Exotic ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - - | Type: Ransomware
12

Exotic ransomware wants $50 from you

Exotic virus, which is developed by German coder EvilTwin, is actually a ransomware-type computer infection that encrypts files and demands payment in exchange for the decryption software. Its authors have released even three different versions of this ransomware. Once installed, it terminates cmd, taskmgr, procexp, procexp64, regedit, msconfig, and CCleaner64 processes, and then checks Desktop, My Music, My Videos, Personal, Contacts, Downloads, My Pictures folders, which are located in %USERPROFILE%. The virus then encrypts all files, including .exe files, with an undefeatable encryption (it uses AES-128 cipher), and adds .exotic file extension to every file it touches. It is worth noting that malware double-checks these folders for new files, and encrypts them as well. Then it displays a pop-up message called “Crypto,” which says:

Windows are infected, by the EXOTIC virus!
Try to Kill or Delete me I will kill your PC!
Have a nice day =)

The pop-up message provides the OK button, and once the victim clicks on it, the ransom note appears on the screen. It seems that authors of this filthy ransomware really do not watch their mouths because they include many vulgar words in this note. The ransom note launches in a new window which is called “You got fu*ked by EXOTIC SQUAD!,” and displays the following information:

All your files have been encrypted!
Hello, all your Computer files have been encrypted. But, don’t worry! I haven’t deleted them all. So you have 7 2 hours to pay 50 USD in Bitcoins to my Bitcoin Address to get your files back! Every 5 hours files will be deleted. After 72 hours all that are left will be deleted! We will format your hard-drive when you restart your computer! The Timer starts now! Don’t fu*k with EXOTIC SQUAD!

As you can see, the ransomware virus demands 50 USD within 72 hours, otherwise, the decryption key needed for data restoration will be deleted. Besides, just like the infamous JigSaw ransomware, Exotic Squad virus promises to remove some files every 5 hours of non-payment, and in case the victim does not pay the ransom within 72 hours, the rest of the encrypted data gets erased all at once. When the counter reaches 0, the ransomware reboots the computer automatically, but here’s where the ransomware author failed. Ransomware copies itself to Startup directory to start itself automatically as soon as the computer prepares itself to function, but “unfortunately” this virus is designed to encrypt .exe files, so it encrypts the ransomware’s executive file as well and it becomes useless. 

If you have been infected with this nasty ransomware, we recommend you to remove Exotic virus with the anti-malware tool like Reimage, and not pay the ransom for the criminals. Speaking from experience, we can say that viruses which look scary and display frightening messages usually are not that dangerous, because their authors typically lack professional coding skills, because it is much easier to write some text in a pop-up window than to code a program that can strongly encrypt files. This virus looks like one of those who are likely to be cracked soon, so we suggest you backup the encrypted data and be patient. For Exotic removal, use instructions presented below. Delete the virus as soon as you can to prevent it from deleting your files.

Exotic ransomware attack

The developer of this ransomware attempts to reach out to malware researchers

This case of ransomware is rather interesting because while typical ransomware authors tend to stay as anonymous as possible, the developer of this one, known as EvilTwin, wants to communicate with malware researchers and has even provided them with an example of Exotic 2.0 ransomware virus and possibly with Exotic 3.0 ransomware virus. The e-mail of the author is exotic.eviltwin@yandex.com. According to the EvilTwin, malware researchers got his “test ransomware” and his final is a “bada*s.” This is clearly a threat, and it is likely that another example of this virus is going to show up shortly. Therefore, we advise computer users to stay alerted and protect their computers from ransomware by installing an anti-malware program and creating a data backup.

Exotic versions released by EvilTwin

So far two different versions have been discovered, although there might be more shortly. At the moment, known Exotic malware versions are these:

Exotic 2.0 ransomware. The second version of this ransomware project asks for $50 as a ransom and is based on traditional pay-the-ransom-get-files-back strategy. It encrypts files with a tricky algorithm, supplements them with .exotic file extensions, leaves How-to-restore.txt ransom note on the desktop, and launches a program entitled “You got fu*cked by EVILTWIN!,” which types the ransom note on the screen and showcases a countdown clock. It threatens the victim to delete some files every 5 hours of non-payment and finally erase the rest of them after 72 hours. The ransomware should be erased with anti-malware tool since it has no uninstaller. Inexperienced computer users should not attempt to remove the virus manually because in order to entirely delete the virus, victims should delete numerous files that are entitled with trustworthy filenames and also alter Windows Registry, which is a difficult thing to do.

Exotic 3.0 ransomware. The third version no longer threatens the victim to erase the files, but demands for the same $50 ransom, which should be paid in Bitcoins to the same Bitcoin address. Exotic 3.0 virus appends .exotic extensions to encrypted files to make them recognizable, and sadly it seems that encryption that this virus applies to target files is nearly impossible to crack. It means that files cannot be decrypted without a special decryption key, but we do not recommend you to pass your money to victims because according to recent researchers, even 20% of victims who paid the ransom never got the decryption software. We believe that it is a reasonable basis not to pay the ransom.

Distribution techniques

Malware can infect your PC using various techniques. Probably the most popular ways are these:

  • Sending malicious email attachments to victims or including infectious links in email messages;
  • Using exploit kits placed on harmful websites;
  • Pushing fake software updates;
  • Malvertising.

Although ransomware authors try to apply new methods of malware distribution, the most efficient one remains the same. Victims still open malicious emails without even inspecting who the sender is. Criminals are so advanced that they can insert a malicious script into a safe-looking Word or JS file, while in the past the only way to infect computers was to make the victim open a .exe file.

Remove Exotic virus entirely

Please do not listen what this malicious Exotic virus says. It attempts to frighten you and make you believe that restarting the computer will “kill it.” You have to start your computer in a Safe Mode with Networking, so please carefully read the instructions presented below or ask someone else to start your PC in a Safe Mode with Networking if you do not know how to do it. Then, you will be able to install an anti-malware tool and complete Exotic removal then. We highly recommend you to employ an automatic virus removal software and not to remove Exotic virus manually as this can result in failure, and then the virus might actually delete all files by formatting the hard drive. Be careful!

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Exotic ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Exotic ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.
Exotic ransomware virus snapshot
Ransom note by Exotic 2.0 ransomware virusRansom note by Exotic 3.0 ransomware virus

Manual Exotic virus Removal Guide:

Remove Exotic using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Exotic

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Exotic removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Exotic using System Restore

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Exotic. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Exotic removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Exotic from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Exotic, you can use several methods to restore them:

Recover .exotic files with Data Recovery Pro

Although this is not the official decryption tool, you can try to run Data Recovery Pro and give it a chance to fix your files. We strongly recommend you to create a data backup before applying this technique.

Explore Volume Shadow Copies with ShadowExplorer

If Exotic Squad virus authors were not attentive enough, they could miss one important step when creating this ransomware. Sometimes, ransomware authors forget to insert a function that deletes Volume Shadow Copies, which can be used to restore encrypted data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Exotic and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

More information about the author


  • Tod

    Theres a version 2 already

  • Rizzle

    Ridiculous virus. Are the developers of it trying to sound gangsta or what? Just funny. Not gonna pay.

  • mandy

    Recovered my files from backup…. stupid virus if i met its authors I would laugh at his/hers face.

    • Eliiott

      i KNOW RIGHT! I have also been attacked but removed the Exotic virus with antivirus program quickly. I dont care about files – didnt keep anything important in my computer