Channel: Keone Software

Spora ransomware: decrypt files and remove virus

Learn how to handle the Spora ransomware, a sophisticated cyber adversary featuring a number of unique characteristics and a flawless extortion mechanism.

What is Spora ransomware?

In IT security terms, Spora has come to denote a violent file-encrypting ransomware. The name is a transliterated variant of the Russian word for “spore”, and the analogy is apt: the contagion is highly toxic and proliferates with a high infection rate. This malicious entity started spreading at the beginning of 2017 and has since taken root firmly enough to become one of today’s most harmful ransom Trojans. It arrives at Windows computers via a botnet that is leveraged to generate massive spam waves. The files attached to these misleading emails pretend to be invoices, scanned copies of important documents, or similar material that recipients are likely to open. In fact, the attachments are obfuscated HTA files that, once triggered, drop a JavaScript object into the Temp path of the targeted system. Another round of extraction then fires a random-named executable.
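The three-stage chain just described (the HTA handler, then a script host running a JavaScript file out of the Temp folder, then an executable launched from that same folder) is something a defender can look for in process-creation telemetry. The following Python script is an added example, not code from the original article or from any vendor. It assumes a simplified, constructed event format (pid|ppid|image|command line), assumes the HTA is executed by mshta.exe and the dropped script by wscript.exe or cscript.exe, and walks the parent chain of every executable started from the user’s Temp directory.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed process-creation events in a simplified "pid|ppid|image|command line"
# format (an assumption for this example; real telemetry such as Sysmon event 1
# carries the same fields). Paths and names are made up.
SAMPLE_EVENTS = r"""
4201|3990|C:\Windows\explorer.exe|explorer.exe
4310|4201|C:\Windows\System32\mshta.exe|mshta.exe "C:\Users\alice\Downloads\invoice_2017.hta"
4322|4310|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\AppData\Local\Temp\a1b2c3.js"
4330|4322|C:\Users\alice\AppData\Local\Temp\f8e1d0c9b7.exe|f8e1d0c9b7.exe
4400|4201|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE "C:\Users\alice\report.docx"
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host executables
HTA_HOST = "mshta.exe"                            # executes .hta applications
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def parse_events(text: str) -> dict:
    """Parse the pipe-separated sample format into a pid -> Proc map."""
    procs = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def ancestors(procs: dict, pid: int) -> list:
    """Return the parents of pid, nearest first, stopping at unknown pids or loops."""
    chain, seen = [], set()
    pid = procs[pid].ppid
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_hta_drop_chains(text: str) -> list:
    """Flag executables run from Temp whose parent is a script host started by mshta.exe.

    Each hit is the chain of image names from mshta.exe down to the executable.
    """
    procs = parse_events(text)
    hits = []
    for proc in procs.values():
        # Stage 3: an .exe launched from the user's Temp directory.
        if not (proc.name.endswith(".exe") and TEMP_DIR.search(proc.image)):
            continue
        lineage = ancestors(procs, proc.pid)
        if not lineage:
            continue
        parent = lineage[0]
        # Stage 2: the parent is a script host running a script out of Temp.
        if parent.name not in SCRIPT_HOSTS or not TEMP_DIR.search(parent.cmdline):
            continue
        # Stage 1: somewhere above the script host sits the HTA handler.
        names = [p.name for p in reversed(lineage)] + [proc.name]
        if HTA_HOST in names:
            hits.append(names[names.index(HTA_HOST):])
    return hits


if __name__ == "__main__":
    for chain in find_hta_drop_chains(SAMPLE_EVENTS):
        print("suspicious HTA drop chain:", " -> ".join(chain))
```

The Word process started by Explorer in the sample is left alone: the rule fires only when all three stages line up, which keeps it quiet on ordinary script usage while still catching a renamed dropper because it keys on the parent relationship and the Temp location rather than on any file name.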

All your work and personal files were encrypted

Spora ransomware alert

Once this routine has launched the Spora ransomware, the infection does a tricky maneuver. While the process run by the malign EXE object is scouting the plagued workstation for important data behind the scenes, the victim will see a Microsoft Word file pop up out of the blue. This document displays a warning dialog stating that the file is corrupted. This is a clever move aimed at distracting the user from what’s actually going on in the background. In the meantime, Spora is looking for data types that correspond to popular formats, such as .jpg, .jpeg, .pdf, .sqlite, .doc, .docx, .xls, .xlsx, .rar, .zip, .rtf and a slew of others. Every such file is subject to encryption with a fusion of RSA and AES cryptographic algorithms. As a result, these data entries become inaccessible. Unlike many other ransomware programs out there, the Spora virus does not modify filenames as part of the data mutilation process – there are no extra extensions added, nor is anything prepended to the original names. And yet, the victim will quickly realize that their files got broken, because the infection leaves a ransom note and a .KEY file on the desktop.

Victim dashboard called the Client Page

The decryption how-to is an HTML file whose name matches the victim ID. The latter is a unique string of 25 hexadecimal characters assigned to every contaminated computer. Having opened the ransom note, the user will be presented with a screen that says,

“All your work and personal files were encrypted
To restore data, obtaining guarantees and support,
follow the instructions in your account.”

The window contains a Personal Area section (https://spora.bz or https://spora.biz), which requires the victim to enter the above-mentioned identifier to log into their Client Page. This page is a professionally tailored user console providing language selection, different data recovery plans, the option of restoring 2 files for free, a live support section, and up-to-date information on the current payment status. It’s too bad such a user-friendly dashboard serves such a nasty purpose.

Interestingly, the Spora ransomware collects certain types of user data and, based on that, puts every victim into one of six categories. Different ransom sizes apply to each of these clusters, so the infection will demand less money from a home user than it will from an organization. What is more, the threat actors deliver quality tech support. The agents are responsive and may even disable the ransom payment deadline if the infected user agrees to leave a positive review about the service. All in all, online extortion is getting worse in terms of technical complexity and interaction with victims. Unfortunately, there is no automatic decryptor to restore files locked down by the Spora ransomware. The good news is that there are specially crafted techniques that may do the trick for some of the ciphered files.

Automatic removal of Spora ransomware virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Spora removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Spora ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Off-site backups are the most reliable remedy for a ransomware attack. If you have been keeping copies of your data in a remote location, use the restore feature provided by your backup service to bring back all encrypted items.

Option 2: Recovery tools
Research into the Spora virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Data erased from a computer does not vanish immediately; the underlying disk sectors often remain intact until they are overwritten, and recovery applications can retrieve them. This method is therefore worth a try, ideally before the affected drive sees much further write activity.

Download Data Recovery Pro

Option 3: Shadow Copies
Windows includes a technology called the Volume Snapshot Service, or VSS, which automatically takes snapshots of files or volumes. One critical prerequisite is that the System Restore feature be turned on. If it was active, and the snapshots have not been deleted since, some of the data can be recovered.

You can do this with the Previous Versions feature built into the OS, or with dedicated applications that automate the job.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Open the Previous Versions tab to view the last automatic backup that was made. Click Restore to recover the file to its original location, or click Copy and pick a new directory.
  • Shadow Explorer applet
    Managing Previous Versions of files and folders is easy with automated tools like Shadow Explorer, which is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and proceed with the restoration. Select a drive on the list, right-click the files or folders to recover, and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Spora virus scanner and remover

The post Spora ransomware: decrypt files and remove virus appeared first on Keone Software.


.crypted file virus decryption and removal tool

Learn how to minimize the risk when infected with the .crypted file extension virus and what can be done to restore the encrypted data beyond the ransom route.

Whereas the family of crypto lockers called Nemucod doesn’t exhibit any offbeat or particularly high-profile characteristics, the danger emanating from it should not be underestimated. The principal attribute that makes any given piece of ransomware successful is the correctness of the cryptographic part of its modus operandi, and the .crypted file extension variant of Nemucod is immaculate in this respect. It efficiently leverages the RSA-1024 algorithm to prevent contaminated users from accessing their personal files. Under the circumstances, the only way to unscramble the data is to get hold of the private RSA key. The threat actors who own this key offer to sell it to victims for 0.39 Bitcoins, which is equivalent to 240 USD at the time of writing. Consequently, a targeted person has to somehow deal with a bevy of inaccessible files with the .crypted string appended after the original filename and extension.

Folder with inaccessible .crypted files

Speaking of the contamination process, it is trivial in essence but has a considerable conversion rate. The entities to look out for are files attached to spam. Cybercrooks engaging in online extortion contrive ways to generate big email volumes, where the messages pose as payroll reports, invoices, traffic violation notifications, curriculum vitae documents or similar. As soon as an unsuspecting recipient double-clicks the attachment, the .crypted virus is executing on the computer within seconds. The infection then traverses the local, removable and network drives to find the most popular types of data. Once it has the list, the crypto workflow takes effect: the structure of every such file is scrambled through cryptography, with complete inaccessibility being the ultimate objective.

Decrypt.txt ransom manual

The step-by-step recovery tutorial provided by the perpetrators appears on the PC’s desktop as well as in individual folders that contain one or more encoded files. This document is titled DECRYPT.txt. It opens in Notepad and first conveys the following warning message: “All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.39983 BTC.” In a nutshell, the victim needs to create a Bitcoin wallet, buy the right amount of cryptocurrency, send it to a particular Bitcoin address, open a page that hosts the decryptor, and run the tool to restore the data. Interestingly, the decrypt pages are regular websites rather than Tor gateways, unlike most ransomware samples at large. According to the ransom note, the user must submit the digital cash within three days, otherwise the private key will supposedly be deleted from the Command and Control server.

Fortunately, there are restoration methods that do not attempt to break the extremely strong encryption. Instead, they revolve around the use of data recovery software or Shadow Volume Copies, the file backups made by the operating system.

Automatic removal of .crypted file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .crypted files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .crypted files ciphered by Nemucod ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Off-site backups are the most reliable remedy for a ransomware attack. If you have been keeping copies of your data in a remote location, use the restore feature provided by your backup service to bring back all encrypted items.

Option 2: Recovery tools
Research into the Nemucod virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Data erased from a computer does not vanish immediately; the underlying disk sectors often remain intact until they are overwritten, and recovery applications can retrieve them. This method is therefore worth a try, ideally before the affected drive sees much further write activity.

Download Data Recovery Pro

Option 3: Shadow Copies
Windows includes a technology called the Volume Snapshot Service, or VSS, which automatically takes snapshots of files or volumes. One critical prerequisite is that the System Restore feature be turned on. If it was active, and the snapshots have not been deleted since, some of the data can be recovered.

You can do this with the Previous Versions feature built into the OS, or with dedicated applications that automate the job.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Open the Previous Versions tab to view the last automatic backup that was made. Click Restore to recover the file to its original location, or click Copy and pick a new directory.
  • Shadow Explorer applet
    Managing Previous Versions of files and folders is easy with automated tools like Shadow Explorer, which is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and proceed with the restoration. Select a drive on the list, right-click the files or folders to recover, and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .crypted file ransomware scanner and remover

Readme.hta virus: decrypt Cerber 4.1.1. ransomware

The fourth generation of the Cerber ransomware is underway, dropping the Readme.hta ransom note and appending random extensions to one’s encrypted files.

The lineage of the highly dangerous Cerber ransom Trojan has recently been replenished with a new sample. The fresh spinoff has much in common with the other specimens of this family, but it also exhibits unique characteristics that allow researchers to flag it as a standalone ransomware edition. The traits with the biggest analytical value are a different take on filename mangling and a new way of instructing victims on recovery. Instead of the formerly used uniform “.cerber3” extension, this iteration appends a victim-specific random set of four hexadecimal characters to every data object that underwent enciphering. A victim may therefore see something like utTNNgp574.96b3 instead of an ordinary personal file.

Readme.hta and ciphered files are straightforward indicators of compromise

It’s unclear why this additional layer of randomization was introduced in the latest variant, but it has become an inalienable property of the Cerber ransomware. The filename scrambling, by the way, is identical to the way the predecessor handled hostage files: the Trojan replaces the original name with a gibberish 10-character string. This wouldn’t pose much of a problem if it weren’t for the fact that each file is also encrypted, so renaming the files, which seems like a no-brainer, is a no-go as far as data restoration is concerned. Cerber v4 leverages an unbreakable crypto routine to scramble one’s files. Although the Advanced Encryption Standard (AES) is considered to be weaker than the asymmetric RSA algorithm, it is still virtually impossible to crack as long as it’s implemented correctly.

Recovery steps listed on the desktop

Another new feature in the current 4.1.1 version of Cerber is the way it provides the file decryption walkthrough. The ransom manual is no longer a combo of three documents in different formats; instead, it’s a single file called Readme.hta. Because this is, in essence, an HTML application, it offers some degree of user interaction: an infected person can, for instance, select their native language inside the interface. The rest of the instructions have hardly changed. The extortionists still upsell a tool named “Cerber Decryptor” via a Tor page, so victims are told to install the Tor Browser Bundle and visit their personal page; a choice of three corresponding URLs is provided in the Readme.hta pane.

The Cerber Decryptor page displays down-to-earth details on data recovery options. The original ransom amount is 1 Bitcoin, or about 600 USD. That’s a “special price” valid for five days after the encryption event; after the deadline, the ransom doubles to 2 Bitcoin. To help the user keep track of the time left, the page contains a graphical countdown component. All in all, this is still a nearly immaculate compromise that’s hard to tackle after the fact. Fortunately, there are several applicable methods to decrypt the locked random-extension files. Keep reading this post to learn more.

Automatic removal of the Readme.hta (Cerber) virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Readme.hta virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Readme.hta ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Off-site backups are the most reliable remedy for a ransomware attack. If you have been keeping copies of your data in a remote location, use the restore feature provided by your backup service to bring back all encrypted items.

Option 2: Recovery tools
Research into the Cerber virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Data erased from a computer does not vanish immediately; the underlying disk sectors often remain intact until they are overwritten, and recovery applications can retrieve them. This method is therefore worth a try, ideally before the affected drive sees much further write activity.

Download Data Recovery Pro

Option 3: Shadow Copies
Windows includes a technology called the Volume Snapshot Service, or VSS, which automatically takes snapshots of files or volumes. One critical prerequisite is that the System Restore feature be turned on. If it was active, and the snapshots have not been deleted since, some of the data can be recovered.

You can do this with the Previous Versions feature built into the OS, or with dedicated applications that automate the job.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Open the Previous Versions tab to view the last automatic backup that was made. Click Restore to recover the file to its original location, or click Copy and pick a new directory.
  • Shadow Explorer applet
    Managing Previous Versions of files and folders is easy with automated tools like Shadow Explorer, which is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and proceed with the restoration. Select a drive on the list, right-click the files or folders to recover, and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Readme.hta virus ransomware scanner and remover

.THOR file virus ransomware decryptor and removal

The .thor extension denotes files encrypted by a new variant of Locky ransomware, which now creates _WHAT_is.html/.bmp ransom notes and demands 0.5 Bitcoins.

What is .THOR file virus?

The nuts and bolts of the illegal ransomware business are to distribute a Trojan that encrypts one’s personal data and then demand cryptocurrency for decryption. Numerous families of these infections prowl the Internet, and the Locky breed is currently at the apex of the digital extortion food chain. It has spawned five different versions since February 2016. The one dubbed Thor is the latest iteration, having emerged in late October and rapidly picked up the pace over the last few days. This edition got its name from the .thor extension that it affixes to the targeted files. Like its antecedent, it also drastically changes filenames, that is, the values that precede the extensions. Ultimately, Thor will turn a victim’s regular document, image, video or database into something like SU7DRHCB-EG3N-Y5GZ-00F1-6E1D0931FA25.thor.

_WHAT_is.html ransom note and desktop wallpaper changed by Thor virus

Recovery manuals tend to change with every new version of Locky. This new variant creates several editions of the ransom note, namely _WHAT_is.html, _WHAT_is.bmp, and _[random_number]_WHAT_is.html (e.g. _71_WHAT_is.html). The first two appear on the desktop, and the one with a numeric value in its name is added to individual folders. The essentials of these instructions include the warning proper, according to which the user’s files are encrypted with the RSA-2048 and AES-128 ciphers. Unfortunately, this is a truthful statement, so brute-forcing the private keys is not a realistic undertaking. Furthermore, the victim gets a couple of .tor2web.org and .onion.to links that resolve to the Locky Decryptor page. Be advised that these are only accessible via the Tor Browser, which anonymizes online connections.

Locky Decryptor page with ransom payment tips

The aforementioned personal page is intended to streamline the process of paying the ransom. The bad guys leverage it to upsell a tool called the Locky Decryptor, where the price may vary but usually won’t exceed 0.5 Bitcoins. The use of digital cash is another anonymization component of the extortion routine that keeps the criminals from being tracked down and busted.

The circulation of the Thor ransomware in the wild is not as technically sophisticated as one might imagine. Rather than employing complex hacking techniques, the threat actors rely on social engineering and thus exploit human vulnerabilities, so to speak. It turns out this vector has a high rate of successful malware installations. The spreading framework is a massive phishing campaign: the targeted users receive legit-looking emails camouflaged as receipts, invoices, delivery reports and the like. Once a user double-clicks the attached file, a covert VBS or JS script downloads the Thor virus to the machine. The rest of the attack is a series of obfuscated events that the victim isn’t likely to thwart: the Trojan scans the computer and the network for personal files, encrypts them and starts alerting the user via its ransom notes.

Although none of the Locky versions has been decryptable for free, and Thor is no exception, there is a glimmer of hope that users can get their files back. Use the self-help sections below to see if you can restore .thor files without paying up.

Automatic removal of the .thor virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .thor files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .thor files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
Off-site backups are the most reliable remedy for a ransomware attack. If you have been keeping copies of your data in a remote location, use the restore feature provided by your backup service to bring back all encrypted items.

Option 2: Recovery tools
Research into the Thor (Locky) virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it is actually their copies that get encrypted. Data erased from a computer does not vanish immediately; the underlying disk sectors often remain intact until they are overwritten, and recovery applications can retrieve them. This method is therefore worth a try, ideally before the affected drive sees much further write activity.

Download Data Recovery Pro

Option 3: Shadow Copies
Windows includes a technology called the Volume Snapshot Service, or VSS, which automatically takes snapshots of files or volumes. One critical prerequisite is that the System Restore feature be turned on. If it was active, and the snapshots have not been deleted since, some of the data can be recovered.

You can do this with the Previous Versions feature built into the OS, or with dedicated applications that automate the job.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Open the Previous Versions tab to view the last automatic backup that was made. Click Restore to recover the file to its original location, or click Copy and pick a new directory.
  • Shadow Explorer applet
    Managing Previous Versions of files and folders is easy with automated tools like Shadow Explorer, which is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and proceed with the restoration. Select a drive on the list, right-click the files or folders to recover, and click Export.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Thor ransomware scanner and remover

How to decrypt .zzzzz files virus: Locky/zzzzz ransomware

Files with .zzzzz extension are inaccessible because they are encrypted by the latest version of the Locky ransomware, which requests Bitcoins for decryption.

What is .zzzzz file ransomware?

It’s difficult to question the usefulness of cryptography. It has numerous benign applications in the realm of safeguarding sensitive data. The evolution of malicious software, however, turned this conventional state of things upside down. When the scourge of ransomware emerged on the computer threats arena, it became obvious that the inherent strength of cryptographic algorithms had the evil potential to wreak havoc with users’ files rather than protect them. One such data-encrypting threat, Locky, has become a buzzword denoting uncrackable ransomware on steroids. This family continuously mutates, with distinct tweaks made to its code and activity patterns every so often. In the course of the most recent update, Locky has assumed the form of a crypto infection that adds the .zzzzz extension to one’s files and drops the -INSTRUCTION.html and -INSTRUCTION.bmp ransom notes.

Multiple .zzzzz files and -INSTRUCTION.html ransom notes

The way the Locky/zzzzz ransomware infiltrates computers isn’t a matter of reinventing the wheel. Its operators are really good at social engineering, so they opt for a payload distribution tactic that relies entirely on human curiosity and gullibility. The carrier of the contagion is spam that delivers a ZIP archive with a malicious JavaScript file inside. The bad guys may disguise this attachment as a spam mailout log detailing alleged offending activity from the recipient’s email account. Other themes of these tricky messages include bogus local company representation offers, CVs, receipts, invoices, paychecks and the like. A standalone campaign is currently being conducted via Facebook, where users receive a malware-tainted .svg photo that downloads the crypto baddie when opened.
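Every family covered on this page arrives the same way: an HTA, a JavaScript or VBScript file (often zipped, often with a double extension like the “log” above), or a script-bearing SVG, attached to a mail. A mail gateway or an ingestion script can refuse such attachments before a user ever double-clicks them. The Python below is an added example and not code from the original articles; the extension list is my reading of what the write-ups describe, the attachments are constructed in memory and carry no real script, and nested ZIPs are unpacked only to a fixed depth.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment types the write-ups describe as ransomware carriers: HTA applications,
# JavaScript/VBScript downloaders (often zipped) and SVG images, which can embed
# script. The list is an assumption for this example, not a published policy.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".svg"}
MAX_ZIP_DEPTH = 3   # stop unpacking nested archives beyond this depth


def is_script_name(name: str) -> bool:
    """True if the last extension (case-insensitive) is a script type; this also
    catches double extensions such as invoice.pdf.js."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower() in SCRIPT_EXTENSIONS


def screen_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return every script-type member found in an attachment, descending into ZIPs.

    Hits are reported as a path through the archives, e.g. 'log.zip/log.txt.js'.
    """
    findings = [name] if is_script_name(name) else []
    if depth < MAX_ZIP_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                inner_name = f"{name}/{member.filename}"
                findings.extend(screen_attachment(inner_name, archive.read(member), depth + 1))
    return findings


def screen_message(attachments: dict) -> dict:
    """Map each attachment name to the list of script-type payloads it carries."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()


# Constructed attachments (placeholders, no real script or document content).
SAMPLE_ATTACHMENTS = {
    "invoice_2017.pdf": b"%PDF-1.4 constructed placeholder",
    "mail_log.zip": build_zip({
        "spam_log.txt.js": b"// constructed placeholder, not a real script",
        "readme.txt": b"plain text",
    }),
    "scan_0042.zip": build_zip({
        "inner.zip": build_zip({"scan.hta": b"<html>constructed placeholder</html>"}),
    }),
}

if __name__ == "__main__":
    for attachment, payloads in screen_message(SAMPLE_ATTACHMENTS).items():
        verdict = "BLOCK" if payloads else "allow"
        print(f"{verdict:5} {attachment} {payloads}")
```

The check deliberately looks at the innermost name rather than at the outer container, so a .js wrapped in a ZIP inside another ZIP is still reported; the depth limit keeps a deliberately deep archive from tying up the scanner.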

The Zzzzz ransomware still redirects victims to invariable Locky Decryptor page

The Zzzzz virus sweeps across a computer once the compromise has taken place. It scans the hard drive, removable media and all cloud drives for hundreds of data formats in order to locate the entries that matter most to the victim. All files that match the ransomware’s built-in list of targeted extensions then become crippled through the use of two different cryptosystems: the virus utilizes the RSA-2048 and AES-128 standards to make it impossible for the user to open, edit or otherwise process their personal files. On the outside, the changes are drastic as well: filenames get substituted with weird-looking lines of 32 hexadecimal characters suffixed by .zzzzz.

The ransomware creates the aforementioned -INSTRUCTION.html and -INSTRUCTION.bmp files on the desktop to tell the victim what they must do to decrypt their information. Additionally, a document named _[random_digits]-INSTRUCTION.html will be dropped into encrypted folders. According to these manuals, the user is supposed to download and install the Tor Browser bundle, copy and paste their personal recovery link into this anonymous web navigation client, and then follow the steps listed on the site called Locky Decryptor. In a nutshell, the buyout deal implies paying 0.5 Bitcoin to a specified cryptocurrency wallet and then downloading the automatic decryption software. No one can guarantee that the procedure will be as smooth as this, so think twice before submitting the money to the attackers. Try a few workarounds instead (see below). The applicable restoration methods revolve around forensic tools and file snapshots made by Windows earlier.

Automatic removal of the .zzzzz virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .zzzzz files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .zzzzz files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the aftermath of a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Zzzzz virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be retrieved from the storage media with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .ZZZZZ file ransomware scanner and remover

The post How to decrypt .zzzzz files virus: Locky/zzzzz ransomware appeared first on Keone Software.

OSIRIS virus: files decryption and ransomware removal

Although the authors of the new Osiris ransomware sell their decryptor to victims for Bitcoins, it may be possible to restore .osiris files in a different way.

What is OSIRIS ransomware?

The lineage of the Locky ransomware derivatives has been supplemented with another sample lately. The currently active variant of this uncrackable strain uses the .osiris extension to brand all encrypted files, hence the name of this edition. The new extension, though, is not the only change visible to the naked eye. The Osiris variant also leaves a different set of ransom notes. Unlike the previous iteration, the ransomware now uses a single format for the data recovery manual. It creates help files called OSIRIS-[4_chars].htm, where the variable string is composed of random hexadecimal characters. Yet another evident alteration is the pattern of jumbled filenames, which now consist of 5 groups of characters separated by double hyphens.

Osiris ransomware attack is a scary predicament

Just like before, the Osiris file virus replaces the victim’s desktop wallpaper with a graphical version of the ransom note. The scare effect of this activity is intended to make the infected user scrutinize the decryption steps even if they don’t open the HTM ransom notes. According to the walkthrough, the recovery presupposes that the user installs Tor Browser and visits their personal Locky Decryptor Page. The use of this particular browser, rather than a regular one, makes the traffic anonymous and therefore keeps the attackers from being tracked down.

When on the Locky Decryptor Page, the victim will see a bunch of links to Internet resources that provide Bitcoin exchange services. By purchasing 0.5 BTC and sending the cryptocurrency to the adversary’s Bitcoin address, the user will supposedly be able to get the automatic decryption tool that’s claimed to reinstate all the .osiris files on the plagued computer.

Locky Decryptor Page design

The Osiris ransomware is spreading via a social engineering hoax. The threat actors in charge have launched a massive spam campaign disseminating contagious Excel documents to thousands of people around the globe. The spreadsheet attached to these emails is disguised as an invoice. If a user chooses to open this .xls file, what they will see is a blank document that generates a security warning. This notification says that macros have been disabled and recommends that the user click the “Enable Content” button. By hitting this button, the victim unwittingly activates a macro that downloads a DLL installer of the Osiris infection.

Unfortunately, the cryptographic side of Osiris is immaculate. Therefore, there is no way to circumvent the RSA-2048 and AES-128 algorithmic hurdle unless the private RSA key is added to the mix. This decryption key resides offsite, so the attacker is the only one who has it. Nevertheless, it may be possible to get .osiris files back by means of alternative recovery mechanisms.

Automatic removal of the Osiris virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .osiris file virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .osiris files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the aftermath of a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Osiris virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be retrieved from the storage media with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Osiris ransomware scanner and remover

Decrypt Cryptolocker 2016 virus ransomware

A new 2016 version of the Cryptolocker virus is in rotation, leaving ‘Your files are locked !.txt’ ransom notes and providing email address for more instructions.

What is Cryptolocker virus?

The cybercriminals engaging in today’s most nefarious rip-off scheme don’t seem to stop coining spinoffs of Cryptolocker, one of the earliest samples of file-encrypting ransomware. Its reputation, obviously, encourages crooks to follow suit and even dub their perpetrating products the same way. The latest contrivance in the range of these copycats is a Cryptolocker variant that creates ransom notes called “Your files are locked !.txt”. The user interface of this sample also contains a couple of support emails, which may include suppteam03@india.com, suppteam03@yandex.com, suppcop@india.com, or suppcop@yandex.ru. The ransomware pane also features a ticking timer that indicates the deadline for paying the ransom so that the victim’s files can be decrypted. Interestingly, filenames do not change as a result of this attack.

New Cryptolocker ransomware window

Researchers have labeled this particular strain as PClock. It intimidates the infected users with a warning that reads

Your personal files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt your files you need to obtain the private key.

Unfortunately, this alert does reflect the actual state of things. The new Cryptolocker 2016 leverages a strong asymmetric cryptosystem that cannot be cracked unless a unique private key is at the victim’s disposal. This chunk of data resides on a criminal-controlled server. So the compromise is certainly a huge predicament that results in the inaccessibility of an infected user’s personal data.

Your files are locked !.txt ransom manual

Computer users reportedly discover that their files have become locked after they visit their usual sites, including social networks, anime web pages and other resources providing streaming content. This fact points to a drive-by vector of the attacks. Most of the time, the would-be victims get persistent popups from the page they are on. This is a way to masquerade the malicious payload as if it were some routine request that needs authorization. In some cases, though, the ransomware arrives with spam. The attachments, which are disguised as payrolls, receipts, complaints and the like, evoke the natural curiosity of the recipients. Once opened, they execute the infection.

Again, the criminals in charge of the updated Cryptolocker 2016 implement the cryptographic part of their attacks professionally. Therefore, experts have not found any algorithmic flaws as of yet, which means that data decryption isn’t possible unless the user has the relevant RSA key. The ransom walkthroughs explicated in “Your files are locked !.txt” documents tell the victim to submit 0.55-0.85 Bitcoin to their wallet. Then, the user is supposed to send an email to one of the support addresses in the ransom notes (suppteam03@india.com, suppteam03@yandex.com, suppcop@india.com, or suppcop@yandex.ru) in order to get further directions from the threat actors. Rather than start with this method, though, it’s recommended to try alternative techniques first. See below for details.

Automatic removal of Cryptolocker (Your files are locked !.txt) virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Cryptolocker removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Cryptolocker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the aftermath of a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Cryptolocker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be retrieved from the storage media with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Cryptolocker virus scanner and remover

Crypt0L0cker virus decrypt and removal tool

Get up-to-date information about the latest edition of the Crypt0L0cker ransomware and restore random 6-character extension files encrypted by this infection.

What is Crypt0L0cker ransomware?

Crypt0L0cker is one of the oldest copycats of the ransomware strain that came to denote file-encrypting malware as such. Its prototype called CryptoLocker is associated with the first major outbreak of this perpetrating software cluster in general. The original variant was discovered back in 2013, and the infrastructure behind it was dismantled in the course of a law enforcement effort dubbed Operation Tovar in May 2014. However, the malicious business model ended up moving on afterwards. The most harmful and widespread adherent of the bad craft was Crypt0L0cker, also known as TorrentLocker. Several iterations of this sample have been spotted in the wild over the past two years. One of them appended one’s files with the .encrypted extension, another one used the .enc string instead.

HOW_TO_RESTORE_FILES.html ransom note by the new Crypt0L0cker

The most recent Crypt0L0cker campaign was unleashed in late November 2016. It’s steadily gaining momentum as of now. Having encoded personal files on a computer, the infection concatenates a random 6-character extension to every ciphered entry. The original filename and extension stay unchanged, so the renaming algorithm returns a file structure like this: document.docx.nhewpz. In contrast to some of the prevalent ransomware specimens out there which completely scramble filenames, this onslaught doesn’t prevent victims from working out what items have been affected. Nevertheless, the data is encrypted with a military-grade cryptographic standard that doesn’t yield to commonplace recovery mechanisms.

Crypt0L0cker leaves ransom notes called HOW_TO_RESTORE_FILES.html and HOW_TO_RESTORE_FILES.txt. The infected users won’t find it difficult to locate them as they will appear both on the desktop and inside encrypted paths on the machine. These manuals contain the following warning:

Warning
We have encrypted your files with Crypt0L0cker virus

– a really straightforward way to explain what happened. Their main objective, though, is to instruct victims how they can get their precious data back. Those infected are essentially expected to buy the decryption for Bitcoins. The ransom is payable through a secret Tor (The Onion Router) page, with the URL being provided in the ransom notes. The recovery page indicates the amount of cryptocurrency for the buyout, which is typically somewhere between 0.5-1 BTC.

The way this crypto malady spreads is a no-brainer. The felons at the helm of the new campaign spawn numerous variants of spam emails to deliver the ransomware payload. Because these messages look like regular ISP notifications, invoices, newsletters or subscription cancellation requests, quite a few recipients get curious and open the malign attachments. This is an ambush that will get the unsuspecting user infected in no time. If Crypt0L0cker has sneaked its way into a PC, there is still a chance that the files can be restored via forensic techniques.

Automatic removal of Crypt0L0cker virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Crypt0L0cker virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Crypt0L0cker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the aftermath of a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Crypt0L0cker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be retrieved from the storage media with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Crypt0L0cker scanner and remover

.Wallet file virus: decrypt and remove Dharma ransomware

Over the past few weeks, numerous computer users have been reporting ransomware attacks where files are encrypted and appended with the .wallet extension.

The concatenation of certain strings to filenames is one of the most explicit symptoms of a crypto ransomware compromise. This tactic is used to flag data entries that the troublemaking software holds hostage. Although this is an annoying encounter, it’s merely a concomitant effect. The inaccessibility of one’s personal information poses a much more serious predicament. Nonetheless, these extensions are like fingerprints and can shed light on the specific ransomware sample a user is confronted with. By knowing the strain, it may be possible to find a data restoration workaround. The .wallet extension, for instance, denotes the so-called Dharma ransomware family. Having encoded a victim’s files, this offending code variant adds the .[email_address].wallet string to each one. For instance, a document named Manual.pdf will assume a shape like Manual.pdf.[amagnus@india.com].wallet.

Encrypted .wallet extension files

There are several other extensions in Dharma’s arsenal, including .zzzzz and .dharma proper. The .wallet suffix, however, is the most widespread one at this point. The list of email addresses prepended to this extension is fairly broad as well. It includes interlock@india.com, amagnus@india.com, stopper@india.com, pay4help@india.com, worm01@india.com, funa@india.com, bitcoin143@india.com, lavandos@india.com, and lavandos@dr.com. The explanation for this is simple: there are multiple concurrent campaigns of Dharma ransomware distribution. Therefore, different cybercriminal groups indicate their contact details right in the crooked filenames. Keep in mind that no matter how illegal this business model is, it constitutes a huge darknet economy with its own affiliates, merchants, intermediaries and other interested parties.

The payload of the .wallet file virus mostly camouflages itself as an eye-catching email attachment, such as an invoice, job offer, banking fraud alert or ISP complaint. In other words, the fraudsters try to social-engineer users into opening the rogue email attachments. As soon as a targeted person opens one of these attached documents, the built-in JavaScript or VBA script instantly sets off the infection chain. Then, the ransomware determines what is to be encrypted on the computer’s hard disk and network shares. To this end, it scans all of these directories for popular formats of data.

The email address embedded in the appended extension isn’t the only way to find out how to reach the adversary. The .wallet ransomware reiterates this information in the Readme.txt ransom notes, which are implanted into every folder with encrypted data. A copy will appear on the desktop as well. These notes with the decryption walkthrough are rather concise, only telling the victim that they got attacked and providing the email address to contact the hackers. Despite the fact that users can negotiate the size of the ransom, it normally won’t be lower than 1 Bitcoin. Instead of paying up and supporting the online extortion frenzy, first try the methods highlighted below.
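The filename and ransom-note patterns described across these posts (32 hex characters plus .zzzzz for Locky, five double-hyphen-separated groups plus .osiris, the “Your files are locked !.txt” note of Cryptolocker 2016, the random 6-character extension of Crypt0L0cker, and the .[email].wallet suffix of Dharma) are enough to triage a directory listing from a hit machine and tell which strain you are dealing with before choosing a recovery path. The following Python script is an added example written for this page, not code from Keone Software or from any of the tools it recommends; the regular expressions are reconstructed from the prose above and are an assumption, as is the constructed sample listing.

```python
import re
from collections import Counter

# Encrypted-filename patterns reconstructed from the descriptions in these posts.
# They are an assumption based on that prose, not a published signature set.
ENCRYPTED_NAME_PATTERNS = [
    # Locky/.zzzzz: 32 hexadecimal characters followed by .zzzzz
    ("Locky (.zzzzz)", re.compile(r"^[0-9A-Fa-f]{32}\.zzzzz$")),
    # Any other .zzzzz name: Dharma uses this extension as well
    ("Locky or Dharma (.zzzzz)", re.compile(r"^.+\.zzzzz$")),
    # Osiris: five character groups separated by double hyphens, then .osiris
    ("Locky (.osiris)", re.compile(r"^[0-9A-Za-z]+(?:--[0-9A-Za-z]+){4}\.osiris$")),
    # Dharma: original name + .[email_address].wallet (or .dharma)
    ("Dharma (.wallet)", re.compile(r"^.+\.\[[^\]\s]+@[^\]\s]+\]\.wallet$")),
    ("Dharma (.dharma)", re.compile(r"^.+\.dharma$")),
    # Crypt0L0cker keeps name and real extension and appends a random 6-letter one.
    # Restricting the real extension to common document types limits false positives (assumption).
    ("Crypt0L0cker (random 6-char)",
     re.compile(r"^.+\.(?:docx?|xlsx?|pdf|jpe?g|rtf|zip|rar|sqlite|txt)\.[a-z]{6}$",
                re.IGNORECASE)),
]

RANSOM_NOTE_PATTERNS = [
    # -INSTRUCTION.html / -INSTRUCTION.bmp on the desktop, _<digits>-INSTRUCTION.html in folders
    ("Locky (.zzzzz)", re.compile(r"^(?:_\d+)?-INSTRUCTION\.(?:html|bmp)$")),
    ("Locky (.osiris)", re.compile(r"^OSIRIS-[0-9A-Fa-f]{4}\.htm$")),
    ("Locky", re.compile(r"^_WHAT_is\.bmp$")),
    ("Cryptolocker 2016 (PClock)", re.compile(r"^Your files are locked !\.txt$")),
    ("Crypt0L0cker", re.compile(r"^HOW_TO_RESTORE_FILES\.(?:html|txt)$")),
    # Dharma's Readme.txt is deliberately left out: the name is too generic to act on alone.
]


def classify_name(name):
    """Return ("note" | "encrypted", family) for a basename matching a known pattern, else None."""
    for family, pattern in RANSOM_NOTE_PATTERNS:
        if pattern.match(name):
            return ("note", family)
    for family, pattern in ENCRYPTED_NAME_PATTERNS:
        if pattern.match(name):
            return ("encrypted", family)
    return None


def triage(paths):
    """Count hits per (kind, family) over a list of full paths, e.g. an exported directory listing."""
    counts = Counter()
    for path in paths:
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        hit = classify_name(basename)
        if hit:
            counts[hit] += 1
    return counts


# Constructed sample listing (hypothetical paths; the email address comes from the post above).
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\-INSTRUCTION.html",
    r"C:\Users\alice\Documents\_8413-INSTRUCTION.html",
    r"C:\Users\alice\Documents\0F1E2D3C4B5A69788796A5B4C3D2E1F0.zzzzz",
    r"C:\Users\alice\Pictures\A1B2C3D4--E5F6--0011--2233--445566778899.osiris",
    r"C:\Users\alice\Pictures\OSIRIS-1A2B.htm",
    r"C:\Users\bob\Desktop\Your files are locked !.txt",
    r"D:\share\report.docx.nhewpz",
    r"D:\share\HOW_TO_RESTORE_FILES.txt",
    r"D:\share\Manual.pdf.[amagnus@india.com].wallet",
    r"D:\share\quarterly.xlsx",  # untouched file, must not match anything
]

if __name__ == "__main__":
    for (kind, family), n in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{kind:9} {family:30} {n}")
```

Ransom-note names are checked before encrypted-file patterns because a note such as _8413-INSTRUCTION.html would otherwise never be recognised as a note, and the strict 32-hex .zzzzz rule sits above the generic .zzzzz rule so that a Locky-shaped name is not reported as ambiguous. A bare .zzzzz hit with no Locky-style name is reported as “Locky or Dharma”, which is exactly the case where you want to look at the ransom notes before deciding.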

Automatic removal of the .wallet file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .wallet file virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .wallet files ciphered by the Dharma ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the aftermath of a ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the .wallet virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be retrieved from the storage media with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. Select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .wallet ransomware scanner and remover

RSA-2048 and AES-128 ciphers ransomware: decrypt and restore

When a ransomware variant called Locky infects a computer, it displays a warning message saying that all files are encrypted with RSA-2048 and AES-128 ciphers.

There are ransomware attack occurrences where online crooks deliberately exaggerate the strength of data encryption in order to make the predicament look scarier than it actually is. Inflating the entropy of the decryption key is a prime example of this manipulation. What about the Locky ransomware case? This strain replaces a victim’s desktop wallpaper with the _WHAT_is.bmp image that says,

“All of your files are encrypted with RSA-2048 and AES-128 ciphers”

Is this alert true? Unfortunately yes. The Locky cyber-baddie first applies the symmetric AES (Advanced Encryption Standard) cryptosystem, which generates a secret key used for encrypting and decrypting alike. To keep this AES key from being retrieved by the victim, the ransomware then encrypts it with the asymmetric RSA-2048 algorithm, which is even tougher to crack.

RSA-2048 and AES-128 ciphers as part of the intimidation tactic

It’s quite easy to avoid the Locky ransomware, because its intrusion usually requires certain direct action on a user’s end. More specifically, the contamination won’t take place unless a potential prey opens a booby-trapped email attachment. This infection paradigm involves a botnet-powered spam campaign and malicious scripts delivered with these phishing emails. The payload proper arrives with a ZIP file disguised as a receipt, curriculum vitae, bill, invoice, order information, cancellation request, or job offer. When an unsuspecting recipient unpacks this archive, they will see a random-named JS or VBS file. Once double-clicked, this script triggers the perpetrating code execution routine. Long story short, all it takes to stay away from this crypto infection is to click responsibly, especially when it comes to email attachments.

Locky Decryptor page containing ransom info

Before Locky gets down to encrypting one’s data, it determines what exactly is subject to this encryption. To do so, the ransomware silently scans the hard disk, removable drives and network shares, comparing every file it encounters against a built-in database of popular extensions. Having thus worked out what to scramble, the offending program makes the files inaccessible through the use of the aforementioned RSA-2048 and AES-128 cryptographic standards. Filenames get replaced with 32 characters that are followed by the .zepto, .odin, .thor, .osiris etc. extensions.

Ransom notes called _WHAT_is.html and _WHAT_is.bmp will appear on the desktop and inside affected folders. Their purpose is to notify the infected user what they must do to decrypt their personal data. The final destination in this extortion webwork is a Tor gateway titled the “Locky Decryptor page”. It provides the victim with down-to-earth details regarding the ransom size and the ways to pay it. The amount is typically 0.5 BTC, which equals 357 USD at this point. Every victim who is unwilling to pay this ransom – hopefully that’s the overwhelming majority – should follow some of the best practices of white hat file recovery.

Automatic removal of the RSA-2048 and AES-128 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download RSA-2048 and AES-128 ransomware removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files encrypted with RSA-2048 and AES-128 ciphers

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the RSA-2048 and AES-128 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download RSA-2048 and AES-128 ciphers virus remover

The post RSA-2048 and AES-128 ciphers ransomware: decrypt and restore appeared first on Keone Software.

Spora ransomware: decrypt files and remove virus

Learn how to handle the Spora ransomware, a sophisticated cyber adversary featuring a number of unique characteristics and a flawless extortion mechanism.

What is Spora ransomware?

In IT security terms, Spora has come to denote a violent file-encrypting ransomware. The name is a transliterated variant of a Russian word for “spore”. The conceptual ties are obvious for victims and malware researchers. The contagion is very toxic and it proliferates with a high infection rate. This malicious entity started spreading at the beginning of 2017 and has since taken root firmly enough to become one of today’s most harmful ransom Trojans. It arrives at Windows computers via a botnet that’s leveraged to generate massive spam waves. The files attached to these misleading emails pretend to be invoices, scanned copies of important documents, or similar subjects that recipients are likely to get interested in opening. In fact, the attachments are obfuscated HTA files that, once triggered, drop a JavaScript object into the Temp path of a targeted system. Then, another round of extraction results in firing a random-named executable.

All your work and personal files were encrypted

Spora ransomware alert

Once this routine has launched the Spora ransomware, the infection does a tricky maneuver. While the process run by the malign EXE object is scouting the plagued workstation for important data behind the scenes, the victim will see a Microsoft Word file pop up out of the blue. This document displays a warning dialog stating that the file is corrupted. This is a clever move aimed at distracting the user from what’s actually going on in the background. In the meantime, Spora is looking for data types that correspond to popular formats, such as .jpg, .jpeg, .pdf, .sqlite, .doc, .docx, .xls, .xlsx, .rar, .zip, .rtf and a slew of others. Every such file is subject to encryption with a fusion of RSA and AES cryptographic algorithms. As a result, these data entries become inaccessible. Unlike many other ransomware programs out there, the Spora virus does not modify filenames as part of the data mutilation process – there are no extra extensions added, nor is anything prepended to the original names. And yet, the victim will quickly realize that their files got broken, because the infection leaves a ransom note and a .KEY file on the desktop.

Victim dashboard called the Client Page

The decryption how-to is an HTML file whose name matches the victim ID. The latter is a unique string of 25 hexadecimal characters assigned to every contaminated computer. Having opened the ransom note, the user will be presented with a screen that says,

“All your work and personal files were encrypted
To restore data, obtaining guarantees and support,
follow the instructions in your account.”

The window contains a Personal Area section (https://spora.bz or https://spora.biz), which requires that the victim enter the above-mentioned identifier to log into their Client Page. This page is a professionally tailored user console providing language selection, different data recovery plans, the option of restoring 2 files for free, a live support section, and up-to-date information on the current payment status. It’s too bad such a user-friendly dashboard serves such a nasty purpose.

Interestingly, the Spora ransomware collects certain types of user data and, based on that, puts every victim into one of six categories. Different ransom sizes apply to each of these clusters, so the infection will demand less money from a home user than it will from an organization. What is more, the threat actors deliver quality tech support. The agents are responsive and may even disable the ransom payment deadline if the infected user agrees to leave a positive review about the service. All in all, online extortion is getting worse in terms of technical complexity and interaction with victims. Unfortunately, there is no automatic decryptor to restore files locked down by the Spora ransomware. The good news is that there are specially crafted techniques that may do the trick for some of the ciphered files.

Automatic removal of Spora ransomware virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Spora removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Spora ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of Spora virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Spora virus scanner and remover

The post Spora ransomware: decrypt files and remove virus appeared first on Keone Software.

.bip file ransomware decryptor: remove buydecrypt@qq.com virus

Learn how the buydecrypt@qq.com ransomware manifests itself on a computer and get an efficient workaround to decrypt the scrambled .bip extension files.

No matter how sentimental and touching the string .bip may sound, it is the extension appended by a truculent ransom Trojan that also drops an HTA application as its ransom note. The parental contagion is called the Dharma, or Crysis, ransomware. This Delphi-based intruder sprinkles its ransom notes all over the computer that it infects. A copy of the Info.hta file will definitely be created on the desktop as well as inside all folders whose contents were subject to encryption. Other than the cartoonish warning interface (see screenshot below), the perpetrating program under consideration is fairly mundane. It utilizes a rather strong cryptographic standard to lock down a victim’s important files. These entries are easy to tell from the unaffected ones as they all have the .bip extension.

[buydecrypt@qq.com] - .bip file ransomware

Contents of the Info.hta window

The Trojan appends this string to the original full filenames. For instance, it will transform a sample PowerPoint presentation named Flowchart.pptx into Flowchart.pptx.bip. Earlier versions of this ransomware used the .pegs1, .rare1, .mrcr1, or .rmcm1 extension. Appending certain characters to skewed files is common practice with data-encrypting maladies, providing a unique, fingerprintable attribute that allows differentiating one strain from another.

The .bip virus contaminates computers via spam. The campaign revolves around emails carrying malicious JavaScript or EXE files. The attackers may leverage a double extension trick, where a harmless-looking PDF document is actually an obfuscated executable. The themes of these emails are catchy enough to encourage recipients into opening the attachments. For instance, it may be a fake consumer complaint notification from the Federal Trade Commission, a receipt, or a cancellation request that requires urgent action by the user. Once the booby-trapped file is loaded, the buydecrypt@qq.com ransomware stealthily hops inside the system and starts looking for potentially valuable data. Everything it finds then gets encoded with a custom cryptosystem and stained with the .bip extension. The next phase is to let the victim know why they cannot access their photos, documents, videos and other personal data entities.

The Info.hta application displays the warning proper, the time left before the decryption key is erased, and the malefactors’ contact details. The latter part includes the buydecrypt@qq.com email address and the @buydecrypt Telegram ID. By getting in touch with the bad guys, a victim will learn the amount of Bitcoin they need to send for recovery, the BTC wallet address, and the actual decryption steps to follow after the ransom has been submitted. Of course no one is willing to go through the painful buyout process. Luckily, the instructions below may allow those infected to avoid the worst-case scenario with the .bip ransomware.

Automatic removal of .bip file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download BIP removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the buydecrypt@qq.com ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of .bip file virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .BIP virus scanner and remover

The post .bip file ransomware decryptor: remove buydecrypt@qq.com virus appeared first on Keone Software.

.THOR file virus ransomware decryptor and removal

The .thor extension denotes files encrypted by a new variant of Locky ransomware, which now creates _WHAT_is.html/.bmp ransom notes and demands 0.5 Bitcoins.

What is .THOR file virus?

The illegal ransomware business boils down to distributing a Trojan that encrypts one’s personal data and then demanding cryptocurrency for decryption. There are numerous families of these infections prowling the Internet. The Locky breed is currently at the apex of the digital extortion food chain. It has spawned five different versions since February 2016. The one dubbed Thor is the latest iteration, having emerged in late October and rapidly picking up the pace over the last few days. This edition got its name from the .thor extension that it affixes to the targeted files. Like its antecedent, it also drastically changes filenames, that is, the values that precede the extensions. Ultimately, Thor will turn a victim’s regular document, image, video or database into something like SU7DRHCB-EG3N-Y5GZ-00F1-6E1D0931FA25.thor.

_WHAT_is.html ransom note and desktop wallpaper changed by Thor virus

Recovery manuals tend to change with every new version of Locky. Its new sockpuppet creates several editions of the ransom notes, namely _WHAT_is.html, _WHAT_is.bmp, and _[random_number]_WHAT_is.html (e.g. _71_WHAT_is.html). The first two will appear on the desktop, and the one with a numeric value in its name is added to individual folders. The essentials of these instructions include the warning proper, according to which the user’s files are encrypted with RSA-2048 and AES-128 ciphers. Unfortunately, this is a truthful statement, therefore brute-forcing the private keys is not a realistic undertaking. Furthermore, the victim gets a couple of .tor2web.org and .onion.to links that resolve to the Locky Decryptor page. Be advised these are only accessible via the Tor Browser, which anonymizes online connections.

Locky Decryptor page with ransom payment tips

The aforementioned personal page is intended to streamline the process of paying the ransom. The bad guys leverage it to upsell a tool called the Locky Decryptor, where the price may vary but usually won’t exceed 0.5 Bitcoins. The use of digital cash is another anonymization component of the extortion routine that keeps the criminals from being tracked down and busted.

The circulation of the Thor ransomware in the wild is not as technically sophisticated as one might imagine. Rather than employ complex hacking techniques, the threat actors rely on social engineering and thus exploit human vulnerabilities, so to speak. It turns out, this vector has a high rate of successful malware installations. The spreading framework engages a massive phishing campaign. The targeted users receive legit-looking emails camouflaged as receipts, invoices, delivery reports and the like. Once a user double-clicks on the attached file, a covert VBS or JS script will download the Thor virus to the machine. The rest of the attack is mostly a matter of a series of obfuscated events that the victim isn’t likely to thwart. The Trojan scans the computer and the network for personal files, encrypts them and starts alerting the user via its ransom notes.

Although none of the Locky versions has been decryptable for free, and Thor is no exception, there is a glimmer of hope that users can get their files back. Use the self-help sections below to see if you can restore .thor files without paying up.

Automatic removal of the .thor virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .thor files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .thor files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of Thor (Locky) virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature turned on. If it has been active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.
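Before working through Previous Versions or Shadow Explorer it is worth confirming that VSS actually holds a snapshot for the volume in question; if `vssadmin list shadows` reports none, this option can be skipped in favour of the others. The following script is an added example (not code from Keone Software or from Shadow Explorer) that parses the output of the Windows `vssadmin list shadows` command and reports snapshots per drive letter. The sample output embedded below is constructed for illustration (GUIDs, hostname and timestamps are placeholders), and the field layout it assumes is that of the standard vssadmin listing; `list_shadows_live` runs the real command, which needs an elevated prompt on Windows.

```python
"""Parse `vssadmin list shadows` output to see which volumes have VSS snapshots.

Added example, not code from Keone Software. The embedded sample output is
constructed; the parser keys on the standard vssadmin field names.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed sample: one set with a single C: snapshot, one set with C: and D:.
# Secondary fields (Originating Machine, Provider, ...) are shown once; the parser ignores them.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 1/12/2017 9:03:15 PM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-0000-4000-8000-000000000002}
   Contained 2 shadow copies at creation time: 1/14/2017 7:30:02 AM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000003}
         Original Volume: (D:)\\?\Volume{dddddddd-0000-4000-8000-000000000002}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

# Constructed: what vssadmin prints when there are no snapshots at all.
NO_SHADOWS_OUTPUT = "vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n\nNo items found that satisfy the query.\n"

_CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
_SHADOW_ID = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
_ORIG_VOL = re.compile(r"Original Volume:\s*\((\w:)\)")
_SHADOW_VOL = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per shadow copy: id, creation time, drive letter, device path."""
    entries: List[Dict[str, Optional[str]]] = []
    created: Optional[str] = None
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = _CREATED.search(line)
        if m:
            created = m.group(1)  # applies to every copy in this set
            continue
        m = _SHADOW_ID.search(line)
        if m:
            current = {"shadow_id": m.group(1), "created": created, "volume": None, "device": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = _ORIG_VOL.search(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = _SHADOW_VOL.search(line)
        if m:
            current["device"] = m.group(1)
    return entries


def snapshots_by_volume(entries: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count snapshots per drive letter, e.g. {'C:': 2, 'D:': 1}."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["volume"]:
            counts[e["volume"]] = counts.get(e["volume"], 0) + 1
    return counts


def has_snapshot(entries: List[Dict[str, Optional[str]]], volume: str) -> bool:
    """True if Previous Versions has anything to offer for this drive letter."""
    return volume.upper() in snapshots_by_volume(entries)


def list_shadows_live() -> List[Dict[str, Optional[str]]]:
    """Run vssadmin on a Windows host (elevated prompt required) and parse its output."""
    if sys.platform != "win32":
        raise RuntimeError("vssadmin exists only on Windows; feed saved output to parse_vssadmin instead")
    out = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=False)
    return parse_vssadmin(out.stdout)


if __name__ == "__main__":
    for vol, n in sorted(snapshots_by_volume(parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT)).items()):
        print(f"{vol} has {n} snapshot(s)")
```

On a live machine, run `list_shadows_live()` from an administrator prompt and check `has_snapshot(entries, "C:")` before spending time in the Previous Versions tab; a drive with zero snapshots has nothing for either Previous Versions or Shadow Explorer to show.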

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Thor ransomware scanner and remover

The post .THOR file virus ransomware decryptor and removal appeared first on Keone Software.

How to decrypt .zzzzz files virus: Locky/zzzzz ransomware

Files with .zzzzz extension are inaccessible because they are encrypted by the latest version of the Locky ransomware, which requests Bitcoins for decryption.

What is .zzzzz file ransomware?

It’s difficult to question the usefulness of cryptography. It has numerous benign applications in the realm of safeguarding sensitive data. The evolution of malicious software, however, caused this conventional state of things to turn upside down. When the scourge of ransomware emerged on the computer threats arena, it became obvious that the inherent strength of cryptographic algorithms had the evil potential to wreak havoc with users’ proprietary files rather than protect them. One of the data-encrypting hoaxes called Locky has become a buzzword that denotes an uncrackable ransomware on steroids. This family tends to continuously mutate, with distinct tweaks being made to its code and activity patterns every so often. In the course of the most recent update, Locky has assumed the form of a crypto infection that adds the .zzzzz extension to one’s files and drops the -INSTRUCTION.html and -INSTRUCTION.bmp ransom notes.

Multiple .zzzzz files and -INSTRUCTION.html ransom notes

The way the Locky/zzzzz ransomware infiltrates computers isn’t a matter of reinventing the wheel. Its operators are really good at social engineering, so they opt for a payload distribution tactic that relies entirely on human curiosity and gullibility. The carrier of the contagion is spam that delivers a ZIP archive with a malicious JavaScript file inside. The bad guys may disguise this attachment as a spam mailout log detailing the alleged offending activity from the recipient’s email account. There are other themes of these tricky messages, including bogus local company representation offers, CVs, receipts, invoices, paychecks and the like. A standalone campaign is being currently conducted via Facebook, where users receive a malware-tainted .svg photo that downloads the crypto baddie when opened.
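Every post on this page describes the same delivery mechanism: a spam email whose attachment is a ZIP holding a JS or VBS script, an HTA file, an executable hiding behind a document-style double extension such as a fake PDF, or (for this variant) an .svg image. The following script is an added example, not code from Keone Software or from any product it links, showing how a mail gateway or triage script can apply that knowledge as a policy: it judges an attachment by its extension, unpacks ZIPs in memory to judge their members, and treats a ZIP that will not parse as suspect. The extension sets and the sample attachments are constructed assumptions for illustration.

```python
"""Attachment triage for the lures described in these posts.

Added example, not code from Keone Software or any of the tools it links.
The policy sets below (which extensions count as script or executable
carriers, which document extensions front a double extension) are
assumptions chosen for illustration; tune them to your environment.
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Carriers named across the posts: JS/VBS droppers, HTA attachments, EXE payloads
BLOCK_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr"}
# The .svg lure is mentioned for Facebook; flag it for review rather than block outright
REVIEW_EXTS = {"svg"}
# Harmless-looking document types used as the front half of a double extension
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"zip"}
_SEVERITY = {"allow": 0, "review": 1, "block": 2}


def _name_parts(path: str) -> List[str]:
    """Lower-cased dot-separated parts of the final path component."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")


def judge_name(name: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one filename: 'block', 'review' or 'allow'."""
    parts = _name_parts(name)
    if len(parts) < 2 or not parts[-1]:
        return ("review", "no file extension")
    ext = parts[-1]
    if ext in BLOCK_EXTS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return ("block", f"double extension: looks like .{parts[-2]} but runs as .{ext}")
        return ("block", f"script or executable attachment (.{ext})")
    if ext in REVIEW_EXTS:
        return ("review", f"scriptable image format (.{ext})")
    return ("allow", f"ordinary .{ext} attachment")


def judge_zip(data: bytes) -> List[Tuple[str, str, str]]:
    """Judge every member of a ZIP held in memory.
    Raises zipfile.BadZipFile if the bytes are not a ZIP at all."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = judge_name(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def judge_attachment(name: str, data: bytes) -> Tuple[str, str]:
    """Judge one attachment. A ZIP takes the verdict of its worst member,
    which catches the 'receipt.zip containing one .js file' pattern."""
    if _name_parts(name)[-1] in ARCHIVE_EXTS:
        try:
            members = judge_zip(data)
        except zipfile.BadZipFile:
            return ("block", "named .zip but does not parse as a ZIP archive")
        if not members:
            return ("review", "empty archive")
        worst = max(members, key=lambda m: _SEVERITY[m[1]])
        return (worst[1], f"{worst[0]}: {worst[2]}")
    return judge_name(name)


def build_sample_zip(members: Dict[str, str]) -> bytes:
    """Constructed fixture: an in-memory ZIP with the given member names and text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, text in members.items():
            zf.writestr(member, text)
    return buf.getvalue()


def triage_samples() -> Dict[str, Tuple[str, str]]:
    """Constructed attachments mirroring the lure names the posts list."""
    samples = {
        "invoice_0042.zip": build_sample_zip({"invoice_0042.js": "// constructed placeholder, not a dropper"}),
        "Receipt.pdf.exe": b"MZ constructed placeholder bytes",
        "cv_jane_doe.docx": b"PK constructed placeholder bytes",
        "photo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'/>",
        "report.zip": build_sample_zip({"report/summary.pdf": "constructed placeholder"}),
        "order_details.zip": b"not really a zip",
    }
    return {name: judge_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage_samples().items():
        print(f"{verdict:6} {name}: {reason}")
```

Judging by filename is deliberately cheap and catches exactly the lures these posts describe; it is a first gate, not a replacement for scanning the bytes, and a ZIP that fails to parse is blocked rather than allowed because a mangled archive is more often a delivery trick than a user error.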

The Zzzzz ransomware still redirects victims to invariable Locky Decryptor page

The Zzzzz virus literally fleets across a computer once the compromise has taken place. It scans the hard drive, removable media and all cloud drives for hundreds of data formats in order to locate the entries that matter to the victim the most. All files that match the ransomware’s built-in list of targeted extensions then become crippled through the use of two different cryptosystems. The virus utilizes the RSA-2048 and AES-128 standards to make it impossible for the user to open, edit or otherwise process their personal files. On the outside, the changes are drastic as well: filenames get substituted with weird-looking lines of 32 hexadecimal chars suffixed by .zzzzz.

The ransomware creates the aforementioned -INSTRUCTION.html and -INSTRUCTION.bmp files on the desktop to tell the victim what they must do to decrypt their information. Additionally, a document named _[random_digits]-INSTRUCTION.html will be dropped into encrypted folders. According to these manuals, the user is supposed to download and install the Tor Browser bundle, copy and paste their personal recovery link into this anonymous web navigation client, and then follow the steps listed on the site called Locky Decryptor. In a nutshell, the buyout deal implies paying 0.5 Bitcoin to a specified cryptocurrency wallet and then downloading the automatic decryption software. No one can guarantee that the procedure will be as smooth as this, so think twice before submitting the money to the attackers. Try a few workarounds instead (see below). The applicable restoration methods revolve around forensic tools and file snapshots made by Windows earlier.
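The naming conventions these posts describe are what an incident responder uses to tell the families apart on a compromised share: Locky rewrites the whole base name and appends .zepto/.odin/.thor/.osiris/.zzzzz and drops _WHAT_is or -INSTRUCTION notes, Dharma keeps the original name and appends .bip (or .wallet and the earlier extensions) next to an Info.hta note, and Spora leaves names alone but leaves a 25-hex-character victim ID .html note plus a .KEY file. The script below is an added example, not code from Keone Software, that classifies a directory listing by those artifacts. The exact name shape for Locky (8-4-4-4-12 uppercase letters or digits) is taken from the sample name in the Thor post and is an assumption; the victim ID in the sample listing is constructed.

```python
"""Flag filenames that match the ransomware artifacts described on this page.

Added example, not code from Keone Software. Patterns follow the naming the
posts describe; the 8-4-4-4-12 Locky name shape is inferred from the page's
sample SU7DRHCB-EG3N-Y5GZ-00F1-6E1D0931FA25.thor and is an assumption.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

LOCKY_EXTS = ("zepto", "odin", "thor", "osiris", "zzzzz")
DHARMA_EXTS = ("bip", "pegs1", "rare1", "mrcr1", "rmcm1", "wallet")

# Locky rewrites the whole base name: 32 uppercase alphanumerics in 8-4-4-4-12 groups.
_LOCKY_FILE = re.compile(
    r"^[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}"
    r"\.(?:" + "|".join(LOCKY_EXTS) + r")$"
)
# _WHAT_is.html / _71_WHAT_is.html and -INSTRUCTION.html / _12-INSTRUCTION.html (.bmp variants too)
_LOCKY_NOTE = re.compile(r"^(?:_\d+)?(?:_WHAT_is|-INSTRUCTION)\.(?:html|bmp)$")
# Dharma keeps the original name and extension and appends its own, e.g. Flowchart.pptx.bip
_DHARMA_FILE = re.compile(r"^.+\.[A-Za-z0-9]+\.(?:" + "|".join(DHARMA_EXTS) + r")$")
_DHARMA_NOTE = re.compile(r"^Info\.hta$", re.IGNORECASE)
# Spora does not rename files; its note is <25-hex victim ID>.html, and a .KEY file sits beside it
_SPORA_NOTE = re.compile(r"^[0-9A-Fa-f]{25}\.html$")
_SPORA_KEY = re.compile(r"\.key$", re.IGNORECASE)  # weak on its own; assumed name shape


def classify(name: str) -> Optional[Tuple[str, str]]:
    """Return (family, kind) for a bare filename, or None if it looks untouched."""
    if _LOCKY_FILE.match(name):
        return ("locky", "encrypted-file")
    if _LOCKY_NOTE.match(name):
        return ("locky", "ransom-note")
    if _DHARMA_FILE.match(name):
        return ("dharma", "encrypted-file")
    if _DHARMA_NOTE.match(name):
        return ("dharma", "ransom-note")
    if _SPORA_NOTE.match(name):
        return ("spora", "ransom-note")
    if _SPORA_KEY.search(name):
        return ("spora", "key-file")
    return None


def scan(names: Iterable[str]) -> Counter:
    """Count hits per (family, kind) over a directory listing."""
    return Counter(hit for hit in map(classify, names) if hit)


def likely_families(counts: Counter) -> List[str]:
    """Families backed by a ransom note or a renamed file; a lone .key hit is too weak."""
    strong = {fam for (fam, kind), n in counts.items() if n and kind in ("ransom-note", "encrypted-file")}
    return sorted(strong)


# Constructed listing mixing the page's own sample names with untouched files.
SAMPLE_LISTING = [
    "Flowchart.pptx",                                # untouched
    "Flowchart.pptx.bip",                            # Dharma: original name kept, .bip appended
    "Info.hta",                                      # Dharma note
    "SU7DRHCB-EG3N-Y5GZ-00F1-6E1D0931FA25.thor",     # Locky/Thor sample from the page
    "_WHAT_is.html", "_71_WHAT_is.html", "_WHAT_is.bmp",
    "-INSTRUCTION.html", "_12-INSTRUCTION.html",
    "0123456789abcdef012345678.html",                # Spora note: constructed 25-hex victim ID
    "notes.txt",                                     # untouched
]


if __name__ == "__main__":
    counts = scan(SAMPLE_LISTING)
    for (family, kind), n in sorted(counts.items()):
        print(f"{family:7} {kind:15} {n}")
    print("likely families:", ", ".join(likely_families(counts)))
```

Run it over `os.listdir()` of the desktop and a few affected folders; the note patterns are the decisive signal, because a renamed file tells you a strain was active while the note tells you which recovery instructions and which decryptor (if any) apply.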

Automatic removal of the .zzzzz virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .zzzzz files virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .zzzzz files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Zzzzz virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it was active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .ZZZZZ file ransomware scanner and remover

The post How to decrypt .zzzzz files virus: Locky/zzzzz ransomware appeared first on Keone Software.

OSIRIS virus: files decryption and ransomware removal

Although the authors of the new Osiris ransomware sell their decryptor to victims for Bitcoins, it may be possible to restore .osiris files in a different way.

What is OSIRIS ransomware?

The lineage of the Locky ransomware derivatives has been supplemented with another sample lately. The currently active variant of this uncrackable strain uses the .osiris extension to brand all encrypted files, hence the name of the edition. The new extension, though, is not the only change visible to the naked eye. The Osiris variant also leaves a different set of ransom notes. As opposed to the previous iteration, the ransomware now uses a single format for the data recovery manual. It creates help files called OSIRIS-[4_chars].htm, where the variable string is composed of random hexadecimal characters. Yet another evident alteration is the pattern of jumbled filenames, which now consist of 5 groups of characters separated by double hyphens.

Osiris ransomware attack is a scary predicament

Just like before, the Osiris file virus embeds a graphical edition of the ransom note into the victim’s preferred desktop wallpaper. The scary effect from this activity is intended to make the infected user scrutinize the decryption steps even if they don’t open the HTM ransom notes. According to the walkthrough, the recovery presupposes that the user installs Tor Browser and visits their personal Locky Decryptor Page. The use of this particular browser, rather than a regular one, makes the traffic anonymous and therefore keeps the attackers from being tracked down.

When on the Locky Decryptor Page, the victim will see a bunch of links to Internet resources that provide Bitcoin exchange services. By purchasing 0.5 BTC and sending the cryptocurrency to the adversary’s Bitcoin address, the user will supposedly be able to get the automatic decryption tool that’s claimed to reinstate all the .osiris files on the plagued computer.

Locky Decryptor Page design

The Osiris ransomware is spreading via a social engineering hoax. The threat actors in charge have launched a massive spam campaign disseminating contagious Excel documents to thousands of people around the globe. The spreadsheet attached to these emails is disguised as an invoice. If a user chooses to open this .xls file, what they will see is a blank document that generates a security warning. This notification says that macros have been disabled and recommends that the user click the “Enable Content” button. By hitting this button, the victim unwittingly activates a macro that downloads a DLL installer of the Osiris infection.

Unfortunately, the cryptographic side of Osiris is immaculate. Therefore, there is no way to circumvent the RSA-2048 and AES-128 algorithmic hurdle unless the private RSA key is added to the mix. This decryption key resides offsite, so the attacker is the only one who has it. Nevertheless, it may be possible to get .osiris files back by means of alternative recovery mechanisms.

Automatic removal of the Osiris virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .osiris file virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .osiris files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Osiris virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it was active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Osiris ransomware scanner and remover

The post OSIRIS virus: files decryption and ransomware removal appeared first on Keone Software.


Decrypt Cryptolocker 2016 virus ransomware

A new 2016 version of the Cryptolocker virus is in rotation, leaving ‘Your files are locked !.txt’ ransom notes and providing email address for more instructions.

What is Cryptolocker virus?

The cybercriminals engaging in today’s most nefarious rip-off scheme don’t seem to stop coining spinoffs of Cryptolocker, one of the earliest samples of file-encrypting ransomware. Its reputation, obviously, encourages crooks to follow suit and even dub their perpetrating products the same way. The latest contrivance in the range of these copycats is a Cryptolocker variant that creates ransom notes called “Your files are locked !.txt”. The user interface of this sample also contains a couple of support emails, which may include suppteam03@india.com, suppteam03@yandex.com, suppcop@india.com, or suppcop@yandex.ru. The ransomware pane also features a ticking timer that indicates the deadline for paying the ransom so that the victim’s files can be decrypted. Interestingly, filenames do not change as a result of this attack.

New Cryptolocker ransomware window

Researchers have labeled this particular strain as PClock. It intimidates the infected users with a warning that reads

Your personal files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt your files you need to obtain the private key.

Unfortunately, this alert does reflect the actual state of things. The new Cryptolocker 2016 leverages a strong asymmetric cryptosystem that cannot be cracked unless a unique private key is at the victim’s disposal. This chunk of data resides on the criminal-controlled server. So the compromise is certainly a huge predicament that results in the inaccessibility of an infected user’s personal data.

Your files are locked !.txt ransom manual

Computer users reportedly discover that their files have become locked after they visit their usual sites, including social networks, anime web pages and other resources providing streaming content. This fact points to a drive-by vector of the attacks. Most of the time, the would-be victims get persistent popups from the page they are on. This is a way to masquerade the malicious payload as if it were some routine request that needs authorization. In some cases, though, the ransomware arrives with spam. The attachments, which are disguised as payrolls, receipts, complaints and the like, evoke the recipients’ natural curiosity. Once opened, they execute the infection.

Again, the criminals in charge of the updated Cryptolocker 2016 implement the cryptographic part of their attacks professionally. Therefore, experts have not found any algorithmic flaws as of yet, which means that data decryption isn’t possible unless the user has the relevant RSA key. The ransom walkthroughs explicated in “Your files are locked !.txt” documents tell the victim to submit 0.55-0.85 Bitcoin to their wallet. Then, the user is supposed to send an email to one of the support addresses in the ransom notes (suppteam03@india.com, suppteam03@yandex.com, suppcop@india.com, or suppcop@yandex.ru) in order to get further directions from the threat actors. Rather than start with this method, though, it’s recommended to try alternative techniques first. See below for details.

Automatic removal of Cryptolocker (Your files are locked !.txt) virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Cryptolocker removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Cryptolocker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Cryptolocker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it was active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Cryptolocker virus scanner and remover

The post Decrypt Cryptolocker 2016 virus ransomware appeared first on Keone Software.

Crypt0L0cker virus decrypt and removal tool

Get up-to-date information about the latest edition of the Crypt0L0cker ransomware and restore random 6-character extension files encrypted by this infection.

What is Crypt0L0cker ransomware?

Crypt0L0cker is one of the oldest copycats of the ransomware strain that came to denote file-encrypting malware as such. Its prototype called CryptoLocker is associated with the first major outbreak of this perpetrating software cluster in general. Discovered back in 2013, the infrastructure behind the original variant was dismantled in the course of a law enforcement effort dubbed Operation Tovar in May 2014. However, the malicious business model ended up moving on afterwards. The most harmful and widespread adherent of the bad craft was Crypt0L0cker, also known as TorrentLocker. Several iterations of this sample have been spotted in the wild over the past two years. One of them appended one’s files with the .encrypted extension, another one used the .enc string instead.

HOW_TO_RESTORE_FILES.html ransom note by the new Crypt0L0cker

The most recent Crypt0L0cker campaign was unleashed in late November 2016. It’s steadily gaining momentum as of now. Having encoded personal files on a computer, the infection concatenates a random 6-character extension to every ciphered entry. The original filename and extension stay invariable, so the renaming algorithm returns a file structure like this: document.docx.nhewpz. In contrast to some of the prevalent ransomware specimens out there which completely scramble filenames, this onslaught doesn’t prevent victims from working out what items have been affected. Nevertheless, the data is encrypted with a military-grade cryptographic standard that doesn’t yield to commonplace recovery mechanisms.

Crypt0L0cker leaves ransom notes called HOW_TO_RESTORE_FILES.html and HOW_TO_RESTORE_FILES.txt. The infected users won’t find it difficult to locate them as they will appear both on the desktop and inside encrypted paths on the machine. These manuals contain the following warning:

Warning
We have encrypted your files with Crypt0L0cker virus

– a really straightforward way to explain what happened. Their main objective, though, is to instruct victims how they can get their precious data back. Those contaminated are bound to literally buy the decryption for Bitcoins. The ransom is payable through a secret Tor (The Onion Router) page, with the URL being provided in the ransom notes. The recovery page indicates the amount of cryptocurrency for the buyout, which is typically somewhere between 0.5-1 BTC.

The way this crypto malady spreads is a no-brainer. The felons at the helm of the new campaign spawn numerous variants of spam emails to deliver the ransomware payload. Because these messages look like regular ISP notifications, invoices, newsletters or subscription cancellation requests, quite a few recipients get curious and open the malign attachments. This is an ambush that will get the unsuspecting user infected in no time. If Crypt0L0cker has sneaked its way into a PC, chances are the files will be restored via forensic techniques.

Automatic removal of Crypt0L0cker virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Crypt0L0cker virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Crypt0L0cker ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the Crypt0L0cker virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it was active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Crypt0L0cker scanner and remover

The post Crypt0L0cker virus decrypt and removal tool appeared first on Keone Software.

.Wallet file virus: decrypt and remove Dharma ransomware

Over the past few weeks, numerous computer users have been reporting ransomware attacks where files are encrypted and appended with the .wallet extension.

The concatenation of certain strings to filenames is one of the most explicit symptoms of a crypto ransomware compromise. This tactic is used to flag data entries that the troublemaking software holds hostage. Although this is an annoying encounter, it’s merely a concomitant effect. The inaccessibility of one’s personal information poses a much more serious predicament. Nonetheless, these extensions are like fingerprints and can shed light on the specific ransomware sample a user is confronted with. By knowing the strain, it may be possible to find a data restoration workaround. The .wallet extension, for instance, denotes the so-called Dharma ransomware family. Having encoded a victim’s files, this offending code variant adds the .[email_address].wallet string to each one. For instance, a document named Manual.pdf will assume a shape like Manual.pdf.[amagnus@india.com].wallet.

Encrypted .wallet extension files

There are several other extensions in Dharma’s arsenal, including .zzzzz and .dharma proper. The .wallet suffix, however, is the most widespread one at this point. The list of email addresses prepended to this extension is fairly broad as well. It includes interlock@india.com, amagnus@india.com, stopper@india.com, pay4help@india.com, worm01@india.com, funa@india.com, bitcoin143@india.com, lavandos@india.com, and lavandos@dr.com. The explanation for this is simple: there are multiple concurrent campaigns of Dharma ransomware distribution, so different cybercriminal groups put their contact details right into the mangled filenames. Keep in mind that no matter how illegal this business model is, it constitutes a huge darknet economy with its own affiliates, merchants, intermediaries and other interested parties.
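The renaming schemes and ransom note names described across these write-ups (32 hex characters plus .zzzzz, five double-hyphen groups plus .osiris, a random 6-letter suffix for Crypt0L0cker, the bracketed e-mail plus .wallet for Dharma, and the note filenames each article quotes) are exactly the fingerprints an incident responder keys on. The following added example, not Keone Software's code, turns them into a small Python triage routine; the sample listing, hex strings and random suffixes in it are constructed.

```python
"""Triage helper: infer the ransomware family from the naming artifacts the
articles describe, i.e. how encrypted files are renamed and what the ransom
notes are called. Added example, not code from Keone Software; the regexes
transcribe the articles' descriptions and are triage heuristics, not a detector."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Encrypted-file naming schemes, most specific first. Named groups recover what
# survives the renaming (original filename, attacker contact) for the IR record.
FILE_PATTERNS = [
    # Dharma: <original>.[email].wallet, also seen with .dharma and .zzzzz;
    # the bracketed address identifies the campaign's contact detail.
    ("Dharma", re.compile(
        r"^(?P<original>.+)\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<ext>wallet|dharma|zzzzz)$")),
    # Locky/.osiris: five groups of characters separated by double hyphens.
    ("Locky (.osiris)", re.compile(r"^[0-9A-Za-z]+(?:--[0-9A-Za-z]+){4}\.osiris$")),
    # Locky/.zzzzz: 32 hexadecimal characters followed by .zzzzz.
    ("Locky (.zzzzz)", re.compile(r"^[0-9A-Fa-f]{32}\.zzzzz$")),
    # Crypt0L0cker: name and extension kept, random 6-letter suffix appended
    # (document.docx.nhewpz). Weakest rule, hence checked last: a harmless
    # name such as report.pdf.backup matches it too.
    ("Crypt0L0cker (heuristic)", re.compile(
        r"^(?P<original>.+\.[A-Za-z0-9]{1,5})\.(?P<ext>[a-z]{6})$")),
]

# Ransom note filenames quoted in the articles. Cryptolocker 2016 (PClock) does
# not rename files at all, so its note is the only artifact to key on.
NOTE_PATTERNS = [
    ("Locky (.zzzzz)", re.compile(r"^(?:_\d+)?-INSTRUCTION\.(?:html|bmp)$")),
    ("Locky (.osiris)", re.compile(r"^OSIRIS-[0-9A-Fa-f]{4}\.htm$")),
    ("Locky", re.compile(r"^_WHAT_is\.(?:html|bmp)$")),
    ("Cryptolocker 2016 (PClock)", re.compile(r"^Your files are locked !\.txt$")),
    ("Crypt0L0cker", re.compile(r"^HOW_TO_RESTORE_FILES\.(?:html|txt)$")),
    # Dharma's Readme.txt is a generic name; treat the hit as weak evidence.
    ("Dharma (weak: generic note name)", re.compile(r"^Readme\.txt$", re.IGNORECASE)),
]


def classify_file(name: str) -> Optional[Dict[str, str]]:
    """Return family plus whatever the scheme preserves, or None if untouched."""
    for family, rx in FILE_PATTERNS:
        m = rx.match(name)
        if m:
            g = m.groupdict()
            return {"family": family,
                    "original": g.get("original") or "",  # empty when scrambled
                    "contact": g.get("contact") or ""}
    return None


def classify_note(name: str) -> Optional[str]:
    """Return the family a ransom note filename points to, or None."""
    for family, rx in NOTE_PATTERNS:
        if rx.match(name):
            return family
    return None


def triage(names: Iterable[str]) -> Dict[str, Counter]:
    """Count encrypted files and ransom notes per family over a directory listing."""
    files, notes = Counter(), Counter()
    for name in names:
        family = classify_note(name)
        if family:
            notes[family] += 1
            continue
        hit = classify_file(name)
        if hit:
            files[hit["family"]] += 1
    return {"files": files, "notes": notes}


# Constructed listing mixing artifacts of the families discussed, plus one
# untouched file; the hex and random strings are made up for the demo.
SAMPLE_LISTING = [
    "F67091F1D24A922B1A7FC27E19A9D9BC.zzzzz",
    "_3-INSTRUCTION.html",
    "A1B2C3D4--E5F6--7890--ABCD--1234567890AB.osiris",
    "document.docx.nhewpz",
    "HOW_TO_RESTORE_FILES.txt",
    "Manual.pdf.[amagnus@india.com].wallet",
    "Readme.txt",
    "Your files are locked !.txt",
    "budget.xlsx",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for kind in ("files", "notes"):
        for family, count in sorted(result[kind].items()):
            print(f"{kind:5} {count:3}  {family}")
    for name in SAMPLE_LISTING:
        hit = classify_file(name)
        if hit and hit["original"]:
            print(f"{name} -> original {hit['original']}"
                  + (f", contact {hit['contact']}" if hit["contact"] else ""))
```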

The payload of the .wallet file virus mostly camouflages itself as an eye-catching email attachment, such as an invoice, job offer, banking fraud alert or ISP complaint. In other words, the fraudsters try to social-engineer users into opening the rogue email attachments. As soon as a targeted person opens one of these attached documents, the built-in JavaScript or VBA script instantly sets off the infection chain. Then, the ransomware determines what is to be encrypted on the computer’s hard disk and network shares. To this end, it scans all of these directories for popular formats of data.

The email address embedded in the renamed files isn’t the only way to find out how to reach the adversary. The .wallet ransomware reiterates this information in the Readme.txt ransom notes, which are implanted into every folder with encrypted data. A copy will appear on the desktop as well. These notes with the decryption walkthrough are rather concise, only telling the victim that they got attacked and providing the email address to contact the hackers. Despite the fact that users can negotiate the size of the ransom, it normally won’t be lower than 1 Bitcoin. Instead of paying up and supporting the online extortion frenzy, first try the methods highlighted below.

Automatic removal of the .wallet file virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download .wallet file virus removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .wallet files ciphered by the Dharma ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of the .wallet virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be recovered with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or whole volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it was active, some of the data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on the preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it build a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.
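Option 3 in each of the articles above relies on the same Volume Snapshot Service data, whether reached through the Previous Versions tab or through Shadow Explorer. The Python below, an added example rather than Keone Software's own tooling, enumerates the snapshots from the output of vssadmin list shadows and maps an encrypted file's path to its copy inside a snapshot; the vssadmin transcript is constructed, and the copy-out step assumes the \\?\GLOBALROOT snapshot path is accepted by the Win32 file APIs.

```python
"""Enumerate Volume Shadow Copies from the command line and map an encrypted
file's path onto its copy inside a snapshot: the same data the Previous Versions
dialog and Shadow Explorer expose. Added example, not Keone Software's code.
VSSADMIN_SAMPLE is a constructed vssadmin transcript; restore_from_shadow
assumes the \\?\GLOBALROOT device path is accepted by the Win32 file APIs."""
import os
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass
class ShadowCopy:
    shadow_id: str
    created: str          # creation time exactly as vssadmin prints it
    original_volume: str  # drive letter, e.g. "C:"
    device: str           # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


# A "Contents of shadow copy set" block may list several copies; the creation
# time is printed once per set, so it is parsed separately from the copies.
_SET_TIME = re.compile(r"Contained \d+ shadow copies at creation time: (?P<created>[^\r\n]+)")
_COPY = re.compile(
    r"Shadow Copy ID: (?P<id>\{[0-9A-Fa-f-]+\})[\s\S]*?"
    r"Original Volume: \((?P<drive>[A-Za-z]:)\)[\s\S]*?"
    r"Shadow Copy Volume: (?P<device>\S+)")


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Parse the output of `vssadmin list shadows` into ShadowCopy records."""
    copies: List[ShadowCopy] = []
    for block in text.split("Contents of shadow copy set ID:")[1:]:
        m = _SET_TIME.search(block)
        created = m["created"].strip() if m else ""
        for c in _COPY.finditer(block):
            copies.append(ShadowCopy(c["id"], created, c["drive"].upper(), c["device"]))
    return copies


def shadow_path(copy: ShadowCopy, original_path: str) -> str:
    """Translate C:\\Users\\...\\file into the same file inside the snapshot."""
    drive, sep, rest = original_path.partition("\\")
    if not sep or drive.upper() != copy.original_volume:
        raise ValueError(f"{original_path} is not on volume {copy.original_volume}")
    return f"{copy.device}\\{rest}"


def list_shadow_copies() -> List[ShadowCopy]:
    """Run vssadmin (Windows only, from an elevated prompt) and parse its output."""
    if os.name != "nt":
        raise RuntimeError("vssadmin is only available on Windows")
    proc = subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=True)
    return parse_vssadmin(proc.stdout)


def restore_from_shadow(copy: ShadowCopy, original_path: str, dest: str) -> str:
    """Copy the pre-encryption version of a file out of the snapshot to dest.
    Copy to a new location; overwrite the encrypted file only after the
    recovered copy has been verified to open."""
    return shutil.copy2(shadow_path(copy, original_path), dest)


# Constructed transcript in the layout vssadmin uses; IDs and times are made up.
VSSADMIN_SAMPLE = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {7c1f3d2e-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 12/2/2016 8:03:11 PM
      Shadow Copy ID: {9a2b4c6d-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{1111aaaa-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {7c1f3d2e-0000-4000-8000-000000000003}
   Contained 1 shadow copies at creation time: 12/5/2016 7:45:02 AM
      Shadow Copy ID: {9a2b4c6d-0000-4000-8000-000000000004}
         Original Volume: (C:)\\?\Volume{1111aaaa-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

if __name__ == "__main__":
    snapshots = parse_vssadmin(VSSADMIN_SAMPLE)  # use list_shadow_copies() on Windows
    for s in snapshots:
        print(f"{s.created:22} {s.original_volume} {s.device}")
    # Pick a snapshot created before the attack; the newest such one has the freshest data.
    print(shadow_path(snapshots[0], r"C:\Users\me\Documents\report.docx"))
```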

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .wallet ransomware scanner and remover

The post .Wallet file virus: decrypt and remove Dharma ransomware appeared first on Keone Software.

RSA-2048 and AES-128 ciphers ransomware: decrypt and restore

When a ransomware variant called Locky infects a computer, it displays a warning message saying that all files are encrypted with RSA-2048 and AES-128 ciphers.

There are ransomware attack occurrences where online crooks deliberately exaggerate the strength of data encryption in order to make the predicament look scarier than it actually is. Inflating the entropy of the decryption key is a prime example of this manipulation. What about the Locky ransomware case? This strain replaces a victim’s desktop wallpaper with the _WHAT_is.bmp image that says,

“All of your files are encrypted with RSA-2048 and AES-128 ciphers”

Is this alert true? Unfortunately yes. The Locky cyber-baddie first applies the symmetric AES (Advanced Encryption Standard) cryptosystem, which generates a secret key used for encoding and decoding alike. To keep this AES key from being retrieved by the victim, the ransomware then encrypts it with the asymmetric RSA-2048 algorithm, which is tougher still to crack.

RSA-2048 and AES-128 ciphers as part of the intimidation tactic

It’s quite easy to avoid the Locky ransomware, because its intrusion usually requires direct action on the user’s end. More specifically, the contamination won’t take place unless the potential victim opens a booby-trapped email attachment. This infection paradigm involves a botnet-powered spam campaign and malicious scripts delivered with these phishing emails. The payload proper arrives in a ZIP file disguised as a receipt, curriculum vitae, bill, invoice, order information, cancellation request, or job offer. When an unsuspecting recipient unpacks this archive, they will see a random-named JS or VBS file. Once double-clicked, this script triggers the code execution routine that installs the malware. Long story short, all it takes to stay away from this crypto infection is to click responsibly, especially when it comes to email attachments.

Locky Decryptor page containing ransom info

Before Locky gets down to encrypting one’s data, it determines what exactly is subject to this encryption. To do so, the ransomware silently scans the hard disk, removable drives and network shares, comparing every file it encounters against a built-in database of popular extensions. Having thus worked out what to scramble, the offending program makes the files inaccessible through the use of the aforementioned RSA-2048 and AES-128 cryptographic standards. Filenames get replaced with 32 characters followed by an extension such as .zepto, .odin, .thor or .osiris.

Ransom notes called _WHAT_is.html and _WHAT_is.bmp will appear on the desktop and inside affected folders. Their purpose is to tell the infected user what they must do to decrypt their personal data. The final destination in this extortion scheme is a Tor gateway titled the “Locky Decryptor page”. It provides the victim with down-to-earth details regarding the ransom size and the ways to pay it. The amount is typically 0.5 BTC, which equals 357 USD at the time of writing. Every victim who is unwilling to pay this ransom – hopefully that’s the overwhelming majority – should follow some of the best practices of white hat file recovery.

Automatic removal of the RSA-2048 and AES-128 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download RSA-2048 and AES-128 ransomware removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files encrypted with RSA-2048 and AES-128 ciphers

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup service to reinstate all encrypted items.

Option 2: Recovery tools
Research into the RSA-2048 and AES-128 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be brought back with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download RSA-2048 and AES-128 ciphers virus remover

The post RSA-2048 and AES-128 ciphers ransomware: decrypt and restore appeared first on Keone Software.

Spora ransomware: decrypt files and remove virus

Learn how to handle the Spora ransomware, a sophisticated cyber adversary featuring a number of unique characteristics and a flawless extortion mechanism.

What is Spora ransomware?

In IT security terms, Spora has come to denote a violent file-encrypting ransomware. The name is a transliterated variant of a Russian word for “spore”. The conceptual ties are obvious for victims and malware researchers. The contagion is very toxic and it proliferates with a high infection rate. This malicious entity started spreading at the beginning of 2017 and has since taken root firmly enough to become one of today’s most harmful ransom Trojans. It arrives at Windows computers via a botnet that’s leveraged to generate massive spam waves. The files attached to these misleading emails pretend to be invoices, scanned copies of important documents, or similar subjects that recipients are likely to get interested in opening. In fact, the attachments are obfuscated HTA files that, once triggered, drop a JavaScript object into the Temp path of a targeted system. Then, another round of extraction results in firing a random-named executable.

All your work and personal files were encrypted

Spora ransomware alert

Once this routine has launched the Spora ransomware, the infection does a tricky maneuver. While the process run by the malign EXE object is scouting the plagued workstation for important data behind the scenes, the victim will see a Microsoft Word file pop up out of the blue. This document displays a warning dialog stating that the file is corrupted. This is a clever move aimed at distracting the user from what’s actually going on in the background. In the meantime, Spora is looking for data types that correspond to popular formats, such as .jpg, .jpeg, .pdf, .sqlite, .doc, .docx, .xls, .xlsx, .rar, .zip, .rtf and a slew of others. Every such file is subject to encryption with a fusion of RSA and AES cryptographic algorithms. As a result, these data entries become inaccessible. Unlike many other ransomware programs out there, the Spora virus does not modify filenames as part of the data mutilation process – there are no extra extensions added, nor is anything prepended to the original names. And yet, the victim will quickly realize that their files got broken, because the infection leaves a ransom note and a .KEY file on the desktop.

Victim dashboard called the Client Page

The decryption how-to is an HTML file whose name matches the victim ID. The latter is a unique string of 25 hexadecimal characters assigned to every contaminated computer. Having opened the ransom note, the user will be presented with a screen that says,

“All your work and personal files were encrypted
To restore data, obtaining guarantees and support,
follow the instructions in your account.”

The window contains a Personal Area section (https://spora.bz or https://spora.biz), which requires that the victim enter the above-mentioned identifier to log into their Client Page. This page is a professionally tailored user console providing language selection, different data recovery plans, the option of restoring 2 files for free, a live support section, and up-to-date information on the current payment status. It’s too bad such a user-friendly dashboard serves such a nasty purpose.
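Both strains described on this page leave traces a defender can sweep a disk for: Locky's renamed files and _WHAT_is notes, and, because Spora keeps filenames intact, documents whose format signature has vanished. The Python scanner below is an added example and not code from Keone Software; the magic-byte table, the assumption that Locky's 32 renamed characters are hexadecimal, and the sample directory it builds are all constructed for illustration.

```python
import os
import re
import tempfile

# Format signatures for some of the file types the articles say these strains target (constructed table).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF", ".rar": b"Rar!\x1a\x07",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".sqlite": b"SQLite format 3\x00"}
# Locky-style rename: 32 characters (assumed hexadecimal, dashes tolerated) plus one of the listed extensions.
LOCKY_NAME = re.compile(r"^[0-9A-Fa-f-]{32,36}\.(zepto|odin|thor|osiris)$")
LOCKY_NOTES = {"_WHAT_is.html", "_WHAT_is.bmp"}
# Spora-style note: an HTML file named after the 25-hex-character victim ID, dropped beside a .KEY file.
SPORA_NOTE = re.compile(r"^[0-9A-Fa-f]{25}\.html$")


def scan_tree(root: str) -> dict:
    """Walk root and group suspicious paths by the indicator that matched."""
    found = {"locky_renamed": [], "ransom_note": [], "spora_key": [], "header_mismatch": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if LOCKY_NAME.match(name):
                found["locky_renamed"].append(path)
            elif name in LOCKY_NOTES or SPORA_NOTE.match(name):
                found["ransom_note"].append(path)
            elif ext == ".key":
                found["spora_key"].append(path)
            elif ext in MAGIC:
                with open(path, "rb") as fh:
                    head = fh.read(16)
                # Spora keeps the name, so only the content gives it away: the format signature is gone.
                if head and not head.startswith(MAGIC[ext]):  # empty files are skipped
                    found["header_mismatch"].append(path)
    return found


def build_sample_tree() -> str:
    """Create a constructed directory holding one intact file and five ransomware-like artifacts."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4 intact sample",                  # untouched document
        "budget.xlsx": b"\x9f\x3a\xd1\x77" * 8,                   # Spora-like: name kept, header gone
        "A1B2C3D4E5F60718293A4B5C6D7E8F90.zepto": b"\x00" * 8,    # Locky-like renamed file
        "_WHAT_is.html": b"<html>note</html>",                    # Locky ransom note
        "0123456789ABCDEF012345678.html": b"<html>note</html>",   # Spora note (25 hex chars)
        "victim.KEY": b"constructed key blob",                    # Spora key file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_tree(build_sample_tree())` flags every planted artifact and leaves the intact report.pdf alone; pointing `scan_tree` at a user profile gives a quick triage of which strain's traces are present.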

Interestingly, the Spora ransomware collects certain types of user data and, based on that, puts every victim into one of six categories. Different ransom sizes apply to each of these clusters, so the infection will demand less money from a home user than it will from an organization. What is more, the threat actors deliver quality tech support. The agents are responsive and may even disable the ransom payment deadline if the infected user agrees to leave a positive review about the service. All in all, online extortion is getting worse in terms of technical complexity and interaction with victims. Unfortunately, there is no automatic decryptor to restore files locked down by the Spora ransomware. The good news is that there are specially crafted techniques that may do the trick for some of the ciphered files.

Automatic removal of Spora ransomware virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button

Download Spora removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by the Spora ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature provided by your backup service to reinstate all encrypted items.

Option 2: Recovery tools
Research into the Spora virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. Meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can often be brought back with the right techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically takes backup snapshots of files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Spora virus scanner and remover

The post Spora ransomware: decrypt files and remove virus appeared first on Keone Software.
