
Tuesday, October 20, 2015

Remove Virus and Restore Encrypted Files

Whether you are running a massive corporation, work in a small or medium-sized company, freelance remotely on your own, or just use your laptop for reading the sports results, gaming or shopping online for shoes, the moment you are connected to the internet you are putting yourself in the way of danger, and there is no real guarantee that you are safe from an attack by a hacker, malware or a virus. There are plenty of scams out there, and phishing and social engineering are increasingly being used by cyber criminals to con hard-working folk out of their money, identities or data. So with that in mind, let's take a closer look at a particularly nasty ransomware variant which encrypts your files and leaves a VIRUSFUCKEDYOURFILES.txt ransom note containing an email address and instructions on how to get your files back.

Cyber criminals and hackers know that there is big money to be made. The malware industry is big business, and criminals are making full use of their questionable programming talents to reap their ill-gotten gains. So where does that leave the likes of you and me? Unfortunately, simply downloading an anti-virus program and then forgetting about it is no longer enough. After all, no sooner has the latest version of an anti-virus program or security patch been released than a brand new piece of malware is launched to get around the latest security measures. Take a moment to think about when you last updated your anti-virus...

What is ransomware?

It is one of the more unpleasant types of malware that you can come across, and it can really get the stress levels rising if you have been unfortunate enough to fall victim to it. Ransomware's goal is to con you into handing over a sum of money – usually a not inconsiderable sum of money either! In addition to this it can cause real damage to your files and your PC's operating system. How does it achieve this? By playing on our insecurities and vulnerabilities.

As with so many of the other sorts of malware, the clue is in the name when it comes to understanding just what a ransom virus can do. If you have been infected, the program will take your files and programs hostage and hold them to ransom. It does this by attacking your operating system and then encrypting the data on your computer so that everything is rendered inaccessible. So, yes, that does mean that you will now be unable to open your files, personal documents, work PowerPoints or spreadsheets, and all of those lovely family vacation photos you also have stored on your device. It leaves a text file named VIRUSFUCKEDYOURFILES.txt with the following information:

If you wish to get all your files back, you need to pay 3 BTC.
How to get bitcoins?
1. google bitcoin ATMs
2. google localbitcoins dot com
3. google: buy bitcoins
This is the only way to get your files back.
There’s no way to decrypt them without the original key.
The price is non-negotiable.
After paying 3 BTC and emailing the confirmation of payment you will be provided with a decoder.
If you don't trust me, you can email one of your files, I will decode it and send it back to you.
However, if the file you're requesting to decode is valuable, I will send you either a quote from it or a screenshot.
I apologise for any inconvenience caused.
Let me know if you want to proceed.
Thank you for cooperation.

This virus encrypts files and renames them by appending a unique ID to the end of each file name. Example of an infected PDF file: DOC The virus may also change file extensions, for example from .pdf to .fff or something like that, so don't be surprised if you can't recognize the new file format.

So what's the solution?

Obviously, continually ensuring that your anti-virus and patches are up to date is an absolute must, but when it comes to defending yourself against a malware attack, educating yourself about the latest issues and staying alert are just as essential. If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky you may find versions that were not encrypted. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing virus and related malware:

Before restoring your files from shadow copies, make sure the ransom virus is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Use RakhniDecryptor tool from Kaspersky.

Method 4: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time shadow copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for the location you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
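Method 4 above drives Shadow Explorer by hand, and the earlier section described how this ransomware renames files with an appended ID and a changed extension. The PowerShell script below is an added example, not code from the original post and not Shadow Explorer's own code, that does the same job from the command line: it sizes up the damage using the renamed files, estimates when encryption began from their timestamps, lists the Volume Shadow Copies of the affected drive, keeps only those taken before that moment, exposes the newest one as an ordinary folder, and copies the clean versions of the affected folders out of it. It assumes the ransom note is named VIRUSFUCKEDYOURFILES.txt and that encrypted files end in .fff (both taken from the post; adjust the parameters if yours differ); C:\Users and C:\ShadowRestore are placeholder paths. Run it from an elevated PowerShell prompt, and only after Step 1, so the malware cannot encrypt the restored copies again.

```powershell
# Added example (not from the original post, not Shadow Explorer's code): triage the damage,
# then find a shadow copy taken BEFORE the infection and expose it as a folder, which is the
# same Volume Shadow Copy data Shadow Explorer browses.
# Assumptions: ransom note VIRUSFUCKEDYOURFILES.txt and .fff extension come from the post;
# C:\Users and C:\ShadowRestore are placeholder paths. Run elevated, after Step 1 (removal).
param(
    [string]$Root               = 'C:\Users',                  # where to look for damage (assumed)
    [string]$NoteName           = 'VIRUSFUCKEDYOURFILES.txt',  # ransom note name from the post
    [string]$EncryptedExtension = '.fff',                      # extension from the post's example
    [string]$MountPoint         = 'C:\ShadowRestore',          # folder that exposes the snapshot (assumed)
    [switch]$Restore                                           # without it the script only reports
)

# --- 1. Scope the damage: where are the notes, how many files were renamed, when did it start?
$files     = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue
$notes     = @($files | Where-Object { $_.Name -ieq $NoteName })
$encrypted = @($files | Where-Object { $_.Extension -ieq $EncryptedExtension })

"Ransom notes found : $($notes.Count)"
"Encrypted files    : $($encrypted.Count)"
$byDir = $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending
$byDir | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# The earliest write time among renamed files estimates when encryption began; only a
# shadow copy created before that moment still holds the clean versions.
$infectionStart = Get-Date
if ($encrypted.Count -gt 0) {
    $infectionStart = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    "Earliest encrypted-file write time: $infectionStart"
}

# --- 2. List the shadow copies of the affected volume and keep those older than the infection.
# Many ransomware families delete shadow copies before encrypting, so this list may be empty.
$drive   = [System.IO.Path]::GetPathRoot($Root).TrimEnd('\')      # e.g. C:
$volume  = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |        # same \\?\Volume{GUID}\ string
    Sort-Object InstallDate -Descending)
$shadows | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize
$usable = @($shadows | Where-Object { $_.InstallDate -lt $infectionStart })
"Shadow copies of $drive older than the infection: $($usable.Count)"
if ($usable.Count -eq 0) { return }

# --- 3. Expose the newest usable snapshot as a directory tree (what Shadow Explorer does).
$newest = $usable[0]
$target = $newest.DeviceObject + '\'          # mklink needs the trailing backslash
if (-not (Test-Path -LiteralPath $MountPoint)) {
    cmd /c mklink /d $MountPoint $target | Out-Null
}
"Snapshot from $($newest.InstallDate) is browsable under $MountPoint"

# --- 4. For every folder holding encrypted files, copy that folder's pre-infection files into
# a sibling folder so nothing on disk is overwritten. The original file names come from the
# snapshot, so the script never has to guess how the malware rewrote them.
foreach ($group in $byDir) {
    $dir      = $group.Name
    $relative = $dir.Substring([System.IO.Path]::GetPathRoot($dir).Length)
    $source   = Join-Path $MountPoint $relative
    $dest     = Join-Path $dir 'RestoredFromShadow'
    if (-not (Test-Path -LiteralPath $source)) { "no snapshot copy of $dir"; continue }
    if ($Restore) {
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Get-ChildItem -LiteralPath $source -File | Copy-Item -Destination $dest -Force
        "restored files of $dir -> $dest"
    } else {
        "would restore $source -> $dest (re-run with -Restore)"
    }
}
```

Without -Restore the script only reports, which is the safe first run: check that the shadow copy it picked really predates the earliest encrypted file, and that the counts per folder match what you see in Explorer, before letting it copy anything. If the shadow copy list comes back empty the snapshots were most likely deleted by the malware, and Method 1 (a backup) or Method 3 (a decryptor) are what is left.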


Anonymous said...

Holy crap. Why can't the FBI crack down on the crooks? That is awful; they can trace them back by money transfers, even with bitcoins.

Zoran Popović said...

I have no idea how to decrypt an MS Access file. I can't use the Kaspersky software because it doesn't recognize .mdb files, and I can't use Shadow Explorer because it doesn't work with Windows XP Service Pack 3. I have no backup.
Help please!

Anonymous said...

Make a copy of the encrypted .mdb file and change .mdb to .xls on the copy so the encrypted file is recognized. After that all encrypted files will be decrypted no matter what extension they have.