Again ransomware encrypts users' personal files and demands them to pay a ransom

Again ransomware infiltrates the system and starts using complicated encryption algorithms to lock users' personal files, like photos, videos, documents, etc. This makes the files impossible to open and use. The icons also change to white pages and thumbnails become unavailable. This variant belongs to the Babuk ransomware family.
After the encryption process is done, the ransomware appends the files with a .again extension. So if a file was previously named picture.jpg, now it would look like this – picture.jpg.again. Shortly after, a ransom note is usually generated on the machine. It informs users about what has happened to their files and what the cybercriminals want users to do to get them back.
We recommend you to read our guide fully to find information about ransomware distribution methods, and what are your options if you are affected. Even though file recovery is rarely possible without cybercriminals, we have provided a third-party recovery solution that helps in some cases.
| NAME | Again |
| TYPE | Ransomware, cryptovirus, data-locking malware |
| MALWARE FAMILY | Babuk ransomware |
| DISTRIBUTION | Email attachments, peer-to-peer file sharing platforms, malicious ads |
| FILE EXTENSION | .again |
| RANSOM NOTE | How To Restore Your Files.txt |
| FILE RECOVERY | If no backups are available, recovering data is almost impossible. We list alternative methods that could help you in some cases below |
| MALWARE REMOVAL | Scan your machine with anti-malware software to eliminate the malicious files (this will not recover your data) |
| SYSTEM FIX | Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues. To remediate the OS and avoid its reinstallation, we recommend scanning it with the FortectIntego repair tool |
The ransom note
The Again ransomware generates a ransom note with a file name How To Restore Your Files.txt. Generally, ransomware developers use the note to explain all the instructions. They typically tell victims that they have to pay money in order to get their files back. The most common choice of payment is cryptocurrencies, and more specifically – Bitcoin.
Hackers choose this form of payment because it is anonymous. Once you make a cryptocurrency transaction it is irreversible, and it is impossible to get the tokens or coins back once you send them to another wallet. It is very risky to pay the ransom to cybercriminals, and here is why.
They cannot be trusted. Many previous ransomware attack victims have come forward and shared their experiences. A lot of people never heard back from the threat actors once they sent the money. You are also in a way encouraging and funding this malicious activity.
Although it may be painful to lose your files, remember that you take a huge risk by paying shady individuals. You might be simply scammed. In this guide, you will find a third-party solution that has helped some people. Threat actors also sometimes release the decryption keys[1] to the public after they have exploited as many people as they could, so your second option should be to just wait.
Distribution methods

Although it is unknown how specifically Again ransomware is spread on the Internet, there are some general tactics that threat actors use to distribute malicious programs. Malicious files can infiltrate the system during “cracked” software[2] installations. Platforms that distribute them, like torrent sites,[3] are unregulated, breeding grounds for all kinds of malware.
Cybercriminals can even use email to deliver ransomware into your system. This can be done by embedding malicious links or attachments in the email. Always be careful, and do not open emails from unknown senders. Even if you received an attachment from someone on your friend list it is better to double-check with them through another platform.
Another common distribution channel is for hackers to use OS or software vulnerabilities. That is why it is vital to keep everything updated. Software developers often release security updates for newly found vulnerabilities, so you can be exposed if you do not do that.
Start the removal process
The important thing to do is to disconnect the affected machine from the local network. For home users, disconnecting the ethernet cable should do the job. If this happened at your workplace, doing that might be complicated, so we have instructions for corporate environments at the bottom of this post.
If you try to recover your data first, it can result in permanent loss. It can also encrypt your files the second time. It will not stop until you remove the malicious files causing it first. You should not attempt removing the malicious program yourself unless you have experience. Manual removal of ransomware is extremely complicated and is suitable for people with advanced IT skills.
Use anti-malware tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. In some cases, malware does not let you use antivirus in normal mode, so you need to access Safe Mode and perform a full system scan from there:
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.

- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.

- Select Troubleshoot.

- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.

Repair corrupted system files
Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are nothing unusual after malware infection. These types of viruses can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software cannot fix it.
Manual troubleshooting of such damage is also very complicated and can take a long time. This is why FortectIntego was developed. It can fix a lot of the damage caused by an infection like this. Blue Screen errors,[4] freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this maintenance tool, you could prevent yourself from having to reinstall WIndows completely.
- Download the application by clicking on the link above
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

Try recovering data with third-party software
Only hackers hold the decryption key, which can unlock your files, so if you did not back them up previously, there is a good chance that you will never get them back. You can try using data recovery software, but keep in mind that third-party programs cannot always decrypt the files. Whatever the situation may be, we suggest at least trying this method. Before you proceed, copy the corrupted files and place them in a USB flash drive or another external storage device. And remember – only do this if you have already removed the Again ransomware.
Before you begin, several pointers are important while dealing with this situation:
- Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
- Only attempt to recover your files using this method after you perform a scan with anti-malware software.
Install data recovery software
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.

- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.

- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.

- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.

Was this guide helpful?
Be the first to comment