048 encryption virus and related malware:

Before restoring your files from shadow copies, make sure the RSA-2048 encryption virus is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by RSA-2048 virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for the location where you would like to restore the contents of the folder.

Hopefully, this will help you to restore all encrypted files or at least some of them.
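As an added example that is not part of the original post, here is the Shadow Explorer procedure done from PowerShell, with one extra step the tool's drop-down leaves to you: only snapshots created before the infection are considered, because a snapshot taken after the files were encrypted merely contains encrypted copies (the situation mag describes in the comments). It assumes an elevated PowerShell session on Windows Vista or later; the volume, cut-off date and folder paths are placeholders to adjust.

```powershell
# Added example (not from the original post): enumerate Volume Shadow Copies of a
# volume, keep only those created before the assumed infection time, expose the
# newest of them through a directory symlink and copy a folder out of it.
# Requires an elevated session: Win32_ShadowCopy and mklink need administrator rights.

param(
    [string]$Volume      = 'C:\',                   # volume whose snapshots to inspect
    [datetime]$Before    = (Get-Date).AddDays(-1),  # assumed infection time (placeholder)
    [string]$SourceRel   = 'Users\Alice\Documents', # folder to recover, relative to the volume root (placeholder)
    [string]$Destination = 'D:\Recovered'           # where recovered files go (placeholder, ideally another disk)
)

# Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ id, not the drive letter,
# so map the letter to that id first.
$volumeId = (Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID

$copies = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $Before } |
    Sort-Object InstallDate -Descending)

if ($copies.Count -eq 0) {
    Write-Warning "No shadow copies of $Volume older than $Before exist. Many ransomware families delete them; fall back to a file-carving tool such as Recuva."
    return
}

# Show the candidates so the operator can see what is available
$copies | Format-Table InstallDate, ID, DeviceObject -AutoSize

# Newest snapshot that still predates the infection
$snap = $copies[0]

# A directory symlink makes the snapshot browsable with normal tools.
# The trailing backslash on the device path is required by mklink.
$mount = "$env:SystemDrive\vss_$(Get-Date -Format yyyyMMddHHmmss)"
cmd /c mklink /d $mount "$($snap.DeviceObject)\" | Out-Null

try {
    $src = Join-Path $mount $SourceRel
    if (-not (Test-Path $src)) {
        throw "Folder '$SourceRel' is not present in the snapshot dated $($snap.InstallDate)"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # /E copies subfolders including empty ones; /R:1 /W:1 keeps robocopy from
    # retrying for minutes on a file that is locked; /NFL /NDL quiets the listing.
    robocopy $src $Destination /E /R:1 /W:1 /NFL /NDL | Out-Null
    Write-Host "Recovered '$SourceRel' from snapshot dated $($snap.InstallDate) into $Destination"
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents
    cmd /c rmdir $mount | Out-Null
}
```

Copy recovered data to a different disk where possible, and run this only after Step 1 has confirmed the malware is gone, otherwise the restored files may simply be encrypted again.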


Unknown said...

Hello. I have this virus and there were files attached to every single folder on my computer. Last night I deleted all of them (like 20,000) and they didn't come back, but today I realized the internet won't open at all. Any advice?

Admin said...

Hi, you should check your DNS settings.
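The checks behind "check your DNS settings", written out as an added example that is not part of the post or the comment above: it reports the resolvers each adapter uses, any non-comment entries in the hosts file, a configured WinINet proxy (a stale proxy is a common reason nothing loads after a cleanup), and whether a name lookup succeeds right now. It is read-only and assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets; the test hostname is an arbitrary choice.

```powershell
# Added example (not from the original post): read-only survey of the settings
# that decide whether name resolution works after a malware cleanup.

function Get-DnsFindings {
    $findings = @()

    # 1. Resolvers per adapter. Anything outside your ISP's or LAN's range deserves a second look.
    $cfgs = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
    foreach ($cfg in $cfgs) {
        $findings += [pscustomobject]@{
            Check = 'DNS server'; Item = $cfg.InterfaceAlias; Value = ($cfg.ServerAddresses -join ', ')
        }
    }

    # 2. The default hosts file contains only comments, so every real entry is worth reading;
    #    malware uses it to black-hole security vendors' update and download sites.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = Get-Content $hosts | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
    foreach ($line in $entries) {
        $findings += [pscustomobject]@{ Check = 'hosts entry'; Item = $hosts; Value = $line.Trim() }
    }

    # 3. A proxy left behind and pointing at a host that no longer answers blocks every browser.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) {
        $findings += [pscustomobject]@{ Check = 'proxy'; Item = 'WinINet (current user)'; Value = $inet.ProxyServer }
    }

    # 4. Does resolution actually work right now? (hostname is an arbitrary, well-known one)
    $probe = 'www.microsoft.com'
    try {
        $r = Resolve-DnsName -Name $probe -Type A -ErrorAction Stop
        $findings += [pscustomobject]@{ Check = 'lookup'; Item = $probe; Value = ($r.IPAddress -join ', ') }
    }
    catch {
        $findings += [pscustomobject]@{ Check = 'lookup'; Item = $probe; Value = "FAILED: $($_.Exception.Message)" }
    }

    $findings
}

Get-DnsFindings | Format-Table -AutoSize
```

If the lookup fails while the resolver addresses look normal, compare them with what the router hands out (`ipconfig /all`); if the hosts file or proxy shows entries you did not add, that is what to clean up.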

Anonymous said...

Hi- Thanks for a simple yet insightful post. Will any of the following prevent the malware from attacking in the first place:

1. revoking admin rights for a user. Make yourself a normal user and use an admin login only when you have to install a program.
1.b (sub question) I am guessing that I may not be able to update my anti-virus signatures/install windows updates unless I am logged in as an admin.
2. Encrypting the hard disk.

In a recent situation, a spam blocker blocked emails that carried the infection via a word/excel file but a zip file got through and did the damage. Any thoughts on why this may have happened? Was that a vulnerability in the spam filter?

mag said...

I tried Shadow Explorer. The earliest copy is dated after the encryption. Any other idea?

Admin said...

@mag, download and run a program called Recuva (just google recuva). It's free and works in a slightly different way than Shadow Explorer.

Admin said...

1. I think revoking admin rights won't help because the virus will attempt to exploit vulnerabilities on your computer even if it's a guest account.

1b. There may be problems with updating your computer. Antivirus should work just fine.

2. That won't help because the virus will simply encrypt your already encrypted hard disk. Basically, it will encrypt any file found on your computer no matter if it's encrypted or not.

As for the spam blocker, I don't really know but I guess that it may not be able to scan zip files.

In order to mitigate the risks of being affected by ransom virus you should immediately check to make sure you are running the latest versions of Java, Flash, Reader, and have all the Windows security updates installed.
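Taking the last paragraph of that comment as a checklist, here is an added example (not from the post or its author) that inventories the installed Java, Flash Player and Adobe Reader versions from the Windows Uninstall registry keys and lists Windows updates that are still pending, via the Windows Update Agent COM API. It prints versions rather than judging them, since "latest" has to be compared against each vendor's site; the display-name patterns are assumptions about how those products register themselves.

```powershell
# Added example (not from the original post): what is installed and what is
# still missing, for the three plugins and the Windows updates the comment names.
# Assumes a Windows host that can reach Windows Update; no admin rights needed to read.

function Get-InstalledSoftware {
    param([string[]]$Patterns)   # wildcard patterns matched against DisplayName (assumed names)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $name = $_.DisplayName
            ($Patterns | Where-Object { $name -like $_ }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Get-PendingWindowsUpdates {
    # Microsoft.Update.Session is the same API the Windows Update client uses
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Updates that are neither installed nor hidden by the user
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Severity = $u.MsrcSeverity   # Critical/Important/... for security updates, empty otherwise
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
        }
    }
}

"== Installed versions of the software the comment asks you to check =="
Get-InstalledSoftware -Patterns 'Java *', '*Flash Player*', 'Adobe Reader*', 'Adobe Acrobat Reader*' |
    Format-Table -AutoSize

"`n== Windows updates not yet installed (security updates first) =="
Get-PendingWindowsUpdates | Sort-Object Severity -Descending | Format-Table -AutoSize
```

An empty first table is the best result: a browser plugin that is not installed cannot be exploited by a drive-by download, which is the route the comment's advice is guarding against.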