Vari ransomware – a Djvu virus variant that seeks to extort money by locking users' files

Vari ransomware is a computer virus that is designed for money extortion purposes – it locks all personal data on the host machine and then demands a ransom to be paid for its return. Suchlike modified documents, pictures, videos, databases, and other files are encrypted with a sophisticated RSA cipher and marked with .vari extension.
Additionally, Vari ransomware would drop a ransom note _readme.txt into each of the folders where the locked files are located. This way, victims can find out what happened to their computers and what they need to do in order to regain access to their files. According to malware authors, users need to send an email via helpmanager@mail.ch or restoremanager@airmail.cc and then pay $980 or $490 worth of bitcoins.
Vari file virus is yet another version of the infamous Djvu ransomware family. Malware developers release several versions a month (most recent ones include Oonn, Nile, Kook, Erif, and others), and it is by far the most successful data-encrypting malware that targets regular consumers.
| Name | Vari ransomware |
| Type | File locking virus, crypto-malware |
| Malware family | Djvu/STOP |
| Related | A515.exe |
| Encryption | Malware uses RSA encryption algorithm to lock all personal files on the infected machine |
| File extension | Each of the non-system and non-executable files is appended with .vari extension, e.g., a “picture.jpg” is transformed into “picture.jpg.vari” and is no longer accessible |
| Ransom note | _readme.txt |
| Contact | helpmanager@mail.ch or restoremanager@airmail.cc |
| File recovery | Without backups, data recovery might be impossible. However, in some cases, Emsisoft's decyption tool or third-party programs can be useful |
| Malware removal | Delete the infection by scanning your machine with powerful anti-malware app |
| System fix | In case your computer is crashing, lagging, or experiencing other stability issues after malware elimination, perform a scan with FortectIntego repair software |
Vari ransomware was first spotted by security researcher Michael Gillespie in mid-August 2020.[1] While many other cybercriminal groups choose several distribution methods for the payload delivery, this infection is mainly spread via software cracks/keygens and repacked/pirated installers that can be downloaded on various torrent and similar websites. Thus, if you do not want to deal ransomware infection in the future, stay away from high-risk websites that distribute software cracks.
The malicious executables can be named as anything and, while they typically attempt to disguise under legitimate names, they can also be named as something random as A515.exe or 48cc.pe32. Keep in mind that these malicious files are usually stopped by security programs, but users ignore the warnings and allow them to be executed, infecting them with the Vari file virus.
The infected file 48cc.pe32, which causes the detection, can be detected by various security applications under the following names:[2]
- Win32:BankerX-gen [Trj]
- TR/AD.InstaBot.AR
- Mal/Generic-S
- Trojan:Win32/Zenpak.DEH!MTB
- Malware-Cryptor.Limpopo
- Trojan.Ransom.Stop
Once inside the system, the Vari file virus begins to perform various changes in order to prepare the system for a successful file encryption process. For example, it modifies the Windows registry for persistence purposes, drops a variety of malicious files, deletes Shadow Copies to prevent easy data recovery, etc. While the Vari ransomware removal should revert these changes, we recommend using FortectIntego to fix virus damage and avoid reinstallation of Windows OS.

With the preparations complete, Vari ransomware will begin file encryption process – it usually lasts just a brief moment, although this also depends on the amount of data present on the machine. During this time, malware will show a popup message that closely resembles Windows update prompt. As evident, it is fake and is shown to victims only to prevent them from interrupting the .vari virus file encryption process.
After the data locking process, Vari ransomware will deliver a ransom note _readme.txt, which will explain the situation to users. In the note, it is claimed that there is no other way to recover files besides paying cybercriminals $980 ransom. However, they also offer a 50% discount if the payment is made within 72 hours of the infection. Here is the full message from the malware authors:
ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-ceT7wn7Ioe
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:
helpmanager@mail.chReserve e-mail address to contact us:
restoremanager@airmail.ccYour personal ID:
However, security researchers[3] do not recommend contacting cybercriminals even if they claim to provide “proof” of decryption possibility. Keep in mind that malicious actors might fail to deliver Vari ransomware decryptor after paying the ransom. Besides, they might ask for further payments and keep you in mind as a victim who is willing to pay.
Vari files recovery options
Djvu ransomware strain is one of the most prominent file-locking malware that is targeting regular computer users instead of organizations. Therefore, experts have been putting great effort into helping the infected users to recover .vari files for free. Prior to August 2019, STOPDecrypter could help some victims to recover their data for free, so malware authors were quick to change the encryption method from symmetric AES to asymmetric RSA,[4] which made the file locking much more secure, making the decryption tool obsolete.
Currently, there is no reliable way to decrypt .vari files without backups or paying threat actors. However, as advised before, paying ransomware authors is not recommended due to various reasons.

Thus, if you are asking how to recover .vari files without paying the ransom, there are a few methods that might help some users.
- Use the Emsisoft decryption tool. In case malware failed to contact its Command & Control server, it will use an offline (static) ID to encrypt data. In case somebody retrieves this key after paying criminals and shares with security researchers, it can be added to the database. Thus, if your files were encrypted with an offline ID, there is a chance that this decryption tool will work for you.
- Try built-in backups. Windows stores Shadow Volume Copies which are designed to help you recover data in unexpected circumstances. Unfortunately, malware is almost always programmed to delete these automatic backups, so options such as Windows Previous Versions feature can only work in rare circumstances when Vari ransomware fails to perform as intended.
- Third-party recovery software might sometimes help. In some rare cases, third-party recovery tools might be helpful when trying to recover ransomware-locked files.
Note that anti-malware software will not be able to recover files encrypted by ransomware.
Vari virus is operated by high-profile cybercriminal gang
The gang behind Vari ransomware is one of the prominent ones currently on the scene, as it infects thousands of users daily. It has been performing operations since at least December 2017, when the infamous STOP ransomware was released. Since then, more than 200 versions of the malware have emerged, although some of them can now be decrypted.
Prior to August 2019, threat actors were using a weaker encryption algorithm AES, which allowed security researchers to sometimes help users with the help of tools such as STOPDecrypter. However, hackers obviously do not want that to happen, so they improved the encryption method (all the versions released after the date use asymmetric RSA encryption). Unfortunately, this improvement caused most of the infected users not to be able to retrieve their data for free.
Cybercriminals who own major ransomware strains launch giant distribution campaigns and quite often collaborate with other malware authors. Therefore, once the system is infected with one type of a virus (for example, Vari ransomware), there is a chance that underlying malware is present as well. Previously, Djvu variants were spotted being spread along with AZORult banking trojan. Thus it is vital to delete the ransomware along with other underlying infections from the system as soon as possible.
To increase the success of the strain, malware authors also attempt to prevent users from accessing security-focused websites by modifying Windows “hosts” file – malware inserts all the URLs the attackers do not wish victims to visit into the files. Hence, when trying to search for a Vari virus removal guide, users will simply fail to do so via the web browser.
To prevent this from happening in the future, you can delete the “hosts” file, as it will be recreated automatically, and restrictions will be lifted. Simply navigate to the following location to find it (note that you might be asked for administrator's permissions for the action to be successful):
C:\Windows\System32\drivers\etc\

Remove .Vari virus from your files
Many users believe that they can recover their data as soon as they perform Vari ransomware removal from the system. However, this is a major misconception, as anti-malware software only terminates the infection itself, preventing the encryption of the incoming files. In other words, scanning the machine with anti-malware software will not provide access to Vari virus files.
Despite this, it is extremely important to remove Vari ransomware with the help of powerful anti-malware software like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. Since there are many Djvu variants available, not all security tools will be able to eliminate the infection. Thus, a scan with several different security programs might be needed. Besides, if malware is tampering with your security app, you can access Safe Mode with Networking and perform a scan from there.
Keep in mind that you can stop Vari ransomware before it manages to enter your machine – do not ignore security software warnings. In case you already had the .vari virus encrypted your files and removed the virus but the machine still looks damaged, try scanning with a trusted repair tool like FortectIntego.
Was this guide helpful?
Be the first to comment