Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2020

How to remove Avest ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Jake Doevan · Computer technology expert

Avest ransomware is a decryptable crypto-malware that appends .Pack14 marking after file locking process

Avest ransomware

Avest ransomware (also known as Pack14 ransomware) is a computer virus that sneaks into the machine via spam email attachments, software cracks, unprotected Remote Desktop connection, software vulnerabilities,[1] fake updates, and other deceptive methods. Once inside, the malware uses a taskkill.exe command to shut down MS Office, Notepad and other files that might be running on the system, and then begins the encryption process. In this way, picture, document, database, image, PDF, and other commonly used files can no longer be accessed, and also receive an extension .pack14 at the end.

Besides triggering the encryption process, Avest ransomware also contacts a remote server to send the key that is required for file retrieval process and drops a ransom note !!!Readme!!!Help!!!.txt which asks users to contact hackers via data1992@protonmail.com and send the provided ID.

While it is unknown what sum of money Avest virus developers ask for, paying them would be an enormous waste of money, as the security team at Emsisoft released a working free decryption tool that can recover all the encrypted data for free. However, be sure to remove Avest ransomware before proceeding with the recovery process – we explain how at the bottom of this post.

Name Avest ransomware
Type Cryptovirus – malware based on money extortion
Also known as This virus family is often called Pack14 ransomware due to the extension it appends to the hijacked data
File extension Avest ransomware appends .pack14 file extension at the very end, although the full appendix looks as follows: .ckey(random_ID).email(data1992@protonmail.com).pack.14
Related files The executable used by malware to start the infection process of the computer is usually called installer.exe, antimalware.exe, office64.exe or avst.exe, although a random name can be used as well
Ransom note  Malware drops !!!Readme!!!Help!!!.txt into each of the folders where the encrypted files are located
Contact To recover the all the locked personal files, users are asked to email crooks via data1992@protonmail.com
Peculiarities The name of the ransomware is identical to the one that a Belorussian IT company goes by – ZAO Avest
AV detections[2]
  • TR/Ransom.qqmqn
  • Trojan.MSIL.Encoder.j!c
  • Trojan.GenericKD.41643801 (B)
  • Ransom.FileCryptor
  • W32.Trojan.MSIL.Encoder
  • HEUR:Trojan-Ransom.MSIL.Encoder.gen
  • Mal/Generic-S, etc.
Removal While removing ransomware manually is possible, you should rely on automatic tools for the process. We suggest using FortectIntego, SpyHunterCombo Cleaner, MalwarebytesMalwarebytes or another reputable anti-malware software that can detect and delete all the malicious components from the machine
Data recovery There is no point paying cybercriminals, as there is a working free decryptor offered by Emsisoft. If it does not work for some reason, try alternative methods for data recovery we provide in our recovery section below

The activity of Avest ransomware was first spotted in early September 2019. While this malware does not seem to have any similarities or connections to other ransomware strains, it tries to imitate the name of Belorussian IT company ZAO Avest which specializes in cryptographic software development. Nevertheless, it is highly unlikely that Pack14 ransomware developers have anything to do with the mentioned corporation.

It is not the first time, however, when ransomware developers used reputable names of companies or high-profile figures as the name of heir malicious software; for example, Spyhunter ransomwareCSGO ransomwareDonald Trump ransomware, and many others. In most of the cases, hackers most likely want to mock the person/company they are trying impersonate, or deliberately confuse victims – the latter is the most likely cause for the Avest ransomware name.

Pack14 ransomware

Once inside the system, Avest ransomware performs a variety of system changes and deletes Shadow Volume Copies to complicate the recovery process. After that, the virus scans the machine for files to encrypt, and it targets the most common ones, such as .pdf, .docx, .html, .jpg, .mp4, and many others. Thus, it turns a picture.jpg into a picture.jpg.ckey(ubjjnsty).email(data1992@protonmail.com).pack14, and it can no longer be opened.

After the encryption, Pack14 ransomware drops a ransom note which is a brief message from hackers:

Problems with your data? Contact us: data1992@protonmail.com
key: ubjjnsty

As we previously mentioned, there is no need to contact cybercriminals behind Avest virus, as a free decryption tool exists. Besides, paying criminals would only fund their activities and prove to them that their illegal business model works.

Thus, check out a full guide on how to decrypt files in our recovery section below. However, make sure you initiate a full Avest ransomware removal first, otherwise, the decoding process will be useless. For that, you should employ anti-malware software and scan your system thoroughly. For the job, we suggest using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.

Avest ransomware encrypted files

Most common ransomware distribution methods in the wild

In most of the cases, hackers employ multiple distribution tactics in order to infect as many victims as possible, as it increases the chances of payment in Bitcoin or another cryptocurrency. While some methods might be more sophisticated then the others, the main vector when it comes to computer infection is human – careless online behavior and inadequate protection measures can easily result in ransomware or other malware infection.

Because this ransomware version is decryptable, you can recover from it relatively easily. However, most of the other infected users are not so lucky, as crypto viruses rarely receive free decryption tools. Thus, if you get infected again with a treat such as .nesa, .nemty, .karl or similar, file recovery will most likely be impossible.

To prevent ransomware infections in the future, make sure you follow these simple tips provided by experts in the security field:[3]

  • Install comprehensive anti-malware software and keep it up to date;
  • Patch your operating system and all the installed programs with latest security updates immediately after they are released;
  • Do not open email spam – attachments that ask for a macro function to be enabled are the ones to stay away from;
  • Do not download cracks and pirated software, as the installers can be often ridden with malware;
  • Enable ad-block (although do not forget to add exceptions for sites you want to support);
  • When using Remote Desktop, protect it with a secure password and avoid the default port 3389;
  • Use strong passwords and for all your accounts and enable two-factor authentication where possible;
  • Do not ignore your anti-virus software warnings;
  • Backup your files to mitigate the damage done by ransomware.

Get rid of Pack14 ransomware using anti-malware software: access Safe Mode if required

As we previously mentioned, Pack14 ransomware removal is indeed possible to achieve manually. However, this action requires an extensive computer and IT knowledge, as malware makes significant changes to the infected systems. Therefore, you should rather employ professional anti-malware software and perform a full system scan – it should detect Avest ransomware and take care of its termination.

Avest ransomware mimics a company name

However, in some cases, Pack14 file virus might interfere with the correct operation of security software. In such a case, you should enter Safe Mode with Networking – please check step-by-step instructions below. After you remove Avest ransomware from your machine, download the decryption tool and recover all your files for free. 

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.