Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2020

How to remove Charmant ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

Charmant ransomware is a new malware developed by unknown actors who offer establishing contact with victims via email or Jabber

Charmant ransomware

Charmant ransomware is a new variant of a GarrantyDecrypt virus and was first spotted attacking companies in late December 2019. The malware uses typical techniques to extort money from the infected victims – it locks all personal data (also appends .charmant marker to videos, music, photos, documents, etc.) and then demands ransom in Bitcoin in return for the Charmant ransomware decryption tool.

Charmant virus also drops a ransom note named #RECOVERY#.txt which is dropped into each of the folders where encrypted files are located. The intention of hackers is to ensure that victims are aware of what happened to their computers and files, so that they would be able to start negotiations about the ransom. However, unlike most other malware, Charmant ransomware developers not only provide the contact email (charmant@firemail.cc) but also Jabber/Pidgin account charmant@jabb.im.

Name Charmant ransomware
Type File locking virus, crypto-malware
Family It belongs to GarrantyDecrypt ransomware which was first spotted in October 2018 and since then released multiple variants
Encryption algorithm  Advanced Encryption Algorithm (AES) is used to lock all pictures, videos, documents, databases, and other non-system and non-executable files 
File extension  Each file is appended with .charmant appendix, for example, a “picture.jpg” is converted into “picture.jpg.charmant” after the encryption
Ransom note  #RECOVERY#.txt is dropped into each of affected files' folders
Main targets Organisations and businesses, although it does not mean that regular users cannot be infected as well
Propagation methods Malware can be spread via insecure RDP connections, phishing emails, brute-force attacks, and other ways
Removal To get rid of malware, scan your machine in Safe Mode with Networking
File decryption

Without data backups, there is no 100% secure way of retrieving your data without risks. Other file recovery methods include:

  • paying criminals (not recommended)
  • using data recovery software
  • waiting for security researchers to create a decryption tool (might not be possible)
System remediation In case your Windows is struggling due to errors and BSODs, it means that malware managed to damage system files. In order to fix them, you would either have to reinstall Windows or use PC repair tool FortectIntego

Ransomware such as Charmant virus works on a simple principle: it uses a secure encryption algorithm AES to encrypt data and then demands a payment for the tool that could unlock all the files. AES (Advanced Encryption Standard) is a symmetric encryption method[1] that uses the same (but a secret) key to lock and unlock data. To retrieve it, victims are asked to pay a ransom in Bitcoin, and hackers may or may not send it back afterward.

Because there are very few instances of Charmant ransomware infections, it is yet unknown what methods threat actors are using to propagate the virus. While the malware sample is yet to be analyzed, it is clear that the virus is attacking not only regular users but also organizations – it encrypts all data on the initial machine which got infected, as well as on all the networked drives it is connected to.

Charmant ransomware authors most likely use the following distribution methods, based on their target choices:

  • Unprotected Remote Desktop connections[2]
  • Software vulnerabilities
  • Targeted phishing emails

Nevertheless, there are several other techniques that can be used by criminals to infect random targets, including spam emails, software cracks, fake updates, web injects, backdoors, etc. Regardless of the infection methods, victims will have to take of Charmant ransomware removal – and better to do it sooner than later, as malware might be inserted into the machine in a bulk or an already established virus might be used to install other malicious payloads.

Charmant ransomware virus

Thus, there is a chance that Charmant ransomware is not the only infection on the system, and other parasites can be used for gathering sensitive information such as banking details, social security numbers, driver's license data, etc. To remove Charmant ransomware, you should use powerful security software like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.

To ensure that users are aware of what happened to their computers and increase chances of payment, Charmant virus drops #RECOVERY#.txt file into each folder. It reads:

All your files have been ENCRYPTED!!!
Write to our email – charmant@firemail.cc
Or contact us via jabber – charmant@jabb.im
Jabber (Pidgin) client installation instructions, you can find on youtube – https://www.youtube.com/results?search_query=pidgin+jabber+install
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
tell your unique ID

By analyzing the ransom note as well as encrypted files, security experts managed to find connections to the GarrantyDecrypt ransomware. However, that serves little to those infected, as their files cannot be decrypted securely unless backups were made before the infection occurred.

If you have no backups stored on a remote server (note that if backups are not stored correctly, malware can also encrypt them as well), retrieving access to Charmant ransomware encrypted files without paying criminals is almost impossible. Nevertheless, there is a small chance of recovering files with data recovery software – we provide a few tools below.

Before you proceed, however, you need to make a copy of all the encrypted files, as any actions performed on the machine might permanently damage them.

Charmant ransomware encrypted files

Protect you computer from ransomware attacks in the future

If you are facing a ransomware infection, you are in a tough spot. Unlike most of the other malware that harms users in various ways during their operation, ransomware leaves the encrypted data behind, even after its removal. Many users who get infected are often unaware of this fact and start blaming security software for not being able to deal with a particular threat. The truth is, security software can never do anything about the encrypted files simply because it is not designed for that purpose. Its main goal is to prevent the infections and remove an already existing malware from the system.

However, security software is definitely not enough to protect the computer from ransomware attacks, as malicious actors often utilize methods that can bypass the protection of even the most advanced security tools. For the record, anti-malware software still remains one of the main priorities when it comes to cybersecurity.

Awareness is possibly just as important as comprehensive security solutions, as untrained staff or less experienced computer users will allow malware to be executed in one way or another (for example, allowing a malicious email attachment to run macros).[3] Thus, security experts[4] advise the following:

  • Backup all the important files on a regular basis;
  • Enable firewall to prevent privilege escalation;
  • Adequately protect the RDP: use a strong password, do not use the default TCP and UDP port 3389, limit access to only trusted individuals, enable Network Level Authentication (NLA) via System Properties, etc.
  • Do not download executables from unreliable websites such as torrents or similar sites;
  • Never use software cracks/keygens/loaders;
  • Watch out for unsolicited emails, especially those that has attachments or hyperlinks embedded;
  • Limit network access.

Terminate Charmant ransomware virus and only then attempt to recover the encrypted data

Before you proceed with Charmant ransomware removal, you should keep in mind several factors. For example, malware could delete itself after the file locking process, so its termination could no longer be required, or it may instead be connected to other malicious software present on the machine. With the new variants of malware emerging regularly, especially those which samples have still not yet been analyzed, there is always an uncertainty of what a particular threat is capable of. To put it simply – you should rely on anti-malware software to do the complicated job of Charmant virus termination, and you can also rely on PC repair tools like FortectIntego to fix virus damage.

Additionally, you should not remove Charmant ransomware until you copy all the important files to a separate drive or virtual storage, as they might get corrupted permanently in the process. Once you are ready, access Safe Mode with Networking, as explained below, and fully scan the machine with anti-malware software. After successful removal, you can try using recovery software, or you can still choose to pay cybercriminals for the key – the latter is highly discouraged, although some users may not have another choice.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.